A hacker claimed this week to have stolen 200 gigabytes of sensitive government information, including personal details about 30,000 employees at the Department of Homeland Security and FBI.
How did he do it? When his initial attacks failed, he posed as a confused government employee and called the agency’s customer service line. They proved very helpful, immediately providing him with a valid token code. This frequently-changing access code is supposed to improve security, because employees are only able to obtain it through a government-issued device they’re meant to carry with them. But token codes aren’t much protection when people give them out to strangers over the phone.
Having defeated their own security system, customer service let the hacker help himself to up to a terabyte of information through a Department of Justice computer.
This sort of story might have seemed hard to believe a year ago. But today, it is par for the public course. The federal government, with its annual budget of $3.8 trillion and civilian workforce of more than 2 million, is the biggest and best-funded entity in the known universe. It is also hopelessly incompetent to perform many of its multitudinous functions. One of its special incompetencies is protecting sensitive data, on which it nevertheless spends a staggering $80 billion per year.
Not only do cabinet secretaries arrogantly compromise national secrets for personal convenience (Hillary Clinton), but the nuts and bolts of data security and the common sense of those protecting data appear non-existent.
One example cropped up in 2013. The healthcare.gov website was a hot mess of data insecurity, although this was largely overlooked because of its many other failings. It was constructed so poorly for launch that anyone who logged in at the beginning could gain access to everybody else’s private health insurance data instantly simply by changing their browser URL.
Then, last year, came the big one. The Office of Personnel Management admitted that two massive data breaches had apparently put sensitive or compromising information into the hands of a foreign government. The first breach affected 4 million federal employees, the second contained sensitive background investigation data on 22 million others.
The biggest government in history has the biggest data breaches in history. It figures.
Among the information stolen was millions of private citizens’ personal, financial and health information, and in many cases even their fingerprints.
These breaches were avoidable. OPM had been warned a year earlier by its inspector general that several systems were insecure and should be shut down. But bureaucrats and the agency’s former director ignored these warnings.
The broader lesson is that the federal government does lots of things very badly. Congress, candidates for president, and policy makers need to think big about reforms to cut the volume of sensitive data that the feds store, even if that means reducing government’s role or refraining from expanding it into new areas such as health care.
Data security concerns should prompt those who regard government as the great problem-solver to question their assumptions. The federal government must have some data, and it should protect it, just as it must protect national secrets. But it should be allowed to see far less personal information than it currently demands, and which it is abjectly failing to protect.
