
3 leadership lessons from the U.S. government’s data hack

Office of Personnel Management Director Katherine Archuleta testifies before the Senate Homeland Security and Governmental Affairs Committee on Capitol Hill in Washington, Thursday, June 25, 2015, during a hearing on Federal Cybersecurity and the OPM Data Breach. (AP Photo/Susan Walsh)

The U.S. government’s Office of Personnel Management chief Katherine Archuleta resigned last week in the wake of a massive data breach involving social security numbers and other personal information of nearly 21.5 million people. Despite the seriousness of the breach, the Obama administration was supportive of Archuleta even while Republicans wanted her gone. While it’s impossible to tell how much autonomy Archuleta really had in handling the aftermath and in revealing information to the public, as the keeper of the records, her responsibility was heavier than anyone else’s.

The following are 3 areas where Archuleta failed as a leader.

Ignoring a credible threat

The primary function of the OPM is to serve as the human resources office for the federal government. As part of this function, it gathers and maintains mountains of sensitive information on prospective candidates and current employees, and securing that data should be a priority for the agency. Cybercrime is no longer either new or obscure. It’s a major threat to all organizations, especially one like the OPM that is a treasure trove of personal information.

Despite this, the agency showed a shocking insouciance toward cybersecurity. Its computer systems reportedly lacked even basic security procedures like two-factor authentication and encryption of social security numbers. Even the Department of Homeland Security’s intrusion detection system, called EINSTEIN, apparently failed to detect data breaches until it was too late.

Ignoring a credible threat is a sign of bad leadership. While the DHS might deserve some of the blame, it was ultimately Archuleta’s responsibility to maintain the integrity of the OPM’s database, and she failed at doing that.

Not sounding the alarm

The OPM’s computer vulnerabilities were not unknown. The agency had been warned about the risks of its outdated technology as early as 2007, but no remedial steps were seemingly taken, according to The New York Times. To be fair, it’s certainly possible that Archuleta asked for funds to upgrade the OPM’s systems and was denied, or was thwarted by inter-governmental politics, but nothing has surfaced so far to indicate that.

A good leader would have acknowledged that something was very wrong and sounded the alarm. Had the OPM moved proactively to modernize its cybersecurity eight years ago, the current breach might never have taken place. Sounding the alarm might have pitted Archuleta against those who didn’t consider a hack of this magnitude to be likely or had budgetary concerns, but that was no reason for her to stay silent. She could also have taken her concerns to the press to force action on the issue. It was Archuleta’s job to be bold and take the lead in fixing an obvious problem.

Downplaying the problem

Once the breach had been discovered, Archuleta should have acknowledged the full scope of the hack, but instead she tried to downplay it. According to a Wall Street Journal report, the OPM at first denied that security clearance forms, known as SF-86s, were stolen in the hack, even though the FBI had informed the OPM of that fact. Once it came out, the agency hid behind semantics, claiming that it had agreed with the White House to treat the breach of security clearance forms as a separate incident from that of personnel files and had therefore not addressed it initially. Bad politics, but also bad leadership.

The result of this seeming obfuscation was that initial reports of the hack greatly underestimated the number of people who were affected. Given that it wasn’t just social security numbers that were compromised but also fingerprint records and financial and mental health histories, Archuleta should have shown more empathy with the victims and come clean about the scope of the problem from the beginning.

S. Kumar is a tech and business commentator. He has worked in technology, media, and telecom investment banking.