I thought the announcement June 4 of a cyber hack at the Office of Personnel Management was the biggest screw-up in the history of the agency. OPM failed miserably to protect the most valuable information it had: personally identifiable information on federal employees. But OPM proved me wrong. It’s caused two bigger disasters in the last week. The first disaster was its horrible response to the attack. That response was a two-pronged failure of historic proportion. Prong one: The agency either misled employees about the scope and length of the breach, or the forensics team that investigated the breach didn’t know what it was looking at. Last Thursday, the agency said the attack happened in April of this year and affected 4 million people. By Wednesday, the date had been moved back to December 2014, and the number of affected people grew 350 percent to 14 million. That doesn’t exactly engender confidence that the date won’t slide back again, and/or that more people will learn their information was taken. And it reveals a longer period of cluelessness about our adversaries cracking open the safe that holds the family jewels. Prong two: The agency botched the most critical part of the response to the hack — communications with employees. It sent cryptic, vague emails that didn’t really answer the main questions employees had — who has my information, what do they have, and what does it mean? While some media outlets quote unnamed government officials saying China was behind the attack, OPM treated the attacks as identity theft, offered employees tips like “monitor your credit report,” hunkered down and went silent. Meanwhile, every cyber expert I could find called this an espionage play the Chinese could exploit to further penetrate government networks. To make the response worse, the emails notifying employees they were at risk came from a non-government email address, and looked for all the world like a phishing attack. Those emails contained some of the most common elements of phishing attempts: multiple links that take the recipient to non-OPM sites, and a password to enter. Even the notification email, though, shirked the responsibility the agency has to its employees. It states, “nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.” In other words, a government lawyer somewhere made sure neither OPM nor anyone else admitted any blame or accepted any responsibility that caused the personal information of 4 million employees to go to a foreign government. Here’s your credit monitoring and liability insurance, now go away. The second disaster was the revelation that there were in fact two hacks, not one. This story includes some of the most chilling information I’ve ever read, as far as its implications for federal employees: “Deeply personal information submitted by U.S. intelligence and military personnel for security clearances — mental illnesses, drug and alcohol use, past arrests, bankruptcies and more — is in the hands of hackers linked to China, officials say. … The Office of Personnel Management, which was the target of the hack, did not respond to requests for comment. OPM spokesman Samuel Schumach and Jackie Koszczuk, the director of communications, have consistently said there was no evidence that security clearance information had been compromised. … The White House statement said the hack into the security clearance database was separate from the breach of federal personnel data announced last week — a breach that is itself appearing far worse than first believed.” If you are a federal employee, past or present, and you are not outraged after reading that, you aren’t paying attention. The most personal of personal information is now public. OPM has clammed up and is saying nothing. After the government told employees through spokespeople — not from principals — security clearance information wasn’t compromised, we learn security clearance information was compromised. And we learn that two, not one, of the government’s most valuable databases are now in the hands of a foreign government. If the agency isn’t lying, it looks like it is. If it isn’t lying, and the chain of events has gone down the way it now appears, then OPM Director Katherine Archuleta has a responsibility to everyone affected to hold people accountable — immediately. That means both federal employees and contractors. The blame here falls squarely on OPM. Its Inspector General Office saw this coming last November. It’s not like there was no notice; the draft version of that Federal Information Security Management Act (FISMA) report was likely sent to the offices of Archuleta and the agency’s CIO, Donna Seymour, well before the November release. So no one should be surprised here, except the federal employees and their associates who trusted OPM. Thanks to the agency’s awful response to this crisis, no one believes OPM about anything, and no federal employee should ever trust it again.
Francis Rose is host of Federal News Radio’s In Depth radio show, which airs weekdays from 4-7 p.m. MORE COMMENTARY FROM FRANCIS ROSE: Best way to prevent more sequestration damage: kill the sequester now Make a budget deal already! Three takeaways from Management of Change 2015 Postal Service needs some transformation pain now to avoid desperation later Time is right for a civilian employee compensation commission New Congress ‘worst places to work’ hotline: right idea, wrong question