Federal Government: 4 million Employees Data Hacked, at Risk

Won’t know that until an investigation is done. The federal government should treat its own the same way they treated Target.

If the information is going to be useful, it pretty much has to be on a network of some kind. Even if it’s a closed network, not attached to the internet, and accessible only to employees who badge into a building, there are still opportunities for breaches. The Natanz nuclear facility in Iran was air gapped and surrounded by thick concrete walls. The US and Israel still got malware onto the systems there and mucked about with the enrichment processes (Stuxnet).

Well, you keep saying this. But, absent our doing the research to back up your argument, all we have is your assertion that there WAS any difference.

So, in what way was the Federal government coming down like a ton of bricks on Target, at this point in the story of that data breach?

It’s nice to wave around that $3 trillion figure, but it’s not like the President can do whatever he damn well pleases with it.

The U.S. government has often been described as a retirement program with an army. The bulk of the money is going to Social Security, Medicare, Medicaid, and defense programs. And what’s left has largely been allocated to specific programs. It would be nice if the President could simply shut down some defense boondoggle, and spend the money on information security, or more USDA and FDA inspectors, or whatever.

But we settled this one back in the Nixon Administration: the President can’t just take money that Congress has allocated to a particular purpose, and spend it on something else, or just not spend it. He has to carry out the laws as passed by Congress, to the extent that Congress gives him the resources to do so.

And in the case of the budget, that’s pretty straightforward, unless Congress fails to extend the debt ceiling one of these days.

Keeping IT systems current can be covered under departments’ existing budgets. Or are we to assume that the DoD can’t keep a Chinese hacker from launching our nukes?

And you realize the difference in vulnerability between networked and non-networked machines?

Most importantly, I recognize the difference in accountability between corporations and the government. If a corporation gets hacked, the corporation is responsible and faces punitive action from the government. If the government gets hacked, it’s just an unfortunate incident and we have to live with it. And please, continue to voluntarily give your personal info to the government. Otherwise, it will become mandatory.

So you think government IT offices don’t have performance metrics and don’t face consequences when they don’t meet them?

It's early and I was up till 1:00 AM last night helping my company respond to a hack. So I'm not running on all cylinders yet. But, what punitive actions does the government take against companies that have been hacked? HIPAA provides for some sanctions for noncompliance, but as far as I know they haven't hit very many healthcare organizations with them as the direct result of a hack. SOX provides penalties for noncompliance and for filing fraudulent financials, but I don't think it has penalties for being hacked. I'm having a hard time remembering any corporation that was penalized by the feds for being hacked.

-Bayard
Computer forensics and incident response guy

So what are the consequences? The general view is that only total fuckups get fired if they work for the government.

On an agency level, screw up enough and Congress gets upset. Get Congress upset, and they either micromanage you or they just cut funding. Get the administration upset at you, and you may find your agency loses power very quickly.

On a management level, screw up bad enough and someone is going to have to resign in disgrace. It’s not pretty.

On an individual level, you can definitely get fired, especially for hard lapses like something that violates privacy policy. You can also be demoted. More likely, you'll end up pushed out, assigned to do filing alone in a basement somewhere until you either get the hint or your career is totally derailed.

Unfortunately, I think you’ll find that many agency computer systems are contracted out to commercial companies, who only have to make target percentages of patched/secured/updated systems. And the contract will also be written to exclude responsibility for any data breaches that occur. So, yeah, an agency system gets hacked. Investigation reveals one user clicked a bad attachment, and caused an opening that allowed other hackers in. The network was 95% patched in accordance with the contract, so the contractor is not at fault. Information Security is now a required line item in agency budgets, and the agency can show they have been screaming for more money but not getting it. Various heads of departments say “Not my fault, I’m not responsible. Here’s my Statement of Work, and I’ve exceeded all targets as shown by my annual review”

So whose fault is it? Nobody. The only punishment would be to the poor person who clicked the attachment. And nobody gets fired for that, certainly not a government employee.

The one with enough tech savvy to run her own email server from her house? :smiley:

That just speaks to transparency, of course, not security. We do not know what security Clinton was running or how her system performed against hacks.

We could achieve the same result simply by prohibiting OPM from informing the public about hacks. Personally, as an employee who was potentially affected, I prefer an employer who will at least tell me when it happens.

If the contractor didn't hit the targets, the contractor and possibly the person managing the contract is responsible. If the targets don't comply with agency policy, then whoever set and approved them is responsible. If the agency policy is inadequate, then the IT security team that developed it is responsible.

But yeah, if the targets are reasonable given resources available, then it’s either a case of “we did what we could with what we got” or “stuff happens”. IT departments are not staffed by ninjas and magicians. They can only do things that are possible to do.

Well, that was…less than reassuring. I tried to call OPM to inquire about any efforts being made to notify former employees of the data breach, and if there are any, the info sure hasn't made its way to the front desk of the IT department. Even after I mentioned that I last worked for the Feds in 1994 and several addresses ago, I was told a letter would be sent to my home address, or I would receive an e-mail.

Uh, the only e-mail address I had in 1994 when I left was my DOJ one.

I tried the webform - maybe I will have better luck there. I also left a voice mail for the local office where I worked, for someone I worked with who is now the admin manager. Hopefully that will get better results :slight_smile:

Wired is reporting that the hack encompassed the SF-86 forms used to apply for a security clearance. Which would mean they know everything: former addresses, close associates, employment history, mental health treatment, foreign contacts. Basically lots of stuff that might be used to blackmail someone is now in the hands of blackmailers.

According to Wired, OPM had no IT security staff until 2013.

Wow, the government is really proving the critics right on this one. No IT security until 2013? That’s insane.

http://www.thedailybeast.com/articles/2015/06/24/hackers-stole-secrets-of-u-s-government-workers-sex-lives.html