Warning came too late for millions of hacked workers

It’s disturbing enough to discover that hackers were able to steal millions of federal employees’ personnel files, including such information as Social Security numbers.

But what’s at least as troubling is learning that the government’s technological infrastructure is as badly out of date as the nation’s physical infrastructure and so ill-equipped to withstand an attack by a foreign government.

The New York Times reports that the inspector general of the federal Office of Personnel Management – which keeps records and security clearance information for current and retired employees – warned in November that the agency’s computer system was vulnerable to hacking. In fact, hackers by then had already made one data raid and soon would make a bigger, much more fruitful attack, gaining personal information on at least four million employees. The scale of the breach was “staggering,” says a congressman on the House Intelligence Committee.

Some of the information could allow the hackers – at this point believed to be private contractors working on behalf of the Chinese government – to access emails of employees directly involved with security clearance. Among other things, that would allow China to identify an employee’s foreign contacts or learn compromising information about employees who could be recruited as spies.

It could also give foreign agents clues that could be useful for accessing more secure accounts and gaining access to classified information. Trying to hack into someone’s account becomes much easier if you have a birth date, children’s names, city of birth, schools attended, and other information commonly used in passwords and security questions.

To adopt basic authentication protocols common in the private sector would have required computer upgrades in what one agency official described as an “antiquated environment.” That process was so difficult and time-consuming that only the most urgent vulnerabilities could be addressed. In fact, the data breach was discovered when security upgrades were being installed.

Cybersecurity must be a higher priority for government. It’s moving up installation of a new defense system, dubbed “Einstein,” from 2018 to 2016. But no one was willing to say whether that would have prevented this recent breach.

The OPM data breach is not unusual; similar attacks by industrial spies have targeted corporations, and criminals have hacked into companies like Target to steal customer information.

On Monday, President Obama said to expect more such attacks on government and civilian databases because both criminals and foreign governments are “sending everything they’ve got trying to breach those systems,” which he described as “very old.”

Clearly what’s needed is updated equipment and technical expertise that affords better protection against foreign hack attacks. But Americans must recognize that 100 percent cybersecurity probably isn't a realistic expectation, either for governments or for individuals.

Everything we do to make it easier for us to access our online accounts – using the same, easy-to-remember passwords, for instance – also makes it easier for hackers. The best we can probably hope for is to try to stay one step ahead of people whose entire focus is on getting at our information and take steps to minimize the effects of the almost inevitable breaches.