I won’t pretend to understand the implications of the massive hack of OPM, particularly not when the government’s story about what actually got hacked seems to be changing from day to day, but they seem to be pretty terrible. The latest story is that a second hack managed to compromise security clearance paperwork, which means the hackers may have deeply personal details on, say, DOD employees with clearance, including some covert operatives (whose covers are now obviously blown). Aside from the national security risks, this potentially puts people’s lives and/or privacy at grave risk.
What I will say is that if OPM can’t manage to protect the personnel data it’s charged with keeping, then it’s not clear why OPM should exist at all. Maybe there’s just no way to run an agency tasked with maintaining that much data and still have it work nimbly enough to stay ahead of threats, though reporting like this piece at arstechnica suggests that OPM didn’t even really try. Heck, maybe the government is too gridlocked for an agency like OPM to get approval to make the kind of changes it needs to make. Whether the problem is just plain incompetence at OPM or some structural incompatibility between operating a gigantic single government personnel clearinghouse and keeping pace with the speed of change in cyber-security, it still seems like it’s time to break OPM up and task every department or independent agency in the government with running its own HR. Whatever benefits there are to having a single HR office for (most of) the government can’t possibly be enough to outweigh the damage that an attack like this one can cause. And even if you blame the whole thing on incompetence, there’s no guarantee that the next group running OPM, or the one after that, won’t be just as incompetent as this one was.
Breaking up OPM and moving personnel information to specific departments won’t fix everything, but it will at least be harder for hackers to access so much personnel information from a single place. And maybe if federal departments, especially those with highly vulnerable employees like DOD, are responsible for securing their own employees’ private information, they’ll take the job more seriously than OPM seems to have taken it. If banks that are too big to fail should be broken up, and they should, then government agencies that are too big to do their jobs probably should be also.