ARLINGTON, VA - OCTOBER 30: Staff members attend an event where Homeland Security Secretary Janet Napolitano delivered remarks at the opening ceremony of the new U.S. Computer Emergency Readiness Team/National Cybersecurity and Communications Integration Center facility October 30, 2009 in Arlington, Virginia. The center is designed to help protect the technical infrastructure of the United States. (Photo by Win McNamee/Getty Images) (2009 Getty Images)
Now that we know how many people were actually impacted by last month’s exposed hack of the U.S. Office of Personnel Management (OPM)—a staggering 21.5 million, or about five times as many as were initially thought—it’s time for stronger cyber protections and immediate congressional action. The resignation of OPM Director Katherine Archuleta is the beginning of much needed action. More needs to be done to shore up our cyber assets and ensure a breach of this magnitude doesn’t happen again; America needs to wake up and pay attention.
Cybersecurity is a shared responsibility, and greater collaboration between government and private sector companies is needed to share information, best practices, and potential threats.
Of the 21.5 million records stolen, 19.7 million of those include individuals who have gone through extensive security clearance background checks dating back to 2000. As if that wasn’t bad enough, 1.1 million fingerprints were obtained. Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency, categorized the theft of these fingerprints as “probably the biggest counterintelligence threat in my lifetime.” Put another way, what happened through OPM’s inattention may be more important than the revelations made by Eric Snowden.
Though we have our suspicions, we still don’t know who orchestrated the attack, and no retaliatory steps have been taken. This attack and the lack of action by the United States government could embolden other potential hackers, as the flaws and vulnerabilities in our systems have been exposed.
Just this week, Department of Homeland Security Secretary Jeh Johnson told lawmakers that federal cybersecurity “is not where it needs to be,” shedding light on security flaws in government networks and on the administration’s sluggish response to strengthen its cyber defenses. National Security Agency (NSA) Director Admiral Mike Rogers has warned that he doesn’t expect this to be a “one-off” attack, and described a security situation under which “you must prepare and assume that you will be penetrated.”
What America needs now, more than ever, is an aggressive approach to cybersecurity, which will save us significant money and heartache in the long term. We will continue to use the Internet – which is why the government and private corporations must address the underlying issue and invest in the right security and take all the extra precautionary steps needed to protect our systems in the future.
The OPM hack is important because it demonstrates that money alone won’t address cybersecurity vulnerabilities. The government already spends $13 billion on cybersecurity a year – a number that has been steadily increasing. According to a recent article in Fortune Magazine, the amount of money spent on cyber defense—across both the public and private sector—has dramatically increased from $10 million to $70 billion. But as spending on cybersecurity has skyrocketed, the number of high profile hacks in the government and the corporate world has dramatically risen, as well.
The average cost of a breach for U.S. companies is about $20 million. And the total costs of government breaches, like to the OPM, are still being calculated. They are expected to be staggering.
First and foremost, the government must update their outdated systems. A Financial Times analysis based on reports from the Government Accountability Office and the Office of Management and Budget reported that over half of the government’s 24 agencies had failed to take some of the most basic security steps, including “patching software holes, using strong authentication technology and continuously monitoring systems.” Tony Scott, the U.S.’s new chief information officer, testified to Congress this year that “one of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats.”
Cybersecurity is a shared responsibility, and greater collaboration between government and private sector companies is needed to share information, best practices, and potential threats.
The most important tool in securing our cyber footprint is knowledge and innovation. While the explosion of new technologies has made our world more interconnected and simplified our lives, we as a society have become entirely reliant on them before ensuring their security. We should continue to learn and innovate, but must do so in a safe way. More attention must be paid, warnings should be heeded, and in government, cybersecurity must be elevated to a national security issue.
Get the recap of top opinion commentary and original content throughout the week.