Last night I was asked on Fox News what I thought the impact of the OPM hack would be and I commented on the incredulous amount of information that has been stolen and the potential impact on over 21 million Americans. In my opinion, no more valuable a trove of information can be found outside of actually compromising our national defense systems.
For those of you that don’t have a security clearance, the information that is on these forms is staggering. Due to the fact that an initial security background has to be complete in order to properly “vet” the individual for access to classified data, applicants are required to pretty much place their entire life on this forms: addresses, positions, next of kin, SSN, criminal background, medical issues, drug use etc. I don’t know of one other single source of information that is so complete about an individual.
For this reason, I am astounded that, at a minimum, none of this data was at least considered critical enough to national security for it to be encrypted and possibly be declared classified. These “crown jewels” should not have been left in an antiquated IT architecture with 80 various agencies having access to it, without being protected. Even after the 2 contractors that had the contracts to conduct background checks were hacked, nothing was done to increase the security around this data and to keep it from nefarious hands.
The OPM and the Obama administration needs to move fast to fix this. Right now, there are 21 million Americans, including me, whose lives are now compromised and will be, for decades. This data must be taken off line and encrypted, if not placed behind a closed architecture with limited access. There must be some basic cyber security procedures taken such as these to at least provide this information with the protection it warrants. Making some easy decisions such as these and moving fast will show the American people that this cyber-attack is being taken seriously.
Assigning attribution for this hack and having a plan of attack to counter this threat should be of the highest priority. The American people should know that the data they entrust to the USG is safe and that those people or counties that violate that agreement will be punished. While the #1 culprit, presumably is China (and personally I agree that no other country has more to gain through the theft of this data), it is critical to identify the entity behind this act and resolve the damage through a combination of diplomatic, legal, economic or military action.
Oh, and 3 years of credit monitoring doesn’t even come close to compensating these victims for this hack. The USG should move to provide compensation for each American who has to find the time to fix identify theft associated with this. Additionally, creating a law enforcement capability or augmenting an existing agency such as the FBI to review stolen records and monitor various healthcare, insurance, tax and yes OPM systems for fraud, exploitation and impersonation would help provide the necessary increase in vigilance.