The headlines have said it all: “OPM’s archaic IT infrastructure opened door for massive data breach” and invited “the ultimate wake-up call.” While Pearl Harbor and 9/11 analogies are strained, it cannot be denied that this stealth attack caught the government completely off-guard and flat-footed.
GAO and OPM’s Inspector General have been warning about the risks of just such a breach for several years. Now, an estimated 20 million or more federal employees, retirees, and job applicants will live the rest of their lives with heightened risks of identity theft and vulnerability to manipulation in espionage games as a result of the government’s mind-boggling failure.
We’re not here to play the blame game — there’s been plenty of piling on already. Our only concern is that the government act decisively to put in place a smarter strategy to prevent and deter future attacks at the lowest cost and highest return for the government, federal employees and taxpayers.
Federal CIO Tony Scott suggests a rational way forward: set smarter priorities for cyber investments according to objectively assessed levels of risk, and accelerate migration to scalable, cloud-based enterprise solutions. The government is rife with antiquated and redundant work processes and technology. Reducing transaction costs and improving performance will always be at the heart of investment decisions to transform silos of waste and inefficiency, but security enhancement is an increasingly important factor.
We wholeheartedly agree with the CIO and offer a “friendly amendment” to his strategy: accelerate shared services implementation so that the government’s limited cyber expertise and investment funds can be concentrated on a smaller number of fully modernized, cyber-secure shared transactional platforms.
As President Obama observed, “part of the problem is that we’ve got very old systems.” He’s right: many government platforms are so antiquated that they cannot be cyber-enhanced cost-effectively. There are far more obsolete systems than it makes sense to modernize, and they are far too scattered to inventory and protect effectively.
An antiquated, far-flung technology environment is only part of the problem. Culture is an equally formidable challenge. Most agencies are not conducive environments for security-driven decision-making. Agencies exist to serve constituencies. Leadership priorities and career tracks are based on fulfilling constituent needs, and mission priorities always trump security and administrative needs in the competition for scarce funds. Moreover, cyber-security expertise is in limited supply and is not highly valued in most agencies. Taken together, tight budgets, limited expertise and cultural blind spots create perfect storms of agency vulnerability throughout the federal environment.
OPM is an unfortunate but classic example of this phenomenon. According to the agency’s Inspector General, eleven OPM systems were operating without valid authorizations to operate (ATO), and numerous platforms were not subject to routine scanning for compliance with established security standards. Limited IT funds were steered to other priorities. Clearly, the culture of OPM did not take cyber security seriously enough.
We are long past the day when every agency can afford to maintain and protect its own critical infrastructure for common business and mission-related transactions. It’s time to modernize the federal shared services marketplace and accelerate agency migration to meet ever-increasing security threats. Let private providers compete with government providers, while setting a high, consistent bar for cyber security for all services and providers. Let government providers charge cost recovery prices that capture sufficient reserves to finance modernization and security compliance organically. Encourage government providers to use market-based practices to recruit top talent and cultivate cultures that reward excellence in cyber security.
Effective security consists of an integrated system of policies, procedures, and activities that are designed to manage and reduce risks to the organization, protect critical data, information and physical assets, ensure the reliability of service delivery, and comply with applicable federal security laws and related OMB guidance and policies.
By implementing shared services, government agencies can improve their ability to deliver more effective security. Let us illustrate with some simple but persuasive examples:
By performing a work or government business process in a smaller number of physical locations, it is inherently easier to monitor and manage the process and reduce fraud.
By consolidating people into fewer locations, security knowledge, awareness and competencies can be addressed with more timely, consistent and efficient security training and behavioral remediation.
Segregation of duties can be difficult to achieve in an environment in which a process is fragmented across people and organizations, but through consolidation a shared services organization is in a much better position to implement this control.
Shared services is about standardizing processes and supporting technology. This can improve security effectiveness and efficiency by reducing variation in security controls and eliminating duplication of security work and reporting. By standardizing technology — for example moving to a common financial shared services platform — agencies can significantly reduce the number of system setups, interfaces, security profiles, and manual workarounds, all of which streamline security control design and testing.
One thing is certain: more attacks are coming. Reports indicate that on average 120,000 security hacks of varying sophistication occur every day around the world. Last year GAO reported that incidents involving exposure of personally identifiable information more than doubled from around 10,000 incidents in 2009 to over 25,000 in 2013. As many as 80,000 new variants of computer viruses are created each day, and even the best anti-virus software has only about a 40 percent success rate. Moving forward with cyber-sophisticated shared services should be a core element of a comprehensive federal cyber strategy that is up to 21st century challenges.
Dave McClure is chief strategist of Veris Group, a provider of cybersecurity services. John Marshall is founder and CEO of the Shared Services Leadership Coalition.