An old, familiar shibboleth came up again this week. “Washington is a city of second chances.” That’s what a Washington Post article said about a popular millennial writer who was fired from a popular Web site for plagiarism. He popped up at another web site a year later, where he’s boosting its traffic. Dennis Hastert, the former House speaker now enmeshed in a really bad scandal, probably is too old to have a second chance. Organizations can have second chances, often because they have the wherewithal to buy their way back. I remember the Ford Pinto gas tank scandal (1977), the time Lockheed nearly went bankrupt (1971) save for a federally-backed loan, and the Tylenol poisoning scare (1982), which was a problem not of the company’s making. Today, Ford, Lockheed-Martin and Johnson and Johnson prosper quite nicely. Can federal agencies have a second chance, I’ve been wondering? Technically no, since they can’t go out of business unless Congress decrees it, which it never does. So when they goof up, there might be temporary hell to pay, but not the threat of going out of business. In fact, serious failures are often rewarded with big budget increases, as in the case of the Veterans Affairs Department. Congress can readily replace money. Reputation and perceived legitimacy — harder to recover. Yet agencies are obligated to react when things go wrong. Recently two examples occurred I point out as case studies of the right way to react and retain the confidence of the public. A whistleblower, still anonymous, complained to the FDA about poor practices and fungus contamination at the National Institutes of Health. Specifically, in the Pharmaceutical Development Section of NIH’s Clinical Center. This is where doctors and technicians whip up experimental drug for small groups of patients. Two vials of albumen, a medium for injecting drugs into patients, were found to have the fungus. Patients had been given injections from different vials in the same batch. The FDA investigated the lab, and the NIH suspended sterile production. It won’t resume until at least June 19th. The NIH went public with the episode, including a mea culpa from the director, Dr. Francis Collins. When I spotted the release, I asked for an interview the next morning with Collins. NIH public affairs people — they are among the best in the government — got me the principal deputy director, Dr. Lawrence Tabak. He said the NIH welcomed the highly irregular incursion by another federal agency. We don’t know what personnel changes will happen with the troubled section, but the speed and forthrightness of the NIH response seemed refreshing and, well, grown up. Another agency, the relatively small National Highway Transportation Safety Administration published last week the results of a study of how it can function more effectively. The agency launched the review in response to how sluggishly it responded to the General Motors fiasco of the malignant ignition switches and non-deploying airbags. The defects caused at least 100 deaths when people’s cars turned off at highway speeds. This last year’s incident is still in the news, overshadowed though it may be by the explosive Takata airbag situation that’s affected millions and millions of cars by many makers. Somehow the GM ignition switch-airbag issue went on for a dozen years before the 2014 recall, and the NHTSA blames itself in part. It says it was pushed around by GM, and it lacked the technical understanding staff needed to stay on top of these issues. The NHSTA report says the agency “failed to identify and follow up on trends in its own data sources and investigations.” The upshot: The agency has produced a detailed internal improvement plan, and appointed three outside experts to guide the improvement effort, including a former astronaut. And what of the Office of Personnel Management, from which vast amounts of personal data on current and former federal employees were stolen? The lag between discovery and disclosure is troubling. More disturbing is the frequency of similar attacks and the seeming ease with which whomever — China, some lunatic insider, maybe a combination of both — is getting into federal data bases. As Jason Miller reported this week, the government has experienced nine incidents in less than a year in which hackers attempted or succeeded in stealing personal information on government and contractor employees. How did the agency react? OPM did the obligatory offers of credit monitoring. It worked with US-CERT and the FBI, but the US-CERT report is incomplete, and in any case isn’t available at its website. The agencies still don’t know how much data was taken, or else they haven’t said. The stain is still spreading. As pointed out in my interview with cyber expert Rodney Joffe of Neustar, the loss of SP-86 data exposes not only employees, but friends, neighbors, and any foreigner they’ve ever done any sort of business with. Plus travel records and passport information. That lost data could pester people for the rest of their lives. OPM says its techies secured remote server access and installed new cyber tools. The White House ordered the acceleration of Einstein 3A monitoring tools, not that the current version worked so well. Lots of sturm und drang, but no clear sense that the government is doing much more than improvising against something it only dimly understands and only feebly deal with. My hope is that when the scope of the OPM breach is known, the same unflinching, critical and public self analysis exhibited by NIH and NHTSA will occur in the federal cybersecurity apparatus.
Tom Temin is host of The Federal Drive, which airs 6-9 a.m. on Federal News Radio (1500AM). This post was originally written for his personal blog, Temin on Tech.