A few months ago, when the OPM breach first hit and the OPM said it would use a third party to send out notification emails to affected individuals about the compromise, we warned of the dangers of this approach. In the post "OPM Breach, From Bad to Worse", we noted how the use of email notifications, especially from a third party, would open up all government employees to potential phishing attacks.
Yesterday the OPM announced a revision to the expected notification and its timing, highlighting that email notifications will come from either a dot-mil or dot-gov address. Instead of using a contractor for notifications, the Defense Department will be alerting all victims this time around.
This is by no means a perfect solution. While harder to pull off, employees could still be tricked by addresses that mention 'mil' or 'gov' but are in fact from spoofed or lookalike domains. It is also reasonable to expect an increase in scams around credit monitoring, as the letter will probably include URLs that are prone to pharming and phishing redirection. Additionally, once attackers capture the personal information of impacted users, they can certainly blackmail them, especially around the release of medical history and similar details. All of this brings up the larger question - is it time to rethink the way we handle identity?
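The lookalike problem above can be made concrete with a small triage check. The following is an added example, not code from the original post or from OPM: it classifies a mail's From: header as coming from a genuine .gov or .mil top-level domain, from an address that merely mentions "gov" or "mil" somewhere (the display name, a subdomain, or a hyphenated registrable domain), or from something unrelated. The sample headers are constructed for the demo, the .gov/.mil allowlist is an assumption about what a recipient is told to trust, and the header parser is deliberately minimal rather than a full RFC 5322 implementation.

```python
import re

# Constructed sample From: header values for the demo (not from the original post).
SAMPLE_HEADERS = [
    "OPM Notification <noreply@opm.gov>",
    "DoD Notification <alerts@mail.mil>",
    '"noreply@opm.gov" <noreply@opm-gov.com>',
    "OPM <noreply@opm.gov.notification-center.com>",
    "OPM <noreply@opm.gov.com>",
    "Credit Monitoring <support@gov-credit-monitoring.net>",
    "Credit Monitoring <support@example.com>",
]

# Assumption for the demo: recipients were told to trust only these TLDs.
TRUSTED_TLDS = {"gov", "mil"}


def split_from_header(header_value):
    """Split a From: header into (display_name, address).

    Handles the two common shapes 'Name <addr>' and bare 'addr'. This is a
    deliberately small parser for the demo, not a full RFC 5322 implementation.
    """
    m = re.search(r"<([^<>]+)>", header_value)
    if m:
        addr = m.group(1).strip()
        display = header_value[:m.start()].strip().strip('"')
    else:
        addr, display = header_value.strip(), ""
    return display, addr.lower()


def sender_tld(addr):
    """Top-level domain of the address, e.g. 'gov' for noreply@opm.gov."""
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    return domain.rsplit(".", 1)[-1]


def classify_sender(header_value):
    """Return 'trusted', 'lookalike', or 'other' for a From: header.

    trusted   - the real top-level domain is .gov or .mil
    lookalike - 'gov' or 'mil' appears in the address or display name, but the
                real top-level domain is something else
    other     - no government cue at all
    """
    display, addr = split_from_header(header_value)
    if sender_tld(addr) in TRUSTED_TLDS:
        return "trusted"
    # Treat hyphens as separators so 'opm-gov.com' is caught as a cue.
    haystack = f"{display} {addr}".lower().replace("-", " ")
    if re.search(r"\b(gov|mil)\b", haystack):
        return "lookalike"
    return "other"


def triage(headers):
    """Map each header to its classification, as a mail-gateway rule might."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:9s} {header}")
```

The check only looks at the visible sender string; it says nothing about whether a genuine .gov or .mil mailbox was itself compromised or whether the message actually passed SPF and DMARC at the gateway, so in practice it belongs alongside those authentication results rather than in place of them.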
The US and other countries have long had ways to establish the physical identity of their citizens - from birth certificates to passports to driver's licenses. But, as of yet, no mechanisms exist to truly confirm your digital identity. Private industry has stepped in to address things like credit reporting, but this is just one piece of the puzzle. What else can be done?
Can the federal government step in at this point and create a new kind of digital identity for its constituents? Or will this likely be driven in the private sector, by consumer demand?
Could we require anti-identity-theft insurance of those participating in the digital world, much as we currently require car insurance before driving a vehicle? What would something like that cover?
How do we address the release of sensitive information, such as drug use, mental illness and other life circumstances that might be part of a dossier for security clearance applicants?
OPM has clearly realized its earlier mistakes and is moving quickly to address them with the new email rollout. It is also likely communicating to federal employees the ways to spot malicious or spoofed emails, phone calls and social interactions. But human beings are fallible, and relying on them as the last line of defense has proven a losing strategy. We know we can do more to protect our citizens; the question is who will do it, and how long it will take.