The federal government is owning up to the modern-day reality that data breaches, no matter the quality of cyberdefenses in place, are inevitable.
With an eye to future hacks, the government is searching for contractors to keep on call — and it’s prepared to pay at least half a billion over the next five years to manage post-breach cleanup.
A pair of breaches at the Office of Personnel Management last year affected millions of current, former, and prospective federal employees and their families, and demonstrated the federal government’s need to quickly deal with a recurring problem.
After the first breach, which was announced in June, OPM signed a contract with a company called CSID to notify the affected individuals and provide them with identity-protection services. But when a second breach turned out to be more than five times larger in magnitude, the government decided it needed to take a different approach.
Instead of offering another one-off contract, the government is currently soliciting bids for “government-wide identity monitoring data breach response and protection services.”
Those services will include everything from basic credit reporting to in-depth identity monitoring — which involves keeping an eye on sketchy corners of the Internet and court records for a victim’s name, address, and Social Security number — as well as identity-theft insurance and a program that helps restore a victim’s identity in case of fraud.
“It signals an end to the ‘It will never happen here because we have good IT teams’ syndrome,” said Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University.
The General Services Administration, with the help of the Department of Defense, is looking to enter into a five-year “blanket purchase agreement” with multiple contractors. That would allow the government to keep a group of response teams on call for when the data breach hits, and have an agreed-upon pricing structure already in place for when services are needed quickly. The contract winners’ services would be available to all federal agencies.
But while the decision to take on the more complex process is an apparent effort to keep the government from having to scramble after it’s hit with the next big data breach, it comes with some short-term drawbacks.
For one, developing the requirements for the contract took the government many weeks after the scope of the second breach was announced in July, delaying the notification process for the 21.5 million people it affected.
Although the five-year agreement will include multiple contractors, only one will be chosen to deal with the fallout of the most recent OPM data breach. That contractor will have 12 weeks from the date of the award — likely Aug. 21 — to send the millions of notifications, and will offer identity-protection services to the affected individuals at no cost to them. (Bids are due at 8 p.m. on Friday.)
The identity-protection services will last for three years, and will also be available to affected individuals’ dependent minor children, adding 6.4 million to the total number of individuals eligible for service.
Compared to the first round of notifications, which began to go out just days after the agency announced the first breach, the second round of notifications is significantly delayed. The late-August contract award means that by the time notifications begin to be sent, more than a month and a half will have passed since the second breach was announced in July.
Further, the five-year agreement will not be cheap. The government estimates the contract is worth $500 million, but stipulated that its estimate is “not a ceiling” and that the total cost could “exceed this amount without modification to the [contract].”
That’s compared to the roughly $20 million cost of sending more than 4 million notifications and covering approximately 1 million individuals who signed up for identity-protection services after the first data breach. Acting OPM Director Beth Cobert asked federal agencies last month to pitch in to help fund the cost of the services.
The personnel agency was criticized after its first data breach for how its contractor, CSID, handled the notification and sign-up process. Notification emails and letters arrived in fits and starts, and lawmakers complained that their constituents were subjected to long wait times when they called in to a public hotline for more information.
In a media blitz after the first round of notifications was complete, CSID President Joe Ross told the press many of the problems his company ran into were really the government’s fault. He said the long call-center wait times, for example, were the result of a decision to make the hotline public, which inundated representatives with calls from people worried they had been affected by the hack.
The new contract — which was developed by a task force staffed by representatives from OPM, DOD, GSA, the Office of Management and Budget, the Department of Homeland Security, and the Federal Trade Commission — specifically requires that contractors’ call-center wait times not exceed an average of 10 minutes.
And because several legislative proposals have been put forward that would lengthen the terms of breach-response services or increase the amount of identity-fraud insurance offered to affected individuals, the request for bids was designed with the flexibility to “accommodate legislative or other changes,” according to an addendum with answers to frequently asked questions.
But simply having a system in place to easily provide breach victims with monitoring and protection is not enough, Toregas said in an email.
“We need to take seriously the almost total lack of awareness of cyber threats and good cyber hygiene, and organize (sadly after the fact) a way to bring some awareness and knowledge to the American public,” he wrote.