OPM ID Theft Monitoring: Waste of Money?
If China Stole OPM Secrets, Funds Should Go Toward Stopping the Next Attack
At the risk of offending victims of the U.S. Office of Personnel Management breach - more than 20 million individuals and counting - if an espionage agency stole their data, as senior White House officials appear to have confirmed, then spending millions of dollars on identity theft monitoring services for victims is a waste of money.
That's because, in that scenario, the stolen data would be socked away in some type of "big data" espionage database - most likely operated by the Chinese - to be used to profile "persons of interest" to intelligence agencies. Accordingly, there would be nearly zero chance that the stolen data would ever be bought or sold on underground forums, allowing criminals to commit fraud or identity theft. Hence, there would be no need for ID theft monitoring.
But here's how OPM has pitched the prepaid ID theft monitoring services: "We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future," Beth Cobert, who's serving as OPM's acting director, said earlier this month. That's when the government announced that it would be spending $133 million for Identity Theft Guard Solutions - which does business as ID Experts - to provide ID theft monitoring services to victims of the background-records breach (see OPM Breach Notifications: 21.5 Million Are Still Waiting).
Cybercrime vs. Espionage
Cobert's choice of language here is interesting - and potentially erroneous - because it is not clear that criminals were behind the attack. Instead, some top officials have suggested that the hack was an act of espionage, perhaps to help Chinese spy agencies better identify who might be working for U.S. intelligence agencies, or who Chinese spies might want to recruit. Notably, U.S. Director of National Intelligence James Clapper told a Washington intelligence conference in June that China is the "leading suspect" behind the OPM breach, although the Chinese government continues to deny that assertion.
Testifying before Congress Sept. 10, Clapper repeatedly said that he would not characterize the OPM breach as an attack. "There was no destruction of data or manipulation of data," Clapper told legislators. "It was simply stolen - so that's a passive intelligence collection activity, just as we do."
I asked ID Experts if it expects to see any actual ID theft associated with the data stolen from OPM - given China's suspected involvement - but the company declined to comment. If the Chinese government was responsible, however, the upside for OPM victims is that there's little chance that their personal details would ever get leaked, meaning that the $133 million could have been put to much better use, such as beefing up cybersecurity at OPM and other agencies.
Multiple security and privacy experts have voiced similar concerns. "I feel the money spent on ID theft monitoring would be better served being spent on better security controls within organizations, promoting and supporting public cybersecurity awareness campaigns, or building better threat sharing frameworks for businesses to better identify threats," Dublin-based information security consultant and Europol cybersecurity adviser Brian Honan tells me. "At this stage, most people will have multiple ID theft plans, given the spate of breaches."
American Civil Liberties Union principal technologist Christopher Soghoian voiced similar concerns back in July after a Senate panel voted to extend the credit monitoring offered to OPM victims to 10 years, and to include $5 million in liability protection. "Do we think China is going to sell the OPM data to identity thieves? How is this anything but a waste of money?" Soghoian tweeted.
Of course, spending $133 million is an easy way to appear to be doing something about the breach. Lots of culpability for the breach should be allocated to Congress, which has oversight of agencies' cybersecurity practices. Legislators could have been reading - and acting on - OPM Inspector General reports that had warned, for years, that the agency's information security practices were deficient (see Analysis: Why the OPM Breach Is So Bad). Awarding a $133 million contract for ID theft protection after the fact is no fix.
To be clear, if I were an OPM data breach victim, then my gut reaction might be to demand that the agency not only give me identity theft monitoring services, but also get its information security house in order, as multiple lawsuits are attempting to do (see OPM Sued Again ... This Time by a Judge).
Many victims - as with any breach - feel that someone should pay, both figuratively and literally, to clean up the damage. Given OPM's delay in offering three years of prepaid ID theft monitoring services to 21.5 million victims, some victims report that they have already begun paying out of pocket for ID monitoring services too.
And as with every data breach - OPM included - it is a travesty that the people whose data was exposed in the breach now have to keep policing their payment card statements, credit reports, insurance claims and so many other aspects of their life, just because somebody else screwed up. But if the White House, which was quick to blame the hack of Sony Pictures Entertainment on "North Korea actors," thinks it knows who hacked OPM, and if it was a case of "spy versus spy," then the best way to serve OPM breach victims - and by extension all government workers - is not to waste money on ID theft monitoring services. Instead, allocate the funds to ensure that OPM and other agencies can repel tomorrow's hack attacks.