Friday, April 7, 2017

URSP Student Clara Currier Investigates the OPM Data Breach

The US House finished their investigation on the Office of Personnel Management (OPM) data breach and published the majority report on September 7th, 2016. Reading through it, one would get the impression that the leaders of that agency were completely incompetent in allowing Chinese hackers to steal the security clearance information of 21 million people. I wondered if it was really that simple. After reading books by Charles Perrow and Joseph Tainter, who both wrote on catastrophic failures in large organizations due to complexity, I began to suspect that this event was not caused by incompetence but by something deeper. It is possible that we misunderstand the nature of cyber attacks and system vulnerability so fundamentally that the OPM hack was inevitable in our current culture of cyber security.

This question has led me on a long and winding journey through multiple decades’ worth of accident and disaster literature. I read reports almost every day about tragedies that sociologists and engineers have spent years analyzing, such as Three Mile Island and Challenger. My goal is to better understand what happened in OPM by looking for similarities with other large-scale organizational failures. At times, it can feel like I am running in circles. I often rotate between a variety of theories. Books and articles I read refute each other frequently, and judging who is most convincing is difficult. At the time of writing, I suspect that it was not the inherent size of OPM that caused the issues per se, but an internal breakdown in communication caused by something akin to office politics.

Cyber defense is a craft within a complex system. It faces an onslaught and is prone to catastrophic failure. How we treat information systems and cyber threats inside of large organizations like government agencies can now influence the course of geopolitics. By continuing the discussion on OPM, I hope to encourage officials and policymakers to consider more thoroughly the ramifications of security and organizational policy.