“I’ve got nothing to hide,” is a phrase commonly spoken by supporters of government surveillance and those too apathetic to protect themselves against it. It’s a phrase only spoken by the ignorant. With each working professional committing an average of three felonies a day there are no grounds for anybody to claim they have nothing to hide from the government. But even those who don’t believe they have anything to hide from the government likely feel as though they have something to hide from the general public. With the breach of the Office of Personnel Management’s (OPM) network we were shown another important fact: the government’s network security is in such a poor state that any data it collects could be leaked to the general public.
Now we’re learning that the OPM wasn’t the only government agency with deplorable network security. It’s a chronic problem within the government:
Under a 2002 law, federal agencies are supposed to meet a minimum set of information security standards and have annual audits of their cybersecurity practices. OPM’s reviews showed years of problems.
But the issue is far more widespread than with just one agency. According to the Government Accountability Office, 19 of 24 major agencies have declared cybersecurity a “significant deficiency” or a “material weakness.” Problems range from a need for better oversight of information technology contractors to improving how agencies respond to breaches of personal information, according to GAO.
“Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information will be at an increased risk of compromise from cyber-based attacks and other threats,” the watchdog agency said in a report earlier this month.
A large majority of major agencies have declare their network security to be unfit. In addition to general network security there are also concerns about overseeing contractors; which is pretty legitimate after Edward Snowden, an at the time contractor, walked off with a lot of National Security Agency (NSA) secrets; and abilities to respond to breaches.
Many mass surveillance apologists have pointed out that the OPM isn’t exactly the NSA because they assume the latter has far better security. As I mentioned above, Edward Snowden proved otherwise. And even if some agencies do have effect network security the problem of inter-agency sharing is a real concern. Assume the Internal Revenue Service (IRS) actually has adequate network security but it shares information with the OPM. In the end the data held by the IRS is still acquired by malicious hackers because they were able to compromise an agency that also held the data. Security is only as strong as the weakest link.
The next time somebody claims they have nothing to hide from the government ask them to post all of their personal information to Pastebin. If they’re not willing to do that then they should be concerned about government surveillance considering the state of its networks.