Rep. Will Hurd, R-Texas, a former cybersecurity executive, says the federal government is hypocritical when it comes to accountability for data breaches, like the two massive ones at the Office of Personnel Management.
Those breaches put sensitive information about 21.5 million Americans in the hands of hackers.
"The hypocrisy is that while the government leaves its networks and the data of millions of Americans at risk, it fines private companies for security breaches," the former CIA officer writes in an op-ed scheduled to run in the Wall Street Journal Saturday. "Last year the Department of Health and Human Services levied a $4.8 million fine against New York Presbyterian Hospital and Columbia University Medical Center for a security breach that left 6,800 people's medical records open to the Internet and visible from search engines.
"In its 2014 review, the Federal Trade Commission boasted that it had brought more than 50 cases against companies that put consumers' personal data at unreasonable risk," he writes.
Hurd chastised former OPM Director Katherine Archuleta for ignoring warnings from her inspector general dating back to 2010 — something that wouldn't happen in the private sector, the House Oversight and Government Reform IT subcommittee chairman writes.
"Often high-risk problems were fixed even before our final report was written," he said about when he conducted security reviews for private companies. "Why? Because the private sector is held accountable — by shareholders and the public, by civil or criminal litigation, and by the market forces that drive the economy."
He points out that Target's CEO and board chairman both stepped down after the retailer's files were hacked, compromising 70 million customers' account information.
"If federal agencies wish to provide effective oversight of the private sector, then they should start by looking in the mirror," Hurd wrote. "Other agencies have the same problems as the OPM, deploying outdated legacy systems and exercising poor cyber-hygiene. In the wake of this data breach, the heads of other agencies should pull out their own inspector-general reports and begin to address their vulnerabilities."
Before Archuleta stepped down earlier this month, she ordered OPM to suspend its electronic system for processing government background checks and temporarily return to paper questionnaires as a precaution. The Electronic Questionnaires for Investigations Processing system, or e-QIP, has been offline since June 26, when OPM determined that the web-based platform was vulnerable to hacking.
On Thursday, OPM said potential federal workers and contractors who need security clearances to do their jobs could resume using e-QIP.
In doing so, the federal government's human resources department stressed again that e-QIP was never actually hacked.
"This action was not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited," OPM spokesman Sam Schumach said in a statement. "The system has been brought back online less than four weeks after being taken down, and OPM is working closely with agencies to re-enable e-QIP users incrementally in an effort to resume this service in an efficient and orderly way.
"Based on the security enhancements and the extensive testing that has been completed, OPM is re-enabling access to e-QIP with confidence in the security of the system," he added.
As OPM continues dealing with the technical fallout, the Senate Appropriations Committee worked on the ramifications for the people affected by the breaches.
On Thursday appropriators added a provision into the 2016 financial services and general government spending bill to offer the 21.5 million Americans whose information was compromised 10 years of credit monitoring services and $5 million in liability insurance for identity theft-related losses.
Originally, OPM offered 18 months of credit monitoring and $1 million in liability insurance. It has since upped the credit monitoring to three years.