Full dollar cost of OPM breach still a giant unknown
When you add up credit monitoring costs and cybersecurity spending, fallout from the OPM breach could potentially rocket past $1 billion. How much will be well spent? And what unknown costs are lurking?
With the long-awaited announcement of a second contract for credit monitoring and other mitigation services at the beginning of this month, it might seem as if Uncle Sam can close the Office of Personnel Management breach ledger.
But the number OPM trumpeted on Sept. 1 – $133 million – doesn’t begin to tell the whole story.
The true costs of the breach will be much greater – and many of them remain unknown.
Credit monitoring is pricey – and maybe unnecessary
The Sept. 1 award to Identity Theft Guard Solutions LLC, doing business as ID Experts, will cover credit monitoring and identity theft insurance up to $1 million for all of the affected feds, civilians and their dependent children (roughly 28 million people).
Fully executed, the contract will cost the government just shy of $330 million through December 2018.
But of course, that’s not the full cost of credit monitoring services generated by the OPM breach. Despite the fact that the massive exfiltration of personal data was one sustained assault, OPM classified the debacle as two separate breaches, and awarded a $20 million contract for the mitigation of the “first” breach (affecting roughly 4 million people) in a single week to the firm CSID.
CSID’s work was plagued with problems, and Sen. Mark R. Warner (D-Va.) remarked that the lightning turnaround was “highly unusual,” echoing other calls for an investigation into the award process.
In response, OPM went to the opposite end of the spectrum for the second round, enlisting the help of the General Services Administration and Naval Sea Systems Command and taking months to award the contract.
The resulting contract for $330 million fell under the umbrella of a five-year, $500 million GSA blanket purchase agreement.
Key differences between the “first” and “second” breach response contracts: The CSID contract covers only 18 months of services, while the ID Experts contract covers three years. In the former, CSID had to provide notifications to individuals while in the second, ID Experts is off the hook because the Defense Department will issue notifications.
That’s another eventual cost.
DoD will bill the rest of the government for notifications
Beth Cobert, OPM’s acting director, surprised the rest of the government when she penned a July memo informing other agencies they would have to pitch in for credit monitoring. Each agency’s “portion” will be based on the number of affected individuals from each agency, Cobert wrote, though some have noted those numbers would be difficult if not impossible to break down accurately.
The ultimate divisions are still up in the air, but Federal News Radio reported last month that the DoD, likely the outfit with the biggest chunk of potential victims, will pony up $132 million as its share of the credit monitoring costs.
But DoD will get some back by taking a cut for providing the newest round of notifications.
“The costs for these services are still being determined,” DoD spokesperson Valerie Henderson told FCW. “Once determined, OPM will provide DoD funds from the OPM account that contains funds from all government agencies impacted by the recent OPM cybersecurity incident.”
Millions in lifetimes of costs?
Further complicating the cost analysis: the prospect of lifetime credit monitoring.
In lawsuits filed against OPM and OPM officials, the American Federation of Government Employees and the National Treasury Employees Union have both called for the government to provide feds with lifetime protection.
Those suits are still working their way through the courts, but should either prove successful, they would present an additional cost – and it seems no one’s quite sure how much.
OPM spokesperson Sam Schumach told FCW that OPM had not produced a cost estimate for providing individuals with lifetime credit monitoring. The Office of Management and Budget did not return a request for comment on the issue, and both the unions said they had not produced their own cost estimates.
“NTEU continues to pursue lifetime coverage,” affirmed Anthony Reardon, NTEU president, in a statement to FCW. An NTEU spokesperson added, “NTEU does not have a cost estimate.”
“AFGE stands by its demand for lifetime credit monitoring,” an AFGE spokesperson said, adding that the government can only blame itself for any costs incurred.
“We have not produced a cost estimate of such monitoring, but any concern for the cost of remediating the breach went out the window with our members’ personal data,” the spokesperson said. “If the government was concerned about the costs, the time to address that was before the breach, when cost-effective measures could still have been taken to protect our data.”
What’s the use?
The final piece of the puzzle is cybersecurity improvement costs.
Those could be high – OPM’s infrastructure modernization project could top $100 million alone, and that’s to say nothing of cyber sprint costs – but those are costs that likely would have been incurred eventually anyway. Most of the truly “new” costs are associated with credit monitoring and identity theft insurance, and they may prove to be a wasted expense.
“It gives you a false sense of security, a false sense of hope,” said longtime federal consultant Larry Allen. “I don’t think that credit monitoring is going to do much for anyone.”
From the beginning, security experts have been warning that the OPM attack is probably not aimed at exploiting individuals’ financial data.
“The people who hacked this data weren’t after your credit score or the ability to open a MasterCard,” Allen said, noting that if the culprit is the Chinese government, as officials have indicated, then the stolen data will likely be used for blackmail and other, yet unknown espionage purposes.
Maybe credit monitoring won’t help protect anybody, but it could help make exposed individuals feel “loved” by Uncle Sam and less likely to flip when foreign intelligence agencies come calling, Allen posited.
“It’s something,” Allen said of credit monitoring services. “It’s like a gift bag. It doesn’t really matter what’s in it, it’s the thought that counts.”
But ultimately, all the credit monitoring in the world won’t fix America’s underlying security issues, he added.
“Way too many people have security clearances today that don’t need them,” Allen said, noting the massive trove of clearance information made an irresistible, valuable target for foreign adversaries.
The government needs to focus on modernizing systems and culling the ranks of those who hold clearances and privileged access to federal systems, Allen said. “That’s where the investment has to come.”