We’ve been covering the massive data breach at OPM since it was first exposed and there’s never been very much in the way of good news. The incident exposed not only the personal records of huge numbers of people, but the potentially crippling flaws in our own cybersecurity systems. Work continues to see what can be done to prevent similar exposures in the future, but with court cases making their way through the system this year people are also asking if there wasn’t anything that could have been done to prevent it in the first place.
Until now, the general consensus seems to be that it was regrettable, but nobody could have seen it coming. The lighting fast evolution of web technology just makes it too difficult to anticipate every eventuality. To a certain extent that may remain true, but in the specific case of the OPM records, two NASA contractors claim they warned the government about this threat nearly ten years ago but they chose to ignore it. (NextGov)
Aerospace engineer Dennis Byrnes and astronomer Bob Nelson, who both worked as NASA contractors, opened letters from OPM informing them their personal data had been compromised.
The two say they saw the whole thing — a massive data breach involving sensitive background investigation forms — coming almost 10 years ago.
In a case that made it all the way to the Supreme Court, Byrnes, Nelson and 26 other NASA contractors argued that the risk of a large-scale hack against the federal government was one of many reasons they should not be forced to submit to what they felt were too-intrusive background checks.
But the risk of a large-scale hack was too hypothetical to even address in court proceedings, Supreme Court justices concluded, and the contractors lost their case.
The headline of the NextGov article is, perhaps, a bit more dire sounding than the underlying reality. True, the contractors did raise the alarm and foresee this possibility and they went through the normal court system so the warning was heard at all levels. Nothing was done in response, so that looks fairly bad for the government.
But at the same time, let’s look at the meat of the complaint raised by the contractors. Their goal in bringing the suit was to prevent the government from collecting so much personal information. (And to be honest, that’s a complaint I have some sympathy for. Some of the questions, including sexual history, etc. seem far afield from what could be useful in determining their trustworthiness.) They weren’t bringing any sort claim that the system was too weak to protect that data nor offering a better way to keep it secure. They simply argued that the data shouldn’t have been there in the first place.
With all that in mind, I don’t see how this particular revelation makes the government any more or less culpable than they already were. The data which was hacked could have been as simple as nothing more than the employees’ names, social security numbers and dates of birth. It would still be a very bad thing to have it compromised, but it wouldn’t have been any more or less secure than it was when the hack took place. Basically, Byrnes and Nelson just raised their hands and said, ‘Hey. Some smart hackers could break in and get all this information.’ And of course, that’s just what happened. But the fact that hackers exist in the world was already known before they pointed it out. This revelations may, however, carry some weight in the civil suits now making their way through the courts because it demonstrates that the government stored all of that incredibly personal information while knowing that a hack could happen.