WHAT IF THERE WERE CONSEQUENCES

Not long ago a member of my family stated that it seemed that there were no consequences for failing to do the right thing… especially in the public sector. We were talking about a variety of things ranging from healthcare.gov to the bailout of the banking industry. Within a few weeks of that discussion, this story about the OPM hack was published in the LA Times. The story was based on testimony provided to a joint House subcommittee.

At the recent legislative hearing Donna Seymour, top technology officer for OPM, told the lawmakers that “Some legacy systems — those holding Social Security numbers, health carrier information, and other personal details — may not be capable of being encrypted.” She then continued that “These problems are two decades in the making.” Did any of the lawmakers suggest that these legacy systems should not be connected to the internet? Did any of the lawmakers inquire as to why those legacy systems continue to exist? The answers are unknown.

It was also disclosed that OPM using does not use the up-to-data monitoring software, EINSTEIN 3A, that 13 agencies use. There are more than 50 other agencies that are not using this software that is managed by DHS. We do not yet know about the hacks at those other agencies. Nor do we know which agencies are not using this software and so we do not know what an attack on those files will reveal.

According to Michael Esser, OPM’s assistant inspector general of audits, the agency has a “long history of failing” to update its IT infrastructure. Many of the recommendations his office has made have “essentially been ignored.” He said that the agency has never disciplined managers for failing to pass multiple cyber-security audits.

Before her resignation, Katherine Archulete, Director of OPM, told the lawmakers that no one has lost their job over the cyber-attacks.

Although the biggest known breach, this is not the only one that has taken place over the years throughout the Federal agencies. It is likely that it will not be the last.

Passing more laws about changing passwords, using monitoring software or heeding the security audit reports and making the required changes will not create the needed cultural change. Having consequences for failure to do the right thing will create change.

Imagine that the person who wrongly signed-off on a system as being ready to put into operation or the person who directs that a system continue in operation in spite of failing the security audit not only lost their job but also lost their retirement pay or perhaps was demoted before being fired and then their retirement is based on their lower grade.

Just a thought.