The hack at the Office of Personnel Management shows what happens when lax security gets combined with organizations or governments getting too big. CNN has a pretty interesting rundown on how the hackers may have found a way to get into OPM servers. One way involves figuring out which agency hasn’t had its servers updated in some time.
Let’s say there is a U.S. government agency — Agency X — that does not update its server operating system software patches. We don’t know which agency it is because the federal government doesn’t want to reveal everything it knows to the Chinese and the cyber links the agency had to the Office of Personnel Management.
The “Agency X” could be any of the dozens of alphabet agencies in Washington DC, designed to control our lives and well-being in one shape, form, or another. The easy solution to plugging the cybersecurity hole is making sure all the agencies have the best security. The tougher question is figuring out which agencies even have to exist. This isn’t just a call for dissolving the agencies conservatives and libertarians tend to target, like the EPA or Department of Education, but to take a hard look at the federal government as a whole. Does the U.S. actually need a Food and Nutrition Service; Food, Nutrition and Consumer Services; AND Center for Nutrition Policy and Promotion? Should there be a Rural Business-Cooperative Service, Rural Development, Rural Housing Service, and Rural Utilities Service? Do the General Services Administration, the Office of Management and Budget, and Council on Economic Advisers need to exist? These are questions the federal government, and people in general, need to ask as they study the ins and outs of the hack.
The same goes for private businesses. Sony Pictures Entertainment was hacked last year by…someone (the claims by the U.S. government that it was North Korea are a little suspect). Sony Pictures has 25 divisions, ranging from animation to television ad sales to home entertainment. JPMorgan Chase saw its data get breached last year with 83 million accounts exposed. The bank has 46 executives for around 30-36 departments and who knows how many sub-departments. Hackers have also hit major corporations including Target, with its 47 executives and 36 departments. Visa, MasterCard, Home Depot, American Airlines, and United Airlines have also been hit by hackers, but those were through third-party vendors. Not every hack happens because businesses are too big. Michaels has a smaller board, but got hacked because of lax security. AT&T saw data get stolen by 43 employees who were corrupt. Yahoo! isn’t the biggest company out there, but has been hacked multiple times. LinkedIn’s 2012 hack came because its security system wasn’t as strong as believed. Security breaches happen, and this is why it’s important for businesses and their customers to protect their own data as much as possible. But it’s also important to look at the size of a business (or government) and the dangers of having too many fingers in too many pies.
This is NOT an anti-corporate screed, but a word of caution. Businesses need to ask if it’s smart to be involved in a new venture or if a spinoff company with a completely different leadership team, balance sheet, data center, etc. should handle it. The same goes for government agencies. Congress and the president should seriously take a look at their operations and decide whether “Agency X” should exist or not. Or whether “Agency X” should even be involved in the area of governance it’s involved in, or if the private sector should handle it. The nature of government is to grow, so it’s highly unlikely a review will actually happen. But it’s something the right needs to be aware of, and it needs to elect leaders who are aware of it as well. After all, holding PR-driven, government-run summits on cybersecurity and consumer protection only goes so far. The same goes for naming the person who served as your 2012 National Political Director as head of the OPM. Just an idea.