Alright, we’ll do bad news first. Not because I’m a cynic (I’m not), but because I want to get it out of the way and talk about some positive things that are happening with the federal government as they relate to safeguarding American citizens’ personal and private information.
The bad news is we are continuing to see data breaches of federal government agencies. The list of departments suffering hacks resulting in the compromise of the personal information of hundreds of thousands of Americans continues, with two additional breaches publicized this week:
- In January, “attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it.” (Source: Computerworld, “Identity thieves obtain 100,000 electronic filing PINs from IRS system,” by Lucian Constantin, February 10, 2016)
- And earlier in the week, it was the DOJ that revealed that, “Hackers [ ] published contact information for 20,000 FBI employees [ ] just one day after posting similar data on almost 10,000 Department of Homeland Security employees,” including names, job titles, phone numbers and email addresses. (Source: CNN, “Hackers publish contact info of 20,000 FBI employees,” by Mary Kay Mallonee, February 8, 2016).
These latest breaches come on the heels of numerous other federal agency breaches, most notably the breach of the Office of Personnel Management (“OPM”) announced in June of last year, which involved the records of more than 18 million people (some accounts put the number closer to 21.5 million) and which has been described by federal officials as, “…among the largest breaches of government data in the history of the United States.” (Source: Wikipedia, Office of Personnel Management Data Breach).
Ok, so that’s the bad news. What’s the good news, then? Well, the good news is that apparently (fingers and toes crossed), the feds have gotten the message and are now taking concrete steps to make changes towards securing the data of not only Americans who work for the government, but folks working in the private sector, as well.
According to news reports earlier this week, the Obama administration is taking a number of steps to “step up,” as it were, the cyber defenses of our Nation’s government, and to help guide private enterprise in the same mission. Here is a “short list” of what’s happening and what’s being requested:
- the President sent to Congress a proposed 2017 budget that includes a request for $19 billion for IT upgrades and cyber initiatives (a 35% increase over 2016)
- the President signed two (2) Executive Orders that created two (2) new entities: (a) a Commission on Enhancing National Cybersecurity (CENC), and (b) a Federal Privacy Council (FPC)
- the CENC “will be made up of business, technology, national security and law enforcement leaders who will make recommendations to strengthen online security in the public and private sectors. It will deliver a report to the president by Dec. 1”
- the FPC “will bring together chief privacy officers from 25 federal agencies to coordinate efforts to protect the vast amounts of data the federal government collects and maintains about taxpayers and citizens.”
- “The White House said it also plans to create the new position of Chief Information Security Officer to coordinate modernization efforts across the government, including a $3.1 billion Information Technology Modernization Fund.”
- the Administration’s plans include “training and shared resources among government agencies” and “48 dedicated teams to respond to attacks”
- recruiting top IT talent will also be prioritized and bolstered through student loan forgiveness programs and incentives
- there are also plans to encourage multi-factor authentication and reduce the use of SSNs as unique identifiers for Americans
There is a lot to like in these efforts, which if implemented should go a long way towards securing the private and personal information of millions of Americans. Of course, how long it will take and how effective these “good news” actions will be if and when they’re taken remain unanswered questions, the answers to which will say much about just how serious American elected officials are about cybersecurity and the privacy and security of their constituents.