Influencers: OPM chief should be held responsible for breach
The White House backs Katherine Archuleta after the data breach, but a whopping 84 percent of Passcode’s pool of security and privacy experts say she should be held accountable.
Illustration by Jake Turcotte
The Office of Personnel Management chief should be held responsible for the lapse in security that led to the breach of millions of personal records, a whopping 84 percent of Passcode’s pool of security and privacy experts said.
The White House backs Katherine Archuleta, the agency’s director, after the data breach that exposed the most intimate details from the personal lives of those applying for security clearances, including potential drug and alcohol abuse, bankruptcies, criminal activity, and even their sex lives.
But Passcode Influencers say Ms. Archuleta must take responsibility, and some, such as Rep. Jim Langevin (D) of Rhode Island, say she should lose her job.
“There is no excuse for leaders in government or the private sector to operate without a risk-based cyberstrategy,” said Representative Langevin, cochair of the Congressional Cybersecurity Caucus. “I have seen no evidence Ms. Archuleta understands this central principle of cyber governance, and I am deeply concerned by her refusal to acknowledge her culpability in the breach. I therefore believe that Ms. Archuleta should tender her resignation immediately.”
Langevin said he hopes other agency directors are “paying close attention to this incident and taking the opportunity to quickly and thoroughly reexamine their own cyber risks.”
The Passcode Influencers poll is a regular survey of more than 100 security and privacy experts. The full list of Influencers and their responses is below. To preserve the candor of their responses, Influencers have the option to comment on the record or remain anonymous.
When it comes to cyberattacks, “you never want to blame the victim,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation think tank. “But in this case,” Mr. Castro continued, “OPM is not the victim.”
The victims were the millions of federal employees, contractors, and job applicants who had their personal information exposed in the breach, Castro said. “OPM was negligent, plain and simple,” he said. Another Influencer, who chose to remain anonymous, added: “All the warnings were there and OPM and others appear to have failed in their leadership and management miserably.”
Director of National Intelligence James Clapper named China as the primary suspect in the cyberattack last week — meaning this deeply personal data could be in the hands of foreign hackers seeking to blackmail or otherwise exploit workers to gain entry to US systems.
“The loss of [Standard Form 86] data represents a life-long risk to the affected employees,” said HD Moore, chief research officer at security firm Rapid7, referring to the forms required in security clearance applications that contain incredibly personal information. “Standard responses such as credit monitoring are meaningless in the face of blackmail.”
Influencers also supported the finger-pointing if only to inspire other senior officials at other government agencies to pay better attention to cybersecurity. “The Navy relieves captains of their ships when these ships run aground,” says Martin Libicki, senior management scientist at RAND Corp. “It isn’t always fair but it keeps ships afloat. It is almost irrelevant why OPM screwed up so badly in so many ways. The ship’s aground, the captain must go. This way, every other department head is put on notice.”
A slim 16 percent minority of Influencers defended Archuleta, insisting she should not be held responsible for the lapse in security. Some, like Moss, said that if Archuleta loses her job, it would actually send the wrong message other agencies.
“I say ‘no’ because I want more Secretaries of departments to go digging for security problems,” says Jeff Moss, founder of DEF CON Communications. “The issues at OPM predated the current director by years. If she is to take the fall for all the past wrongs when she was already a year into trying to fix them, then why would a head of any agency ever look for security problems if all it leads to is their public shaming and removal?
A commitment to cybersecurity, Moss continued, “is only taken seriously if it comes from the very top of an organization and is followed up with actions. I will wait and judge the OPM chief based on if she holds people accountable and can start to reform the systemic issues that lead to this total disaster in the first place.”
What’s more, said Steve Weber, professor at the University of California at Berkeley’s School of Information, blaming one person will not even fix the bigger problem at OPM. “Let’s not imagine we can fix this problem – which is widespread — by ‘blaming the boss’ and having one person fall on a sword,” Weber said. “It would be much more courageous — and effective — for the White House to focus on the deeper, systemically absurd security practices that made is embarrassingly easy to break into OPM.”
What do you think? VOTE in the readers’ version of the Passcode Influencers Poll.
Who are the Passcode Influencers? For a full list, check out our interactive masthead here.
Comments: Yes
“The administration should immediately cease adding any sensitive information to any government database, unless its security is assured. The harm to national security cannot be overstated. In a pre-digital world, a tiny fraction of this information would have been an intelligence win for a foreign nation. The scale of this is stunning. We have taken some of the most sensitive and valuable information on millions of government officials, and placed it a rusty leaking bucket.” – Passcode Influencer
“The mission of the OPM is ‘recruiting, retaining and honoring a world-class force to serve the American people.’ This breach has significantly harmed OPM’s ability to conduct its mission. This goes beyond a cybersecurity failure ... it is a mission failure and leadership should be held accountable.” – Passcode Influencer
“The threats were well known, there were numerous examples of similar breaches, and the head of OPM did NOTHING to make sure the information she was responsible for was secure. Such incompetence, if not outright malfeasance, should not be tolerated.” – Passcode Influencer
“Everyone who stores our data should have a legal responsibility to take reasonable measures to keep it safe. It seems that the security here was far below what was reasonable given the vast amount of sensitive information. It’s time to start thinking seriously about these obligations and shift our focus toward building and incentives for more secure systems instead of just on “information sharing” and forensics. more secure systems” – Cindy Cohn, Electronic Frontier Foundation
“There appear to have been repeated failures at many levels of OPM. But, OMB should also be accountable for the very high FISMA metrics scores they showed for OPM this year.” – John Pescatore, SANS Institute
“Responsibility shouldn’t end at OPM. Someone at the White House should also be held responsible for OPM’s disgraceful security.” – Passcode Influencer
“The breadth and severity of breaches continues to expand. We have to expect that executives will increasingly be held accountable for failures in security risk management and privacy.” – Passcode Influencer
“The buck stops with the Chief Executive – CEO’s of large US companies have been held accountable – not so much for the breach itself (that would be everyone) but rather how they mishandled the incident response and communications.” – Passcode Influencer
“Every agency leader, by now, is aware of the need for better security practices. Although they do not get much help from DHS and other agencies they should take their security seriously.” – Richard Stiennon, IT-Harvest
“I believe the tradition of sacking people (particularly security people like chief information security officers) in the aftermath of breaches is becoming counterproductive. It’s not unlike firing your doctor because you caught a cold. However, the scope of this breach is unprecedented, and it may take decades to truly assess the consequences of this breach on the lives of the people whose most private details were leaked. It doesn’t appear to be limited to Federal employees, but potentially everyone who has ever been investigated for a security clearance. There appears to be a serious governance problem with this organization. Were this a private company, I think we’d be seeing legislators calling for existential sanctions against the organization where this happened. In the public sector, there are few feedback mechanisms to aggressively force organizational change, and one of those is public censure and termination. A thorough post-mortem should occur, ignoring media and political concerns, and if the findings are there, a serious ‘house cleaning’ may well be justified, as well as personal liability of staff in cases of documented negligence.” – Bob Stratton, MACH 37
“The OPM chief should not have to be technical. But the chief is always responsible for what goes on within the organization. And while the chief does not have to be technical they must be able to hire and empower the right people that are technical. Given that cyber security is such a big topic item for the government it is embarrassing to have numbers such as “10 million attacks per month” being spouted off to Congress during the Congressional hearing. I thought that was grossly misleading to the American public. If the chief doesn’t understand why that number is misleading, and the staff that the person hired does not stop those type of metrics, then the issue is at the top and not within the tech.” – Robert Lee, Dragos Security
“Leaders are accountable and this could have been predicted based on prior events.” – Passcode Influencer
“You do not get to build an information-based business today without taking responsibility to secure it. When there are people’s lives at stake, there is literally not enough capital in the world to underwrite the risk.” – Passcode Influencer
“The best way to ensure that future leaders of various organizations place the necessary priority on operational security is to start holding them accountable for what happens on their watch.” – Sascha Meinrath, X-Lab
“Should the captain of a ship be held responsible if it hits the Rock of Gibraltar? Yes to both questions.” – Passcode Influencer
“The OPM was repeatedly warned by the Inspector General of significant security lapses dating back to 2012. OPM leadership repeatedly failed to take the OIG’s warnings seriously. The potential consequences of this breach may be devastating for military and government personnel who hold clearances due to the highly personal data contained in SF-86 forms stored on OPM’s network. The White House, Congress, and the American people should hold OPM responsible and accountable for this breach due to negligence.” – Jeffrey Carr, Taia Global
“The leader of an agency is responsible for his or her organization, even if there are seemingly insurmountable institutional obstacles. That’s not unique to government. This was a data breach unlike any other, as CDT’s CEO Nuala O’Connor said in an excellent piece on the CDT website.” – Passcode Influencer
“The OPM chief should be held ultimately responsible. To have ignored prior warnings about the state of security, and to have not adequately assessed the level of sensitivity of the data contained in the system, is inexcusable from a privacy standpoint and an operational standpoint. There have been privacy laws on the books in the US since the early 1970s. The E-gov Act in more recent years directed all agencies to have privacy programs. The private sector is held to a high standard during data breaches, and this breach goes far beyond most of those in the scope and complexity of the data revealed.” – Nuala O’Connor, Center for Democracy and Technology
“Absolutely. The Homer Simpson defense (It was like that when I got here) should never work, especially after two years on the job.” – Passcode Influencer
“Set aside what happened before the breach was known, the absurd way they talked about cybersecurity afterwards demonstrated a lack of awareness of the basics of not just cybersecurity, but leadership.” – Passcode Influencer
“While it is not the failure of one person, accountability is a first step in creating a better culture of preparedness in the public sector.” – Passcode Influencer
“The conditions that led to this highly preventable breach are themselves a symptom of a widespread culture in government to treat unclassified data as unimportant. But OPM leadership long knew of the deficiencies in their information security posture, and chose to prioritize other activities as opposed to taking fundamental steps to better protect the personal data of those entrusted with our most sensitive national security secrets.” – Nick Selby, StreetCred Software
“Agency heads are responsible for the operations of their organizations. Cybersecurity is a critical operational component. It is gaining more visibility because of the need to protect information. Oddly it seems to not have enough visibility (perhaps its understanding) across agencies, either at the executive level or the day to day level. Holistically, when you don’t have a strong federal workforce in cyber, you don’t have CISO’s with a span of control (budget, training etc) and the Cybersecurity roles within the government still unclear, these elements combine with bad day to day practices results in adversaries getting into federal systems and staying for a long time. These things work against us and can’t be addressed separately.” - Geoff Hancock, Advanced Cybersecurity Group
“My answer is yes and no. It depends upon what “held responsible” means. Of course this person must be expected to manage as well as possible and provide oversight over the people and technology under her/his purview. It isn’t always possible for any leader, however, to manage her/his way out of security breaches. When you word a question in this manner on a topic like this you should consider offering a response choice of “yes and no.” – Janna Anderson, Elon University
“The OPM Chief is ultimately responsible for the actions of her department. However, if everyone is getting “hacked” our cybersecurity strategy is not working. Instead of looking to place blame we should address the problem of cybersecurity.” – Passcode Influencer
“Leadership is a fundamental ingredient for the success of any organization and includes both responsibility AND accountability. Prioritizing multiple complex strategic activities, asking hard questions of your team to understand the unknowns, and resourcing critical activities are measures that cannot be delegated.” – Mark Weatherford, Chertoff Group
“Yes of course the head of an agency is responsible for the protection of the data it is entrusted in holding.” – Anup Ghosh, Invincea
“The operations of OPM - including their technology - are the responsibility of their chief. However, this is not her fault; this is a result of underfunded and change-averse Federal policies around technology. Congress needs to properly incentivize maintenance of existing and legacy information systems.” – Passcode Influencer
“The buck stops at the top in terms of taking responsibility for a security incident - and taking responsibility in a breach includes conducting a thorough investigation or the scope of the incident, the failures that lead to it, and determining the steps for recovery. All software and networks contain security vulnerabilities. Breaches of this type are not uncommon among networks that have been inherited and built up on legacy systems, without adequate protection of sensitive data. The effectiveness of the response and remediation going forward will determine how well the OPM chief fares in all this. One must never waste a good crisis.” – Katie Moussouris, HackerOne
“All leaders are responsible for what happens in their organizations. But I don’t necessarily think he should be terminated as a result of this breach.” – Passcode Influencer
“I’m not sure what “held responsible” means here. Certainly, there should be a “buck stops here” approach adopted by OPM leadership and a demonstrated commitment to finding and fixing problems. None of that gets my data back though.” – Passcode Influencer
“The most logical following question would be ‘do you expect it?’ Certainly we don’t have a rich tradition in federal of sacking perpetrators of major gaffes.” – Passcode Influencer
“OPM Director Katherine Archuleta told the House Oversight and Government Reform Committee on 23 June that nobody was to blame for the OPM breach. She said, “Cyber Security problems take decades; Cybersecurity problems are decades in the making. The whole of government is responsible.” [She also said] “I don’t believe anyone [at OPM] is personally responsible.” I did not expect that response. It is one thing to say that you weighed the risks and chose to spend resources elsewhere on other matters that I thought were more important. That is what leaders get paid to do. It is quite another to disavow all responsibility and blame some vague concept of Big Government as being at fault. Chairman Jason Chaffetz, R-Utah, pushed back pretty hard. He told her that the Inspector General has been telling OPM about the risks since 2007 and she decided not to take the warning. Second, There is a lot of blame to spread here. You can blame Director Archuleta’s security staff for not conveying how significant the risk of a non-secured personnel database is to the functions of our government. You could blame her staff again for not preparing Director Archuleta for her committee hearing with better answers then “it was not our fault.” But the ultimate blame goes to Director Archuleta for not owning the risk to her organization that she has been in charge of since 2013. If she would have owned that risk from the start, the result may have been the same, but at least she could convey the reasons that resources were spent on other priority items than on the things that the Inspector General recommended. She should definitely be held accountable.” – Passcode Influencer
Comments: No
“Changing a person will not help – it is purely symbolic, and such symbolic gestures are precisely, totally, and without debate what happens in political hierarchies (read, Washington) whenever there is bad news to handle. Even talking about whether to fire someone is a criminally profligate waste of the citizenry’s attention span. What is neither a waste nor a diversion is the question that matters: When data is scarce or precious, there may be compelling reason to centralize it, but if and only if that centralization is risk cognizant. When data is either plentiful or of marginal value, then centralizing it can only create risk, never value. Therefore, what is to be asked of those to whom OPM reports is what, exactly, was their raison d’etre for assigning the OPM its role as centralizer (scarcity or preciousness of what, exactly), and whether they delegated to OPM their own duty of risk cognizance on purpose or by accident. If wanting prediction, then the supposed reforms embodied in the Dodd-Frank law massively removed resilience from the financial system by forcing the centralization of functions previously widely dispersed into what now can only be described as freshly minted single points of failure waiting to happen. It is the urge to centralize that is what political hierarchies do. It is apologists for, and hucksters of, centralization that should lose their jobs.” – Dan Geer, In-Q-Tel
“I’m saying ‘no’ not because I don’t believe in accountability, but because I think the question obscures the problem. The breach is the result of, sadly, quite common security practices. The head of an agency is surely responsible for what that agency does (or fails to do), but let us not confuse that legal and cultural fiction with an actual belief that most leaders in Katherine Archuleta’s position have an easy way of knowing what’s going on in IT security and improving the situation — the failure here is systemic and all too common.” – Jonathan Zittrain, Harvard University
“Asking OPM to protect infrastructure developed in COBOL 30 years ago is the same as leaving US soldiers to protect their humvees by welding on scrap metal. The congressional sequester of funding and programmatic authorities, denying federal agencies modern information systems, is as much to blame.” – Chris Finan, Manifold Security
“It’s important not to punish people for looking to identify and solve their problems. This could have been actively ignored, and upon discovery, this could have been swept under the rug. That’s not what happened. There’s no question there’s some deep issues at OPM. I stand concerned about disincentivizing the next cleanup. What, you think OPM’s the only hacked agency?” – Dan Kaminsky, White Ops
“No. Piling on agency leaders isn’t likely to help matters. In the wake of the hack of the Office of Personnel Management’s (OPM’s) computer system, the Chamber stressed in a blog that this episode should prompt Congress to pass cyber information-sharing legislation once and for all. The cyber fingerprints of the reported Chinese espionage against OPM need to be shared with appropriate public- and private-sector organizations in a timely manner. Also, policymakers should help OPM get its house in order. Pointing fingers at hacking victims like the agency may be politically fun for some, but it’s the rough equivalent of a sugar or caffeine rush — it’s good while it lasts but offers few sustained benefits. Indeed, the private sector has received its fair share of finger pointing in the wake of cyber incidents, so while a touch of schadenfreude is tempting, it’s ultimately empty and unserious. We — industry and government — need to be battling the bad guys together. Asking OPM authorities what they need to assist federal employees and apply additional security controls will serve them best. Above all, this incident should push Congress to pass information-sharing legislation with strong safeguards for business. Sophisticated criminal gangs and malicious actors in China, Iran, North Korea, and Russia (or their proxies) should not be allowed to put people’s sensitive information at risk of abuse Their actions can be restricted--of not prevented — through improved information sharing.” – Matthew Eggers, US Chamber of Commerce