OPM Data Breach Does Not Justify Latest Cybersecurity Legislation

If no two data breaches are alike, then the United States Office of Personnel Management hack’s unique identifier is the nearly instantaneous uproar it caused in Washington. The OPM breach, which was made public on Thursday, June 4, is believed to have compromised the personally identifiable information (PII) of approximately 4 million former and current government employees. At risk are employee records, which include names, Social Security Numbers, dates and places of birth, current and former addresses, job assignments, training records, and benefit selection decisions. 

Although China has been implicated as the responsible party, Washington is looking much closer to home for someone to blame.

On Friday, White House press secretary Josh Earnest pointed fingers at Congress: “We need not just improved efforts on the part of the federal government, but improved coordination with the private sector on these matters, and that effort to coordinate requires congressional action. The fact is, we need the United States Congress to come out of the Dark Ages and come into the 21st century to make sure we have the kinds of defenses that are necessary to protect a modern computer system.”

President Obama reiterated Earnest’s message on Monday from the G7 Summit in Germany: “We have known for a long time that there are significant vulnerabilities and that these vulnerabilities are going to accelerate as time goes by, both in systems within government and within the private sector. This is why it is so important that Congress moves forward on passing cybersecurity legislation that we’ve been pushing for.” Obama concluded with a call for government to be more aggressive, attentive and well-resourced.

The most immediate piece of legislation Earnest and Obama are referring to is the Cybersecurity Information Sharing Act (CISA), which has found itself conveniently in the spotlight following last week’s hack. On Tuesday, Senate Majority Leader Mitch McConnell capitalized on Washington’s newfound momentum and proposed rolling CISA into defense legislation currently under debate.

To counter the hype, Senator Ron Wyden—the Senate Intelligence Committee dissenter who called CISA “a surveillance bill by another name”—reminded us that this particular legislation will not actually protect Americans from future data breaches: “The so-called cybersecurity legislation in the Senate creates new ways for the government to sift through Americans’ private information without a warrant, and lacks the privacy protections necessary to safeguard private data. Even worse, the bill gives corporations blanket immunity for providing information to the federal government, and would prohibit that data from being used to regulate those corporations, but it would allow federal law-enforcement agencies to go after Americans for unrelated crimes based on this data.  I reject the notion that corporate privacy is more important than individual privacy.

"Finally, although I believe sharing information about cyber-threats is a worthy goal, it is unlikely that information sharing by private companies would have made any significant difference in protecting federal employee data. That's why cybersecurity experts say that passing a bill like this will do little to reduce security breaches."

The OPM hack has thrown Washington into an uncharacteristic flurry of panicked activity. If McConnell is successful in pushing CISA through Congress, the United States will need to accept that the post-Patriot Act era has not yet arrived.