Markets In Action

OPM Hack Shows Need for Stronger Cybersecurity. So Why Is Congress Stalling?

In early June, the U.S. Office of Personnel Management (OPM) announced the agency’s servers had been hit by hackers, who accessed personal data on millions of federal employees, in what may be one of the most significant data breaches in history.

The scope and sophistication of the OPM attack, only the latest in a long string of cyberattacks on public and private sector entities, raises a critical question: When will Washington get serious about addressing cybersecurity?

According to OPM, the agency responsible for federal workforce management, the reported breach of the agency’s systems has exposed the personal information of more than 4.2 million past and present federal employees. Other reports indicate the actual number may be much greater—FBI officials have said the total could go as high as 18 million. According to the Washington Post, the White House estimates that the hacks may have exposed sensitive information about at least 22.1 million people. OPM Director Katherine Archuleta was forced to resign as a result.

The origin of the OPM attack remains unclear, according to media reports, though speculation centers on China as the source. Regardless of who’s responsible, it represents a particularly brazen attack on the personal data of millions of American taxpayers.

If there was ever a time for Congress and the Obama administration to focus on action to strengthen the nation’s cybersecurity defenses, the OPM breach has made it undeniably clear—that time is now.

But after a promising start earlier this year, which saw both Congress and the administration embracing the push for stronger cyber protections and improved information sharing, the effort has stalled. It’s time to get moving on this critical priority to protect both business and consumers.

Cyberattacks: Growth of a Troubling Trend

The OPM hack is only the latest incident in this troubling trend. In recent months, institutions of every type have been targeted, with data breaches reported by health care organizations, universities, retailers and other corporate leaders, non-profit organizations, government agencies and others.

And it’s not just the big players getting hit —a June 11 article in The New York Times detailed how small businesses are also increasingly targeted.

“Cybercrime traditionally has been more a scattershot approach,” Nart Villeneuve, a threat intelligence analyst with the security firm FireEye, tells the Times. “But they are going after large and small retailers and restaurants and point-of-sale companies that service them.”

The trend line is clear, and the steady drumbeat of media reports about cybercrime in recent years has understandably heightened public anxiety.

In October, Gallup reported that Americans fear being hacked more than any other crime—69 percent said that having their credit card information stolen was the crime they worried about most.

“Americans may be more worried about hacking because a relatively high percentage of them say they have had their information hacked,” Gallup explained. “A quarter of Americans, 27%, say they or another household member had information from a credit card used at a store stolen by computer hackers during the last year – making this the most frequently experienced crime on a list of nine crimes. Eleven percent say they or a household member have had their computer or smartphone hacked in the last year, also in the top half of crimes on the list.”

Keep in mind that those polling results are from last fall—months before the OPM attack was discovered and reported. It’s likely that Americans are only growing more concerned as the attacks grow in size, frequency and sophistication.

And of course, the implications of data breaches extend far beyond the realm of personal privacy—cyberattacks also raise serious concerns for national security. In a 2014 survey of national security experts, 45 percent cited cyberattacks as the top threat to the nation’s security.

It’s important to remember that most cyberattacks fail, thanks in part of the strong system of protocols that industry has developed to thwart hackers.

But that doesn’t mean we can rest on our laurels, because the reality is that hackers who fail at first don’t just give up. They keep working to refine their lines of attack and to seek out new vulnerabilities.

In response, industry and government must work together to harden our defenses and strengthen our response.

The Need for Action

Given those stakes, it’s disappointing that Congress and the Obama administration have thus far failed to move the ball forward on cybersecurity.

Earlier this year, President Obama rolled out a promising agenda of cybersecurity proposals and hosted a White House summit on the issue.

The Securities Industry and Financial Markets Association (SIFMA), along with an array of leaders from the financial industry and broader business community, welcomed the president’s proposals, and have lent strong support to the push for cybersecurity.

“We have long encouraged Congress to pass cybersecurity legislation that strengthens our nation’s cyberdefenses by codifying liability protections that promote enhanced information sharing between the industry and government while balancing the need for important privacy protections for individuals,” SIFMA president and CEO Kenneth E. Bentsen said earlier this year. “The industry remains committed to doing everything it can to prepare for and defend against a cyberattack.”

And the industry is not just standing on the sidelines calling on Washington to “do something.” SIFMA has also led the way in articulating cybersecurity standards for regulators, conducting broad-based cyberattack simulations to test existing systems, and developing IT security guidance for small firms.

That’s why it’s important that Congress move to pass legislation to build upon these efforts.

Unfortunately, progress on cybersecurity in Washington has been halting—despite the fact that most are in agreement that it’s desperately needed. The House passed the Protecting Cyber Networks Act in April, but on the Senate side, the similar Cybersecurity Information Sharing Act (CISA) has been stalled by partisan disputes.

SIFMA and other leading industry organizations have urged the Senate to pass CISA, which would help to increase and encourage cyberthreat information sharing among businesses, the government and law enforcement, helping financial institutions and other sectors mitigate cyberattacks and protect consumers.

The size and scope of the OPM hack make it clear we can’t afford to wait and neither can we rely on government alone to take action. Solutions will require a collaborative effort by the public and private sectors.

Stronger liability protections and information-sharing measures will be a step in the right direction toward protecting both businesses and consumers—which is why Congress and the Obama administration should move swiftly to make these bills a reality.