An inspector general report last year had advised OPM to shut down many of its computer systems because they were running without sufficient security. The agency ignored that recommendation.
In the audit report published November 12, 2014, OIG found that 11 out of 47 computer systems operated by OPM did not have current security authorizations. Furthermore, the affected systems were “amongst the most critical and sensitive applications owned by the agency.” Two of the unauthorized systems are described in the report as “general support systems” which contained over 65 percent of all OPM computer applications. Two other unauthorized systems were owned by Federal Investigative Services, the organization which handles background investigations in connection with government security clearances. OIG warned bluntly, “any weaknesses in the information systems supporting this program office could potentially have national security implications.”
Because of the volume and sensitivity of the information involved, OIG recommended OPM “consider shutting down systems that do not have a current and valid Authorization.” But OPM declined, saying, “We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”
The head of OPM also claimed in recent House hearings that their failure to close these systems down was justified since the hackers were already in the system when the recommendation was made.
In other words, we didn’t do anything to make the system secure, and when hackers broke in it was further justification for not doing anything.
Yeah, let’s put our healthcare under their control also!