How the Largest Employer in the U.S. Fares on Cybersecurity

When it comes to cybersecurity, large organizations have to be vigilant to prevent a single hack or intrusion from turning into a disaster. As we heard in class last week, high-profile hacks of notable companies have led to significant consequences. The hackers who compromised Target’s databases in 2013 gained access to 40 million credit card numbers, leading to an $18.5 million fine and the resignation of Target’s CEO, Gregg Steinhafel [1]. In 2015, the health insurance giant Anthem reported that nearly 80 million of its customers had been affected by a security breach, exposing personal information such as names, birthdays, and social security numbers [2]. With the dangers of cyber intrusions, it seems fair to evaluate companies on how well they are doing on cybersecurity. Let’s take a look at the largest employer in the United States, which currently employs over 2.7 million people. Can you guess who it is?

You might have guessed Walmart, which would be a good guess, as Walmart employs about 2.3 million people. However, the largest employer would be the U.S. Federal Government, a massive sprawling bureaucracy that encompasses a myriad of federal agencies. With such a large organization, cybersecurity should be a priority, as not only would an attack that takes down federal government computer systems be highly disruptive to our day-to-day lives, it would also possibly compromise vast troves of sensitive information about American citizens. So how has the government done on its recent cybersecurity scorecard?

Unfortunately, we see some very glaring, troubling issues with the way that the government approaches its cybersecurity commitments. As a government employee, I received an unwelcome letter in 2015 telling me that my personal information had been exposed. I was just one of 21.5 million government employees and applicants affected by the breach of the Office of Personnel Management (OPM), the master federal government agency for keeping personnel records for hiring, identity, and security clearances. Information going back almost 30 years was compromised [3]. So far, not too great.

Part of the problem comes from aging IT infrastructure. We heard from Richard Rogers, the CTO of California, about how many aging legacy systems exist in the State of California’s government. At the federal government level, this problem is even worse. As consumers, we are aware that our computers, phones, and other devices have limited lifespans. Most of us don’t think much about replacing and upgrading our devices every couple of years, as they begin to slow down or lose battery life. It is not so simple for the federal government, which finds itself with millions of outdated, aging pieces of hardware to replace every couple of years. Often, the government defers and delays necessary upgrades. Over at the Department of Defense, the U.S. Navy paid Microsoft millions to continue supporting Windows XP in 2015, as many systems which support critical command and control systems have not been tested for use with more modern operating systems [4]. Microsoft stopped supporting Windows XP in 2014, making the operating system highly vulnerable to cyberattacks. Strike 2.

I don’t think it would be too difficult to find a third, or fourth, or fifth example of poor cybersecurity at the federal level. I’m sure you can find plenty of examples of slow, outdated, insecure systems in the various branches of the federal government. The point is, every large organization has cybersecurity challenges. The federal government has some very serious ones, exacerbated by shrinking budgets. Until the federal government gets serious about fixing these major cybersecurity flaws, we continually leave an important part of our lives open to attack. If the recent Mark Zuckerberg hearing at Congress tells us anything, it may take some serious public prodding to make things right.