The resignation of the head of the U.S. Office of Personnel Management in the wake of a staggering cyber attack by hackers thought to be operating in China leaves deep-seated cyber security problems at the agency and across the federal government unsolved.
Members of Congress in both parties had been calling for Katherine Archuleta, the agency’s head, to step down since the agency first disclosed a massive hack of government personnel databases containing personal information on millions of current and former federal employees.
As the reports on the number of affected people grew from four million to north of 21 million on Thursday, Archuleta, who had previously resisted calls to resign, had little choice as political pressure grew. Now it will be up to President Obama to appoint, and for Congress to confirm, a new head of the agency who will be charged with the thankless job of cleaning up the resulting mess and ensuring that nothing like it ever happens again.
The odds will not be in that person’s favor. The federal government’s problems with computer security won’t be easily solved with changes at the top. Reports by the Government Accountability Office dating back to at least 2011 identified a cyber security “skills gap” among federal workers at numerous agencies.
The report cited cyber security as one of six “mission critical skills gaps” detected within the federal workforce and said it posed a “high risk to the nation.”
An earlier GAO report released in 2011 found that agencies struggled to hire technically competent employees in part because their hiring processes were slow and complex, and because they couldn’t pay them enough to stay on the job. Several agencies tried to address the problem, but did so inconsistently and didn’t coordinate well, often duplicating their efforts.
The problem with adequate staffing is just another way that federal agencies suck at securing their computer systems. Government agencies rank dead last when compared to the private sector in fixing security holes in the software they use, in part because there are often no regulations requiring them to do so in a timely manner or even at all.
The attack on the OPM systems was first discovered in April and initially concerned some four million current and former federal employees. Rumors about larger numbers circulated right away and were eventually confirmed on Thursday when the OPM said that a second breach discovered while investigating the first may have compromised the information on 21.5 million people.
The larger breach included information collected for background investigations used in granting security clearances required for government jobs. The breach also included personal information on nearly two million spouses and co-habitants of those applicants, the agency said. More than a million of those records included fingerprints. The breach affects employees and applicants who underwent background investigations as far back as 2000.
The Obama administration has responded with what it calls a “30-day cyber security sprint” headed up by Tony Scott, the U.S. chief information officer and a former executive of Microsoft, General Motors and Disney. Scott is expected to announce the results of the effort on July 20.
This article originally appeared on Recode.net.