The U.S. Office of Personnel Management's reaction to massive breaches of personal data it stored on more than 21 million people is beginning to read like a manual on how not to prevent, mitigate or survive a hack.
The most recent portion of the train wreck saw acting OPM director Beth Cobert reaching out to other federal agencies to inform them they will have to pay their fair share of mitigation, including notifying people whose personal data was compromised. OPM performs background checks and security clearances on candidates for federal jobs.
"Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute [fiscal year] 2015 funding to cover the first full year's costs of credit monitoring and related services / benefits" for the incident," wrote Cobert in a memo obtained by the Washington Post.
Cobert's request is only the latest eye-raising folly of this cybersecurity episode. Federal rules that govern technology and services procurement were one element of the bureaucracy (and ineptitude) that slowed OPM from updating its documented poor security over the past five years. And the bureaucracy in hiring contractors to deal with the hack's fallout has prevented official notification of tens of millions of victims that represent 7% of the U.S. population, including 1.8 million family members of those who sought federal security clearance.
That's a bad start followed by an even worse finish.
In fact, reports Wednesday out of the White House show that it will be mid-August at the earliest
before a contractor is hired to help the bulk of hack victims.
In the first, and smaller, OPM hack, the 4.2 million victims have been provided protection services at a cost of $20 million over five years. If you extract that out to the full 21.5 million people affected by the breach (Note: there is some overlap from the smaller hack) you begin to see costs that approach $100 million. Unfortunately, that money doesn't begin to address updating, replacing and tossing OPM systems, some that are 30-years-old.
It's no wonder some are calling this one of the most damaging cyber thefts in U.S. government history.
Cobert's pleas for financial help reveal what might already be obvious; OPM can't afford to pay for its mistakes and misfortune. In essence, if OPM were a private business it would be shutting its doors and preparing for years of court cases and scorn.
In the Post article, Jeff Neal, a former Homeland Security Department chief human capital officer and now senior vice president at ICF International, points out that a government bailout won't happen until OPM shows it knows what it's doing.
That will be a tough nut to crack.
A 2009 Inspector General report noted "significant concerns regarding the overall quality of the information security program at OPM." Five years later, another OPM Inspector General report revealed the agency couldn't find all of its equipment, and that 11 "major systems" were operating without security certification. The report concluded "a material weakness in the internal control of the agency's IT security program."
So Cobert is painted into a corner while the White House is focused on a diplomatic response that came today as a decision against publicly blaming China.
There's enough here for any government or private sector CISO to chew on if they don't already have a firm grasp on their crisis management plan.
The federal government has technology processes and procedures in place for a host of reasons, but clearly those reasons are out of step with an historic breach that has produced a crushing financial burden and exposed policies and procedures that hamstring an efficient response.
Not to mention millions of citizens with their digital identities in tatters.