Editor’s Note: Paul Callan is a CNN legal analyst, a former homicide prosecutor and media law professor. He is “of counsel” to two law firms: Edelman & Edelman, PC and Callan, Koster, Brady & Nagler, LLP. The opinions expressed in this commentary are his.
As many as 18 million Americans may have had personal data hacked due to invasion of federal databases
Callan: Massive breach of federal employees' personal data shows the need to make officials step up the level of security
During the past few weeks, much of the nation was mesmerized by the daring escape of two convicted murderers from a maximum-security prison in upstate New York. The saga ended with one of the fugitives dead from gunshot wounds while the other convict is in custody recovering from wounds of his own. Two prison employees have been charged with aiding and abetting in the escape.
The prison break is the kind of case that the law and law enforcement have dealt with for decades. It’s straightforward and the courts know how to assess blame and hold people responsible. Less clear is the 21st century kind of crime that has played out more quietly in Washington.
In a United States Senate hearing room, the director of the federal Office of Personnel and Management, Katherine Archuleta, and James Trainor, acting assistant director of the FBI’s cyber division, engaged in a heated dispute about whether hackers had successfully stolen sensitive personal information of only 4.2 million, or the FBI’s larger estimate of 18 million, federal employees and other assorted American citizens.
The stolen information included Social Security numbers, health and family data, and even detailed background information customarily listed on federal employment applications. Much of the data theoretically could be used by foreign government agents to humiliate or blackmail federal employees in a quest for intelligence secrets.
Making the story worse was the information revealed in the congressional hearing that suggested gross negligence and a reckless disregard for the cyber safety of federal employees and the American public by the officials responsible for safeguarding the data.
According to the Washington Post, congressional questioners asked why the data was not encrypted and why no changes were made after the agency’s inspector general recommended shutting down computer security systems considered vulnerable – a number of which had not been certified as meeting security standards.
The New York Times reported that state-of-the-art security procedures were not used to limit access despite the sensitivity of the data.
And agency officials said some of the systems were decades old.
The hackers, if they are based in China, are unlikely to ever be brought to justice in the United States. A year ago, five members of China’s People’s Liberation Army were indicted in a Pennsylvania court on 31 counts of violating federal law by hacking U.S. businesses and other entities, but the defendants in that case were charged in absentia and are not subject to U.S. authorities. That could well be the case here too.
What about the U.S. officials who didn’t correct vulnerabilities in the computer system?
Attaching criminal or civil liability to the people or federal agency who failed to prevent this egregious breach of cyber security is theoretically possible under current American law, but would be difficult. Yet in the end, the threat of a criminal investigation and a civil lawsuit might be the pressure needed to force reforms.
To prove a crime, prosecutors would have to have an identifiable victim who has suffered identifiable injuries. Right now, the actual damage that the breach has caused federal employees is unclear.
Other countries would undoubtedly handle such a big breach of cyber security in a very different manner than our kindly federal authorities. In North Korea or China itself, we can be reasonably certain that whoever was responsible for permitting such a breach of security would have already been placed in front of a firing squad.
No one, of course, is suggesting such draconian measures in the United States, but at the very least the American public has the right to expect accountability and the construction of effective defenses immediately.
It will probably surprise many that American law offers few ways to punish those responsible for failing to prevent such a spectacular breach of U.S. cyber security.
In some respects, the situation in Washington is similar to that of a soldier on guard duty abandoning his or her post. Under Article 113 of the Uniform Code of Military Justice, the soldier would be subject to court-martial. The punishment in peacetime would be a dishonorable discharge and up to a year in prison, or even the death penalty in time of war.
Here, the federal cyber sentinel seems to have fallen asleep at the digital gate. But in truth, criminal punishment for even gross negligence in the performance of employment duty rarely exists in civilian life. A civil lawsuit by victimized federal employees may bring some relief to them, but the breach here demands a firmer response.
If officials are brought up on departmental charges for failing to prevent the hacking, their lawyers will undoubtedly claim, perhaps with justification, that they didn’t have the funding or the staff needed to fully protect the federal database. They would further assert that the rapid advance of technology has given an edge to a hacker army supported by China.
Still, holding people responsible for their actions when the stakes are high – when American citizens suffer grievous injury as a result of corporate fraud and irresponsibility – is a policy now being implemented by the Justice Department. Recently, creative prosecutors have used fraud statutes to lodge criminal charges against food industry executives in food poisoning and adulteration cases involving peanut butter and eggs.
The Department of Justice has also recently taken an aggressive stance by launching criminal probes against Toyota of Japan and the Takata Corporation in connection with product liability claims in the auto industry. GM is now under the DOJ microscope regarding the ignition system used in some GM vehicles.
Manhattan’s media-friendly U.S. Attorney, Preet Bharara, recently fired a warning shot in the direction of Corporate America, telling the Wall Street Journal:
“The first line of defense is self-policing within the company. The second is regulators… When all those things have failed, prosecutors come along with the blunt hammer. That does get some attention in the boardroom.”
Perhaps it’s time that Mr. Bharara use his hammer to place Washington on notice that cyber security is an urgent priority. Just as the American public has the right to expect the auto industry to provide safe and effective air bag and ignition systems, it has the right to expect an effective cyber security program from its government.
Funding, personnel and leadership are all required now.
In this raging cyber war, perhaps governmental employees should be held accountable just like our young soldiers in the field. Otherwise, China’s future weapon of choice might be built with stolen American secrets and it won’t be a hammer.