Influencers: OPM chief should be held responsible for breach

The White House backs Katherine Archuleta after the data breach, but a whopping 84 percent of Passcode's pool of security and privacy experts say she should be held accountable.

Illustration by Jake Turcotte

The Office of Personnel Management chief should be held responsible for the lapse in security that led to the breach of millions of personal records, a whopping 84 percent of Passcode's pool of security and privacy experts said.

The White House backs Katherine Archuleta, the agency's director, after the data breach that exposed the most intimate details from the personal lives of those applying for security clearances, including potential drug and alcohol abuse, bankruptcies, criminal activity, and even their sex lives.

But Passcode Influencers say Ms. Archuleta must take responsibility, and some, such as Rep. Jim Langevin (D) of Rhode Island, say she should lose her job.

"There is no excuse for leaders in government or the private sector to operate without a risk-based cyberstrategy," said Representative Langevin, cochair of the Congressional Cybersecurity Caucus. "I have seen no evidence Ms. Archuleta understands this central principle of cyber governance, and I am deeply concerned by her refusal to acknowledge her culpability in the breach. I therefore believe that Ms. Archuleta should tender her resignation immediately."

Langevin said he hopes other agency directors are "paying close attention to this incident and taking the opportunity to quickly and thoroughly reexamine their own cyber risks."

The Passcode Influencers poll is a regular survey of more than 100 security and privacy experts. The full list of Influencers and their responses is below. To preserve the candor of their responses, Influencers have the option to comment on the record or remain anonymous.

When it comes to cyberattacks, "you never want to blame the victim," said Daniel Castro, vice president of the Information Technology and Innovation Foundation think tank. "But in this case," Mr. Castro continued, "OPM is not the victim."

The victims were the millions of federal employees, contractors, and job applicants who had their personal information exposed in the breach, Castro said. "OPM was negligent, plain and simple," he said. Another Influencer, who chose to remain anonymous, added: "All the warnings were there and OPM and others appear to have failed in their leadership and management miserably."

Director of National Intelligence James Clapper named China as the primary suspect in the cyberattack last week, meaning this deeply personal data could be in the hands of foreign hackers seeking to blackmail or otherwise exploit workers to gain entry to US systems.

"The loss of [Standard Form 86] data represents a life-long risk to the affected employees," said HD Moore, chief research officer at security firm Rapid7, referring to the forms required in security clearance applications that contain incredibly personal information. "Standard responses such as credit monitoring are meaningless in the face of blackmail."

Influencers also supported the finger-pointing, if only to inspire senior officials at other government agencies to pay better attention to cybersecurity. "The Navy relieves captains of their ships when these ships run aground," said Martin Libicki, senior management scientist at RAND Corp. "It isn't always fair but it keeps ships afloat. It is almost irrelevant why OPM screwed up so badly in so many ways. The ship's aground, the captain must go. This way, every other department head is put on notice."

A slim 16 percent minority of Influencers defended Archuleta, insisting she should not be held responsible for the lapse in security. Some, like Jeff Moss, said that if Archuleta loses her job, it would actually send the wrong message to other agencies.

"I say 'no' because I want more Secretaries of departments to go digging for security problems," said Jeff Moss, founder of DEF CON Communications. "The issues at OPM predated the current director by years. If she is to take the fall for all the past wrongs when she was already a year into trying to fix them, then why would a head of any agency ever look for security problems if all it leads to is their public shaming and removal?"

A commitment to cybersecurity, Moss continued, "is only taken seriously if it comes from the very top of an organization and is followed up with actions. I will wait and judge the OPM chief based on if she holds people accountable and can start to reform the systemic issues that led to this total disaster in the first place."

What's more, said Steve Weber, professor at the University of California at Berkeley's School of Information, blaming one person will not even fix the bigger problem at OPM. "Let's not imagine we can fix this problem, which is widespread, by 'blaming the boss' and having one person fall on a sword," Weber said. "It would be much more courageous, and effective, for the White House to focus on the deeper, systemically absurd security practices that made it embarrassingly easy to break into OPM."


Comments: Yes

"The administration should immediately cease adding any sensitive information to any government database, unless its security is assured. The harm to national security cannot be overstated. In a pre-digital world, a tiny fraction of this information would have been an intelligence win for a foreign nation. The scale of this is stunning. We have taken some of the most sensitive and valuable information on millions of government officials, and placed it in a rusty leaking bucket." – Passcode Influencer

"The mission of the OPM is 'recruiting, retaining and honoring a world-class force to serve the American people.' This breach has significantly harmed OPM's ability to conduct its mission. This goes beyond a cybersecurity failure ... it is a mission failure and leadership should be held accountable." – Passcode Influencer

"The threats were well known, there were numerous examples of similar breaches, and the head of OPM did NOTHING to make sure the information she was responsible for was secure. Such incompetence, if not outright malfeasance, should not be tolerated." – Passcode Influencer

"Everyone who stores our data should have a legal responsibility to take reasonable measures to keep it safe. It seems that the security here was far below what was reasonable given the vast amount of sensitive information. It's time to start thinking seriously about these obligations and shift our focus toward building and incentivizing more secure systems instead of just on 'information sharing' and forensics." – Cindy Cohn, Electronic Frontier Foundation

"There appear to have been repeated failures at many levels of OPM. But, OMB should also be accountable for the very high FISMA metrics scores they showed for OPM this year." – John Pescatore, SANS Institute

"Responsibility shouldn't end at OPM. Someone at the White House should also be held responsible for OPM's disgraceful security." – Passcode Influencer

"The breadth and severity of breaches continues to expand. We have to expect that executives will increasingly be held accountable for failures in security risk management and privacy." – Passcode Influencer

"The buck stops with the Chief Executive. CEOs of large US companies have been held accountable, not so much for the breach itself (that would be everyone) but rather for how they mishandled the incident response and communications." – Passcode Influencer

"Every agency leader, by now, is aware of the need for better security practices. Although they do not get much help from DHS and other agencies, they should take their security seriously." – Richard Stiennon, IT-Harvest

"I believe the tradition of sacking people (particularly security people like chief information security officers) in the aftermath of breaches is becoming counterproductive. It's not unlike firing your doctor because you caught a cold. However, the scope of this breach is unprecedented, and it may take decades to truly assess the consequences of this breach on the lives of the people whose most private details were leaked. It doesn't appear to be limited to Federal employees, but potentially everyone who has ever been investigated for a security clearance. There appears to be a serious governance problem with this organization. Were this a private company, I think we'd be seeing legislators calling for existential sanctions against the organization where this happened. In the public sector, there are few feedback mechanisms to aggressively force organizational change, and one of those is public censure and termination. A thorough post-mortem should occur, ignoring media and political concerns, and if the findings are there, a serious 'house cleaning' may well be justified, as well as personal liability of staff in cases of documented negligence." – Bob Stratton, MACH 37

"The OPM chief should not have to be technical. But the chief is always responsible for what goes on within the organization. And while the chief does not have to be technical, they must be able to hire and empower the right people that are technical. Given that cyber security is such a big topic item for the government, it is embarrassing to have numbers such as '10 million attacks per month' being spouted off to Congress during the Congressional hearing. I thought that was grossly misleading to the American public. If the chief doesn't understand why that number is misleading, and the staff that the person hired does not stop those type of metrics, then the issue is at the top and not within the tech." – Robert Lee, Dragos Security

"Leaders are accountable and this could have been predicted based on prior events." – Passcode Influencer

"You do not get to build an information-based business today without taking responsibility to secure it. When there are people's lives at stake, there is literally not enough capital in the world to underwrite the risk." – Passcode Influencer

"The best way to ensure that future leaders of various organizations place the necessary priority on operational security is to start holding them accountable for what happens on their watch." – Sascha Meinrath, X-Lab

"Should the captain of a ship be held responsible if it hits the Rock of Gibraltar? Yes to both questions." – Passcode Influencer

"The OPM was repeatedly warned by the Inspector General of significant security lapses dating back to 2012. OPM leadership repeatedly failed to take the OIG's warnings seriously. The potential consequences of this breach may be devastating for military and government personnel who hold clearances due to the highly personal data contained in SF-86 forms stored on OPM's network. The White House, Congress, and the American people should hold OPM responsible and accountable for this breach due to negligence." – Jeffrey Carr, Taia Global

"The leader of an agency is responsible for his or her organization, even if there are seemingly insurmountable institutional obstacles. That's not unique to government. This was a data breach unlike any other, as CDT's CEO Nuala O'Connor said in an excellent piece on the CDT website." – Passcode Influencer

"The OPM chief should be held ultimately responsible. To have ignored prior warnings about the state of security, and to have not adequately assessed the level of sensitivity of the data contained in the system, is inexcusable from a privacy standpoint and an operational standpoint. There have been privacy laws on the books in the US since the early 1970s. The E-Gov Act in more recent years directed all agencies to have privacy programs. The private sector is held to a high standard during data breaches, and this breach goes far beyond most of those in the scope and complexity of the data revealed." – Nuala O'Connor, Center for Democracy and Technology

"Absolutely. The Homer Simpson defense (It was like that when I got here) should never work, especially after two years on the job." – Passcode Influencer

"Setting aside what happened before the breach was known, the absurd way they talked about cybersecurity afterwards demonstrated a lack of awareness of the basics of not just cybersecurity, but leadership." – Passcode Influencer

"While it is not the failure of one person, accountability is a first step in creating a better culture of preparedness in the public sector." – Passcode Influencer

"The conditions that led to this highly preventable breach are themselves a symptom of a widespread culture in government to treat unclassified data as unimportant. But OPM leadership long knew of the deficiencies in their information security posture, and chose to prioritize other activities as opposed to taking fundamental steps to better protect the personal data of those entrusted with our most sensitive national security secrets." – Nick Selby, StreetCred Software

"Agency heads are responsible for the operations of their organizations. Cybersecurity is a critical operational component. It is gaining more visibility because of the need to protect information. Oddly it seems to not have enough visibility (perhaps its understanding) across agencies, either at the executive level or the day-to-day level. Holistically, when you don't have a strong federal workforce in cyber, you don't have CISOs with a span of control (budget, training, etc.), and the cybersecurity roles within the government are still unclear; these elements combined with bad day-to-day practices result in adversaries getting into federal systems and staying for a long time. These things work against us and can't be addressed separately." – Geoff Hancock, Advanced Cybersecurity Group

"My answer is yes and no. It depends upon what 'held responsible' means. Of course this person must be expected to manage as well as possible and provide oversight over the people and technology under her/his purview. It isn't always possible for any leader, however, to manage her/his way out of security breaches. When you word a question in this manner on a topic like this you should consider offering a response choice of 'yes and no.'" – Janna Anderson, Elon University

"The OPM Chief is ultimately responsible for the actions of her department. However, if everyone is getting 'hacked' our cybersecurity strategy is not working. Instead of looking to place blame we should address the problem of cybersecurity." – Passcode Influencer

"Leadership is a fundamental ingredient for the success of any organization and includes both responsibility AND accountability. Prioritizing multiple complex strategic activities, asking hard questions of your team to understand the unknowns, and resourcing critical activities are measures that cannot be delegated." – Mark Weatherford, Chertoff Group

"Yes, of course the head of an agency is responsible for the protection of the data it is entrusted in holding." – Anup Ghosh, Invincea

"The operations of OPM, including their technology, are the responsibility of their chief. However, this is not her fault; this is a result of underfunded and change-averse Federal policies around technology. Congress needs to properly incentivize maintenance of existing and legacy information systems." – Passcode Influencer

"The buck stops at the top in terms of taking responsibility for a security incident, and taking responsibility in a breach includes conducting a thorough investigation of the scope of the incident, the failures that led to it, and determining the steps for recovery. All software and networks contain security vulnerabilities. Breaches of this type are not uncommon among networks that have been inherited and built up on legacy systems, without adequate protection of sensitive data. The effectiveness of the response and remediation going forward will determine how well the OPM chief fares in all this. One must never waste a good crisis." – Katie Moussouris, HackerOne

"All leaders are responsible for what happens in their organizations. But I don't necessarily think he should be terminated as a result of this breach." – Passcode Influencer

"I'm not sure what 'held responsible' means here. Certainly, there should be a 'buck stops here' approach adopted by OPM leadership and a demonstrated commitment to finding and fixing problems. None of that gets my data back though." – Passcode Influencer

"The most logical following question would be 'do you expect it?' Certainly we don't have a rich tradition in federal of sacking perpetrators of major gaffes." – Passcode Influencer

"OPM Director Katherine Archuleta told the House Oversight and Government Reform Committee on 23 June that nobody was to blame for the OPM breach. She said, 'Cyber Security problems take decades; Cybersecurity problems are decades in the making. The whole of government is responsible.' [She also said] 'I don't believe anyone [at OPM] is personally responsible.' I did not expect that response. It is one thing to say that you weighed the risks and chose to spend resources elsewhere on other matters that I thought were more important. That is what leaders get paid to do. It is quite another to disavow all responsibility and blame some vague concept of Big Government as being at fault. Chairman Jason Chaffetz, R-Utah, pushed back pretty hard. He told her that the Inspector General has been telling OPM about the risks since 2007 and she decided not to take the warning. Second, there is a lot of blame to spread here. You can blame Director Archuleta's security staff for not conveying how significant the risk of a non-secured personnel database is to the functions of our government. You could blame her staff again for not preparing Director Archuleta for her committee hearing with better answers than 'it was not our fault.' But the ultimate blame goes to Director Archuleta for not owning the risk to her organization that she has been in charge of since 2013. If she had owned that risk from the start, the result may have been the same, but at least she could convey the reasons that resources were spent on other priority items than on the things that the Inspector General recommended. She should definitely be held accountable." – Passcode Influencer

Comments: No

"Changing a person will not help; it is purely symbolic, and such symbolic gestures are precisely, totally, and without debate what happens in political hierarchies (read, Washington) whenever there is bad news to handle. Even talking about whether to fire someone is a criminally profligate waste of the citizenry's attention span. What is neither a waste nor a diversion is the question that matters: When data is scarce or precious, there may be compelling reason to centralize it, but if and only if that centralization is risk cognizant. When data is either plentiful or of marginal value, then centralizing it can only create risk, never value. Therefore, what is to be asked of those to whom OPM reports is what, exactly, was their raison d'être for assigning the OPM its role as centralizer (scarcity or preciousness of what, exactly), and whether they delegated to OPM their own duty of risk cognizance on purpose or by accident. If wanting prediction, then the supposed reforms embodied in the Dodd-Frank law massively removed resilience from the financial system by forcing the centralization of functions previously widely dispersed into what now can only be described as freshly minted single points of failure waiting to happen. It is the urge to centralize that is what political hierarchies do. It is apologists for, and hucksters of, centralization that should lose their jobs." – Dan Geer, In-Q-Tel

"I'm saying 'no' not because I don't believe in accountability, but because I think the question obscures the problem. The breach is the result of, sadly, quite common security practices. The head of an agency is surely responsible for what that agency does (or fails to do), but let us not confuse that legal and cultural fiction with an actual belief that most leaders in Katherine Archuleta's position have an easy way of knowing what's going on in IT security and improving the situation; the failure here is systemic and all too common." – Jonathan Zittrain, Harvard University

"Asking OPM to protect infrastructure developed in COBOL 30 years ago is the same as leaving US soldiers to protect their humvees by welding on scrap metal. The congressional sequester of funding and programmatic authorities, denying federal agencies modern information systems, is as much to blame." – Chris Finan, Manifold Security

"It's important not to punish people for looking to identify and solve their problems. This could have been actively ignored, and upon discovery, this could have been swept under the rug. That's not what happened. There's no question there are some deep issues at OPM. I stand concerned about disincentivizing the next cleanup. What, you think OPM's the only hacked agency?" – Dan Kaminsky, White Ops

"No. Piling on agency leaders isn't likely to help matters. In the wake of the hack of the Office of Personnel Management's (OPM's) computer system, the Chamber stressed in a blog that this episode should prompt Congress to pass cyber information-sharing legislation once and for all. The cyber fingerprints of the reported Chinese espionage against OPM need to be shared with appropriate public- and private-sector organizations in a timely manner. Also, policymakers should help OPM get its house in order. Pointing fingers at hacking victims like the agency may be politically fun for some, but it's the rough equivalent of a sugar or caffeine rush: it's good while it lasts but offers few sustained benefits. Indeed, the private sector has received its fair share of finger pointing in the wake of cyber incidents, so while a touch of schadenfreude is tempting, it's ultimately empty and unserious. We, industry and government, need to be battling the bad guys together. Asking OPM authorities what they need to assist federal employees and apply additional security controls will serve them best. Above all, this incident should push Congress to pass information-sharing legislation with strong safeguards for business. Sophisticated criminal gangs and malicious actors in China, Iran, North Korea, and Russia (or their proxies) should not be allowed to put people's sensitive information at risk of abuse. Their actions can be restricted, if not prevented, through improved information sharing." – Matthew Eggers, US Chamber of Commerce


/World/Passcode/Passcode-Influencers/2015/0629/Influencers-OPM-chief-should-be-held-responsible-for-breach