Lawmakers Want to Give Federal Employees Their Own Cyber Victim Coordinator

Legislation has been introduced to create a new position to help federal employees who are the victims of cyber attacks. The author raises some questions that are not immediately clear from the text of the bill.

Legislation was recently introduced in the House to establish a new position to help federal employees who are the victims of cyber attacks.

As we have seen, the federal government isn’t the best at protecting its employees’ personal data stored within its computer databases. In 2015, the Office of Personnel Management suffered two massive data breaches in which the personal data of over 25 million current and former federal employees was stolen, including information from background checks and fingerprints.

Data breaches such as these led Congressman Anthony Brown (D-MD) to introduce the Cyber VICTIM (Valuing Individual Cybersecurity Through Interagency Measures) Act (H.R. 3403).

“The United States has fallen victim to several cyberattacks in recent years. From the 2014 hack that exposed the information of 800,000 Postal Service workers, to its biggest data breach in 2015 when 21.5 million records including 5.6 million fingerprints were stolen from OPM. While we have taken steps to improve our defenses against future breaches, the federal government must support those who have fallen victim to these attacks,” said Brown.

He added, “We must make it a priority to both protect against information theft and guarantee robust response if an attack occurs. These breaches are becoming much too commonplace. Information theft should not be an occupational hazard of federal employment.”

Interagency Cyber Victim Coordinator

The bill would create a new position to “coordinate efforts to respond to data breaches and other cyber attacks on Federal employees.”

This person would have the following duties:

  • Coordinate activities of the Federal Government relating to incidents of data breaches in which the data of Federal employees, including Social Security numbers, personal financial information, addresses, and other private identifying information, has been compromised, to:
    • Ensure victims receive appropriate response and assistance from the Federal Government; and
    • Ensure synchronization of intelligence and responses among Federal law enforcement agencies to incidents of cyber attacks against Federal employees
  • Chair an interagency working group consisting of appropriate personnel of the Federal Government with purview over response to cyber attacks against Federal employees
  • Ensure sufficient representation of each Federal agency and department at any interagency working group
  • Develop processes and procedures to keep victims informed of efforts to mitigate damage from data breaches and prosecute perpetrators
  • Provide an annual report to Congress summarizing the office’s response to attacks that have occurred throughout the federal government

Some Questions

The legislation as written does not indicate whether this new Interagency Cyber Victim Coordinator would be a temporary or a full-time position. Presumably, it would be a new full-time position designated to help federal employees deal with the repercussions of being victimized by data breaches.

The federal government has established a lousy track record of protecting its computer networks (and therefore its employees’ personal data). However, are cyber attacks really the norm rather than the exception? In other words, does the occasional data breach really warrant a new full time position?

Brown himself said, “We must make it a priority to both protect against information theft and guarantee robust response if an attack occurs.” (emphasis added) This again suggests the new position is more of an insurance policy by having a position in place in case another data breach occurs in the future.

But assuming there is a data breach once every few years, it stands to reason this person would not have a full time job. How would s/he spend the rest of his/her time?

AFGE came out in favor of the bill; the union’s national president J. David Cox said, “Congressman Brown’s legislation would provide for a coordinated federal response to these attacks [2015 OPM data breaches] and any future data breaches targeting federal workers. It is the government’s responsibility to ensure that agencies can respond to these incidents and provide employees with assistance in as timely a manner as possible. This bill will help make that happen, and AFGE thanks Congressman Brown for introducing this important legislation.”

The statement again suggests the position would function more like an insurance policy to have a person on standby when/if future breaches take place.

Assuming the bill even advances, perhaps modifications made to it along the way might clarify some of these missing details.

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He has over 20 years of combined experience in media and government services, having worked at two government contracting firms and an online news and web development company prior to his current role at FedSmith.