The Human Cost of the Hack on OPM and Its National Security Impact

Herb Lin
Saturday, July 11, 2015, 5:56 PM

By now, everyone knows about the OPM hack and the fact that the private and sensitive information compromised may make employees of the U.S. government—especially those with security clearances—more subject to blackmail, bribery, or extortion and more vulnerable to more realistic phishing attacks. But there’s one more aspect that needs airing.

Published by The Lawfare Institute
in Cooperation With
Brookings

By now, everyone knows about the OPM hack and the fact that the private and sensitive information compromised may make employees of the U.S. government—especially those with security clearances—more subject to blackmail, bribery, or extortion and more vulnerable to more realistic phishing attacks. But there’s one more aspect that needs airing.

According to OPM, the hack compromised data for 4.2 million current and former government employees. Median tenure for a US Government employee is 8.5 years according to the Bureau of Labor Statistics. Since many of the compromised records (specifically the information derived from background investigations) go back to 2000, my conservative guesstimate for the number of current employees affected is 1 million of the total 2.8 million employed by the U.S. government.

The OPM website exhorts individuals to protect their identities by spotting the warning signs of identity theft; being aware of phishing scams; update their passwords; and getting up to speed on computer security. (This last item is noted without further comment.) In the website’s section of “what we’re doing to help”, OPM says they are “supporting people who have been affected” by “sending notifications to those affected by the incident involving personnel data [and] offering free identity theft monitoring and restoration services” to those affected by the personnel data breach and these services as well as “identity monitoring for minor children, continuous credit monitoring, and fraud monitoring services beyond credit files” for those affected by the background investigation incident.

In an email sent to US government employees affected by the data breach involving personnel data, OPM describes the breach, offers the services described above to help affected individuals deal with the consequences, asserts that the letter does not indicate U.S. government liability for the events described in the email, and in the next to last paragraph, says “we regret this incident.”

I go through all of this in such excruciating detail to underscore what the email does NOT say. Nowhere does it offer an apology to the employees: an expression of regret is not the same as an apology. And nowhere does it offer the employees any compensated time to engage any of the protective services OPM offers, which were necessitated by the OPM screw-up in the first place.

Estimates for how long it takes to clean up a case of stolen identity vary wildly—a quick search on the web reveals numbers as low as 12 hours to as much as 600 hours. (I suspect these numbers vary so much due to differing definitions of “clean up”.) But let’s say 8 hours are needed for affected employees to engage with the services offered. That’s a full workday. And employee must use personal leave to clean up a mess that OPM gave them???

What’s going on here? Has anyone at OPM considered whether employees who have not received an apology and have had to use their own leave time to clean up a mess not of their own making be more likely or less likely to take seriously the task of protecting U.S. government information? The U.S. government is rightly more worried now than before about attempts to compromise government information, but I can easily see current employees saying to themselves “the government didn’t protect my information, why should I go out of my way to protect government information?”

Perhaps someone in the administration who reads this list might suggest to OPM that a concrete gesture like giving employees a half-day or a day of comp time might go a long way towards recognizing that making employees pay the human costs of a breach is not the way to nurture a workforce that cares about cybersecurity. I recognize such an action might cost several hundred million dollars – I suspect it would be worth the cost.


Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare