What To Do To Safeguard Privacy?

I’m inclined to agree with the editors of the Wall Street Journal that something should be done about the data breach of the Office of Personnel Management announced last week other than issuing a stern demarche:

U.S. government incompetence seems to grow by the month, and now we know it’s becoming a threat to national, and even individual American, security. The Obama Administration announced last week that Chinese hackers made off this year with personnel files that may have included those of all 2.1 million federal employees, plus former employees going back to the 1980s.

This is no routine hack. The Office of Personnel Management (OPM) lost background-check data to the Chinese nine months before this breach and still hadn’t locked the cyber front door. OPM’s inspector general issued a damning report last November that parts of its network should be shut down because they were riddled with weaknesses that “could potentially have national security implications.” You can’t ring the alarm much louder than that, but the failure to take basic precautions continued.

As to the form that retaliation should take, I’m of mixed minds. There are all sorts of possibilities. As I said a couple of days ago, whether the Chinese government ordered and supervised the data breach or not, the Chinese have not been good Internet citizens. There is no doubt in my mind that the Internet as a whole would be better off if China were cut off from the rest of the world network. And it wouldn’t be particularly hard to do.

I’ll throw the question on the floor. What should be done?

When the barn door is open, the very least you should do is close the barn door even if the horses have fled. It’s a good habit to get into, you might have more horses some day, and you’re signalling a willingness to keep the door closed. A good place to start would be considering the OECD’s guidelines for data privacy, promulgated 35 years ago. They are:

  1. Notice—data subjects should be given notice when their data is being collected;
  2. Purpose—data should only be used for the purpose stated and not for any other purposes;
  3. Consent—data should not be disclosed without the data subject’s consent;
  4. Security—collected data should be kept secure from any potential abuses;
  5. Disclosure—data subjects should be informed as to who is collecting their data;
  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

and they pertain to private institutions as well as governments. If Target can’t protect my credit card information from hackers, I see no reason they can be trusted with any other personally identifiable information, and that includes my email address, my phone number, or my Social Security number.

Due to the way our legal and political systems work, I couched my proposal in terms of property rights. The phone company, your credit card company, and the Social Security Administration shouldn’t be thought of as owning the information about you that they hold. You should. And they should be required to retain and use it within strict restrictions.

1 comment
  • Andy

    I’ve known about this breach for a while now and am glad it’s finally making it into the press given how bad it is. The hackers got the PII motherlode as they were able to access the SF-86’s for probably everyone who’s had a high-level clearance over the past couple of decades. For those who don’t know, the SF-86 is the form to begin a background investigation for high level clearances and it includes very detailed personal information going back 5-10 years that includes just about every aspect of your life. Since all the information must be verified, it includes contact information for friends, coworkers, associates, neighbors, along with family members. So this breach doesn’t just affect government workers, but potentially anyone who knows, lives near or is related to them. It’s…bad.
