Reports that China (most likely) has breached Office of Personnel Management (OPM) systems and stolen personal information (PI) of over four million current and/or former federal employees raises all sorts of questions regarding the government’s responsibilities to protect PI it has in its possession; the government’s enforcement against the private sector for failing to prevent similar losses of information; and setting appropriate priorities across branches of government for protecting privacy.
Everyone would likely agree that the government has an important responsibility to protect PI that it retains—whether that is the PI belonging to government employees retained by OPM, or financial information belonging to private citizens retained by IRS. But what are the consequences when government fails to protect information, as compared to when a corporation fails to protect information? The FTC and other government regulators are taking a hard look at, and in some cases bringing enforcement actions against, companies for inadequate data protection practices. (The issue of how the FTC decides to bring cases is itself an issue, as highlighted in this recent FOIA case filed against the agency). The question arises: what is the appropriate mechanism for ensuring that OPM or any other government agency is accountable for data protection? And who or what entity is in the position to judge whether government agencies’ data protection practices are adequate?
One amusing answer might be to deny the U.S. government enforcement authority over any standard that it cannot, itself, meet. Less rhetorically, however, it is time, and past time for the U.S. government to subject itself to a comprehensive cybersecurity audit, measured against the NIST standards, and conducted by an independent outside commission using non-government assessment tools. Eight years after President Bush began reform of the federal government’s own cybersecurity practices in the Comprehensive National Cybersecurity Initiative, it is appropriate to take stock of how well we are doing.
Relatedly, given the steady stream of data breach reports originating both from the government and private sectors, it is hard to imagine how protection of information and cybersecurity could be viewed as any more important. And, yet, the NSA surveillance debate has perhaps consumed so much of the oxygen of important lawmakers, policymakers, advocates and public servants that it has taken attention away from other important issues, cybersecurity being one of them. From a privacy perspective, why shouldn’t we be more concerned about what China or Russia might do with the information they are stealing about Americans, than we should about what NSA is doing with information it collects in its “highly regulated” (as Senator Whitehouse notes in his thoughtful remarks at NSA posted on Lawfare) activities designed to protect the public from national security threats?
The reports about the OPM breach are especially ironic given the near-coincidental timing of the New York Times disclosure of the unremarkable fact that the NSA is using its surveillance authorities to pursue foreign hackers. There seems little doubt that the Times story was intended to derail the CISA bill and yet its “revelations” seem especially curious in light of on-going Chinese activities. Ought not the NSA be in the business of trying to track the hackers?
Perhaps the OPM hack will also highlight the need for more careful consideration of prioritization of government resources devoted to protecting privacy. It is more than likely that in the past two years, civil liberties and privacy officers in the Intelligence Community, at the Department of Justice, and at other relevant government agencies have spent a substantial – if not, in some cases, the majority of their time – working on issues relating to the Snowden disclosures, FISA oversight, and resulting transparency initiatives. As have their agency heads. As have relevant Members and staff in Congress. There is no way they could not have: domestic constituencies, international partners and legislative initiatives all demanded it. And the operational impact of the recent surveillance debate is one the government doesn’t really talk about or quantify. But it is worth considering whether the time that ground-level analysts, operators and lawyers; mid-level management; as well as senior leadership have spent – and, more importantly, will continue to spend – on the narrow issue of FISA-governed surveillance is arguably out of proportion to the other aspects of privacy protection that government need address.