The magnitude of the Office of Personnel Management breaches grows worse by the week.
When news of the breach broke in June, OPM officials said more than 4 million current and former federal employees and federal job seekers might have had their personal data compromised. Now, government officials acknowledge the figure is more than 21 million. That means 1 in 15 Americans is directly affected by these hacks. But when you count the families of those who have been exposed, the actual number is far higher. And sources familiar with the situation say that what has been acknowledged publicly may only be the tip of the iceberg.
So, it's shocking that the Senate is considering a cybersecurity bill that would inevitably lead to government agencies collecting and storing even more sensitive information on still more Americans. If the bill is passed, it means that any future data breach could be far more catastrophic as many more Americans' data could be compromised.
The Cybersecurity Information Sharing Act (CISA) is the brainchild of Sen. Richard Burr (R) of North Carolina, chairman of the Senate Intelligence Committee. While he has touted the bill as paving the way for government and industry to trade valuable information about cybersecurity threats, critics have called it a surveillance bill in disguise. Earlier this year, dozens of civil society organizations, including X-Lab (Editor's note: Sascha Meinrath heads X-Lab), issued a letter blasting it as a de facto "back door" for dramatically expanding domestic surveillance because it would create new mechanisms for collecting Americans' data.
After reading the latest version of this bill, not only do we agree with this assessment, but our critique goes much further.
CISA authorizes Internet service providers to share virtually unlimited personal identifying information (PII) on huge numbers of individuals based upon undefined "cyberthreat indicators," all without judicial review or any indication of actual wrongdoing (e.g., guilt by association would likely be enough to target both you and everyone you know).
Our colleague, Jennifer Granick, spelled out some of the implications. "Imagine you are the target of a phishing attack: Someone sends you an e-mail attachment containing malware. Your e-mail service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security (DHS), and they’re curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your e-mail company please share all your e-mails with the government? Knowing more about you, investigators might better understand the attack."
Not only is that scenario likely, but by collecting personal information and storing it in a massive government data warehouse, CISA will dramatically increase everyone's vulnerability in future hacking attacks.
Given the federal government’s abysmal track record when it comes to protecting its own data, the likelihood of another serious breach remains high. In essence, CISA will make everything you do and say online less safe and more susceptible to government eavesdropping.
In short, CISA is anti-cybersecurity and it’s a recipe for making existing problems far worse.
Fortunately, solutions exist for helping prevent the kinds of data breaches that are currently plaguing our government, and they don’t necessarily require Congress to pass new laws. Instead, we need government to take a fundamentally different approach to data and cybersecurity.
As former OPM director Katherine Archuleta told a Senate committee in June before her resignation, one of the OPM breaches occurred because an outside contractor’s username and password were compromised – giving the hackers seemingly legitimate and widespread access to government databases. But left unanswered was why so much personal information on federal employees, retirees, or job seekers was available to a single user in the first place.
Likewise, this breach makes clear that this information is not encrypted within these databases by default, and does not require separate access to an encryption key to unlock someone's file or otherwise access their data. That should be the case given the highly sensitive nature of this information. It’s also fair to ask why OPM and other federal agencies with sensitive information aren’t investing resources in encryption concepts that hold the promise of making databases more secure.
In 2009, IBM researcher Craig Gentry developed the first functioning form of homomorphic encryption – a kind of encryption that allows someone to query encrypted information for a specific piece of data without that data being decrypted and putting that information at risk of exposure. Mr. Gentry’s work is ongoing, and there are still some implementation challenges to overcome, but his approach is extremely promising and it should be a key area of focus for both government and private sector efforts to secure databases containing personal information.
In the meantime, the federal government should avoid implementing ill-conceived "information sharing" surveillance schemes like CISA, cease and desist from its efforts to undermine public key encryption, and terminate existing mass surveillance programs that accumulate more personal information on government IT systems that have proven time and again to be insecure and that have done almost nothing to protect us from terrorist threats.
Patrick G. Eddington is a policy analyst in Homeland Security and Civil Liberties at the Cato Institute, and an assistant professor in the Security Studies Program at Georgetown University. Follow him on Twitter @PGEddington.
Sascha Meinrath is the director of X-Lab, a tech policy think tank, and a cofounder of the Civil Liberties Coalition, a pan-partisan coalition that fights to ensure that surveillance does not infringe upon our fundamental constitutional rights. Follow him on Twitter @saschameinrath.