Katherine Archuleta resigned Friday, before anybody even got a chance to show her the door. It had to be.
There was no way Archuleta could remain in charge of the federal Office of Personnel Management, not after it was revealed to be a hacker’s dream. For eight years, cyber-security experts had warned that the office was vulnerable to hacking — by the Chinese, by the Russians, maybe by some whiz kid down the street — and yet the office under Archuleta failed to take the most basic precautions.
But Archuleta’s resignation was only a necessary first step. This latest appalling theft of critical personal information, which compromised the privacy and safety of some 21.5 million people, begs for fast and dramatic action to create the most stringent safeguards possible against hacking — not only by government, but by the private sector at all levels.
Congress frets about illegal immigrants. It worries about airport security. But the single greatest threat to our nation’s safety, capable of throwing whole institutions into chaos, is cyber terrorism.
On Friday, more details emerged about how a hacker vacuumed up Social Security numbers; health, criminal, financial, employment and residency histories; information about families and acquaintances, and even more than a million fingerprints. All this data was secured with a lock that could be picked with the electronic version of a bobby pin.
EDITORIAL
// <![CDATA[
!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, ‘script’, ‘twitter-wjs’);
// ]]>It’s hard to overstate the disaster here. These weren’t credit card numbers, which could be changed. This was deeply personal and permanently relevant information that people had submitted to the federal government as part of confidential background checks, believing it would go nowhere else —addresses, names of spouses and children and close friends, neighbors and travel destinations. More than 21 million people — basically anyone who has undergone a security check in the last 15 years — likely were victimized by the theft.
All this data could function as a recruiting list for China — which federal officials believe is responsible for the hack — or other foreign powers. Looking for a chance to threaten, blackmail or intimidate? Be our guest. Looking for an American who might feel disaffected? Here are the clues. No wonder some people are calling this our nation’s “cyber Pearl Harbor.” And it’s not breach that can be fixed with free credit and identity theft monitoring.
It has long been alarmingly clear that both government and many businesses don’t take online security seriously enough. It’s boring, it’s expensive, it’s never-ending and the victims are somebody else — citizens or customers. And the politics won’t get you as much mileage as shouting for a better border fence.
The OMB, which keeps the records and security clearance information for millions of current and retired federal workers and employees of outside contractors, was warned as early as 2007 that it was vulnerable. But a security measure as basic requiring two different passwords at two stages of access was never put into place.
In fact, the OMB didn’t know which devices and computer servers could access its networks. It didn’t bother with the basic authentication procedures that are common at the corner bank. It didn’t regularly check its system for vulnerabilities. According to its own inspector general, some of its systems were not “operating with a valid authorization.”
Security was so lax that inspector general wanted part of the system shut down temporarily because of the risks to national security. Now, those risks have become a reality. The intruder was able to penetrate the system using a compromised contractor credential.
Online security breaches are on the rise, and almost any large organization is likely to be attacked. The list of companies that have lost personal customer data to cyber thieves continues to grow. As computers get more powerful, security technology will have to advance as well.
After turning a deaf ear to warnings for two decades, government agencies now are scrambling to improve their security. They need to understand that this is a top priority. And it will remain one as long as ever more sophisticated cyber attacks continue.
Follow the Editorial Board on Twitter: Follow @csteditorials
Tweets by @CSTeditorials// <![CDATA[
!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+"://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script”,"twitter-wjs”);
// ]]>
