The treasure trove of personal information that federal agencies collect and store on every person in America makes them a prime target for online attacks. Unfortunately, federal agencies are still not doing a good job of protecting our privacy.
According to the federal government watchdog, the Government Accountability Office, cyber incidents affecting federal agencies spiked 1,300 percent over the last decade from 5,500 in 2006 to over 77,000 in 2015. Despite warnings and recommendations, agencies have failed to implement security protections, which continues to make our private data vulnerable. According to the GAO, some 1,000 of the 2,500 recommendations (40 percent) they’ve made have yet to be implemented.
It’s not just that federal agencies are ignoring an annoying oversight group nipping at their heels; they are also ignoring federal law and policy that have created a framework for how to address cybersecurity across all federal systems. The problem is that where the framework has been implemented at all, it has been implemented inconsistently.
There are three areas for agencies to address: deficiencies in their security programs, how they respond to and even mitigate cyber incidents, and establishing a qualified cybersecurity workforce. A lapse in any of these leads to the kinds of embarrassing and dangerous breaches that occurred last year.
In June 2014, more than 20 million Americans learned that their very private information had been hacked. In two separate attacks, the federal government’s HR office (i.e., the Office of Personnel Management) had the names, addresses, and personal information of past and current federal workers, as well as those who applied for jobs, stolen. The fingerprints of about five million Americans were also ripped off. What was stolen was more than enough to do damage to somebody's credit and finances.
That hack was just one example of what can go wrong when cybersecurity is ignored by federal agencies. As the director of information security issues noted in the report:
Virtually all federal operations are supported by computer systems and electronic data, … ineffective controls can result in significant risk to a broad array of government operations and assets. For example:
· Resources, such as payments and collections, could be lost or stolen.
· Computer resources could be used for unauthorized purposes, including launching attacks on others.
· Sensitive information, such as intellectual property and national security data, and personally identifiable information, such as taxpayers’ data, Social Security records, and medical records, could be inappropriately added to, deleted, read, copied, disclosed, or modified for purposes such as espionage, identity theft, or other types of crimes.
· Critical operations, such as those supporting national defense and emergency services, could be disrupted.
I don’t know about you, but the prospect of any of those occurring gives me chills. Our federal government has a responsibility to protect the information it collects and stores on each of us. Otherwise, why collect it?
Apparently, we should feel encouraged that federal agencies have gotten better, according to the Washington Post:
Although the report indicates that about 40 percent of the GAO’s recommendations have not been implemented at any one time, in an interview, Wilshusen said the government’s long-term record is significantly better. Within four years, 88 percent to 90 percent of the recommendations are followed, he said by phone. “Over time,” he added, “the agencies do a pretty good job of implementing our recommendations.”
The challenge is that anything can happen “over time” while these agencies get their act together.
Imagine you had a child who constantly left the front door wide open day and night or left the keys lying around near the door. If, even after burglars stole things, that child didn’t get the message, you would probably do something drastic.
What will it take for our agencies to put the time and effort into securing their systems? If not the data breach of over 20 million Americans, what?