The disclosure in December 2020 of a massive cyberattack on federal agencies, one of the worst in U.S. history, is a powerful reminder of the continued fragility of systems, including those that contain personally identifiable information (PII).
The Office of Personnel Management (OPM) is a target for these types of attacks because it houses enormous amounts of PII. The nature of OPM’s work is such that it is impossible for the agency to avoid storing PII on everyone in the federal government (as well as all federal retirees). OPM maintains health insurance, life insurance, and retirement systems, along with a massive database of background investigation data. Its mission ensures it is always going to be a target.
How agencies protect employee data
OPM is not the only federal agency that maintains large stores of PII. Every agency has to have records of its employees. Those records include:
- Date of birth.
- Social Security number.
- Names of immediate family members (on beneficiary forms).
- Previous addresses (in investigative records and payroll/personnel history files).
In fact, virtually every bit of information someone needs to steal the identity of a federal employee, ruin their credit, and cause massive disruption to their lives is sitting in federal human resources (HR) systems.
The amount of PII housed by HR organizations might lead one to ask, “How many cybersecurity employees do most HR organizations have?” The answer might surprise most readers: none. Agencies typically rely on their Chief Information Officer (CIO) and security staff, along with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), to provide the services needed for protecting employee information and recovering from breaches. Agencies generally assume the providers of the systems they buy will ensure those systems protect employee data securely.
While it is clearly not the mission of HR to provide cybersecurity services, it is their mission to guard the PII they obtain from employees. We should rethink how HR approaches this responsibility and consider placing assets from the CIO’s team (or whichever organization the agency assigns cybersecurity to) in the HR office. Embedding some of those resources in the HR team (while organizationally remaining attached to the CIO) will give agencies a far better picture of federal data security, the types of data being gathered, how they are used, and what is happening to them.
Federal data security risks
The cyber realm is the next great battlefield. So much of our world is now driven by information technology that it has become a highly effective method of attack. Bad actors, whether states or criminals, will continue to find ways to exploit weaknesses in federal data security systems. There is no way to avoid having large stores of employee data, and there is no way to guarantee employee data protection.
We cannot have perfect cybersecurity, but we can have effective cybersecurity. Agencies that view cybersecurity and federal data protection as nothing more than a compliance exercise, where they make certain their employees complete a few minutes of annual training and they install updates as vendors provide them, are putting themselves and their workforce at risk.
That workforce risk is substantial. Although agencies generally worry more about mission systems than employee data protection, data theft consequences are mission risk. If employees are worried about the disclosure of their financial and personal information, they may be less productive or unwilling to remain in the federal government. If deeply personal information included in security questionnaires is stolen, they may be subject to blackmail. If their identities are stolen, or they suffer financial harm, they may be more susceptible to being lured into disclosing agency information for money. Disrupting the workforce could be a very effective means of disrupting an agency’s operations.
While it remains unclear whether the 2020 cyberattack affected HR systems, it nevertheless highlights the inherent risk of these systems and may encourage others to go after employee data. The number of HR systems is mind-boggling. In 2011 we had almost 400 different HR systems in DHS alone; while not all of them contained PII, many did. Agencies must use the most current tools and practices for protecting employee information, including intrusion detection and response, identity management, credentialing, and access management for any HR system that includes PII. These HR systems need to be treated as the mission-critical systems they are.
Three ways to reduce data theft consequences
If we recognize the certainty of continued cyberattacks and the likelihood of another breach, what can we do to reduce the risk of data theft consequences?
The first step: better cybersecurity.
Agencies have to do a better job of protecting the employee information they gather and produce. Because we know breaches will still occur, we need to do more to help prepare employees. That means protecting employee personal information and providing employees with the training and tools they need to protect themselves.
Here are four steps that would move us in the right direction:
- Know your data and where it resides. It is imperative that you know what data you manage, how sensitive it is, and where it is stored, transmitted, and processed. Cybersecurity professionals use various Federal Information Processing Standards and NIST Special Publications to do this. Their work can be made simpler with an enterprise architecture that maps out the relationships between processes, data, systems, and infrastructure. Through an up-to-date enterprise architecture, you can get a clear view of what your data is and where it resides—making it easy for cyber professionals to identify the controls needed to protect sensitive information.
- Provide better federal data protection training to employees so they can protect their own data and recognize the threats that may follow when their PII is stolen. For example, most people use simple passwords—and reuse the same password—in every system they access. If their information is stolen from one system, the thieves have a head start on accessing other systems because they already have the employee’s overused password. Bad actors will continue refining their approaches, but that does not mean we have to hand our data to them on a silver platter.
- Disclose breaches as soon as it is operationally possible to do so. Experts discovered a December 2014 OPM breach in April 2015 and disclosed it in June 2015. Agencies may have legitimate security reasons for not immediately disclosing a breach, but they must base delays in disclosure on security risks and not on political and public relations concerns.
- Provide ongoing credit monitoring services for all federal employees. Employees cannot refuse to provide PII to their employer, and the federal data protection steps they can take on their own are limited. Credit monitoring does not protect employee information, but it does help employees discover threats to their financial security, even when an agency has not discovered or disclosed a breach in federal data security.
Cybersecurity is an ongoing concern that will never go away. As our dependence on technology grows, so will the efforts of people with bad intent. Federal workers need to know that their employer is doing everything possible to protect employee information from data theft—even when the federal government does not know it has happened.