Is It Time to Appoint a Data Security Czar?

The increasingly alarming news about government-held data security breaches should cause Americans to seriously question whether the U.S. government at all levels is doing everything it could—and should—to protect the data it collects.

In May, we learned that cybercriminals had stolen approximately 100,000 records of taxpayer information from the IRS; as of August, the number of records stolen had risen to over 300,000.

In June, it was disclosed that malicious hackers (likely state-sponsored) had carried off over 4 million pieces of data like Social Security numbers from systems maintained by the Office of Personnel Management (OPM).

In July, it was revealed that more than 21 million records had actually been stolen from OPM, and that the stolen data provided access to highly sensitive and personal data on federal employees and individuals who have applied for or maintained security clearances over the last decade.

Much of the discussion surrounding these crimes has centered on who the perpetrators could be, why and how they did it, who has been victimized, and whether and how the government will pay for identity-theft protection coverage.

There has also been speculation about what the perpetrators could do with such sensitive data. The release of Social Security numbers and other personal information is highly distressing to victims because the stolen information could lead to identity theft, medical and tax fraud and other serious financial harm perpetrated by cybercriminals. Just as worrisome is the possibility of blackmail, advanced social-engineering attacks, and more sophisticated intelligence targeting and espionage by state-sponsored actors.

Also important is the conversation about whether the government could and should have done more to prevent such events in the first place, what level of accountability the government should be held to and whom should be held responsible.

The federal government's public response to the government breaches mirrors the response typical of other hacks: notifying the public (when required, since only 47 states and Washington, D.C., have data breach notification laws, and there is no federal notification law); providing free credit monitoring; promising to revamp its security posture and give a good, hard look at the current state of things; and firing or publicly reprimanding a top official (whether or not the person is responsible).

The type of information stolen from OPM goes beyond traditional personal information such as name, date of birth and Social Security number. Data taken from OPM includes information on the citizenship of relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use and previous addresses.

Some argue that this warrants remediation measures much more aggressive than the two years of free identity-theft protection coverage being offered to victims, and a stronger examination of how these breaches were allowed to occur in the first place.

The information security risks on government systems are similar to those in the corporate world: Absence of a mature vulnerability scanning program, inadequate system monitoring and no multifactor authentication. For systems that hold such sensitive data, the lack of these relatively basic security solutions is concerning.

Americans should continue to raise their voices and ask why this sensitive information was kept on a server connected to the Internet in an insecure fashion, without encryption, and with poor authentication and access control; who approved this approach and how such decisions are made; what data protection options have been considered and how those will change in light of recent breaches.

More generally, Americans should be asking whether government data-protection protocols are up to the challenge. Many government agencies collect and maintain information about U.S. citizens, and it is reasonable to expect that this information should be treated with the utmost of care. When dealing with public sector entities, consumers often have little choice but to comply with requirements and use their online systems.

The increased disclosure of data breaches suggests that such intrusions are becoming the norm, and that defensive software cannot win this arms race. Government officials will not be able to claim they are doing everything they can to protect personal data if they continue to put it on Internet-accessible computers. (The OPM admits it wasn't doing everything it could because of concerns about the costs of upgrading systems.)

The public trusts the government to take care of some of its most personal and sensitive data. As such, should the government simply be held to the same laws and regulations about the security of sensitive data that it requires of private sector organizations that hold sensitive data? Or should the public demand more?

Perhaps it's time to appoint a data security czar who can establish guidelines and oversee how government agencies manage sensitive data. Or perhaps all citizens, companies and government officials should place greater importance on security, no matter the cost or inconvenience—real or perceived.

This may mean spending more resources on hiring talent, paying for more tools, taking the time to immediately upgrade systems when patches are released or promoting secure coding and product development.

Cybersecurity needs to become more of a priority for the government and private corporations. Whatever the solution, public and private officials need to do a better job of weighing the risk-benefit calculation of storing data on Internet-accessible computers and justifying data-handling protocols. Otherwise, continued breaches of databases containing sensitive personal information could very well lead to more strident public demands for a change in the status quo.

Susan Everingham is a senior policy analyst, and Lillian Ablon is a researcher at the nonprofit, nonpartisan RAND Corporation.