Government Works Badly (TSA & Office of Personnel Management)

By David Henderson of EconLog.

"Two huge recent scandals, both of which involve the federal government, strongly support the case that the government should not be given more power and, in fact, should have much of its power stripped away. 

The two scandals are the horrible performance of the misnamed Transportation Security Administration (TSA) and the poor security measures of the Office of Personnel Management which led to hackers getting access to data of virtually all federal employees.

1. TSA. On June 1, ABC News reported:

An internal investigation of the Transportation Security Administration revealed security failures at dozens of the nation's busiest airports, where undercover investigators were able to smuggle mock explosives or banned weapons through checkpoints in 95 percent of trials, ABC News has learned. 

The series of tests were conducted by Homeland Security Red Teams who pose as passengers, setting out to beat the system.

According to officials briefed on the results of a recent Homeland Security Inspector General's report, TSA agents failed 67 out of 70 tests, with Red Team members repeatedly able to get potential weapons through checkpoints.

The risk of actual weapons getting through was always low, in large part because there are just not that many people with the desire and the ability to get an explosive or a weapon onto an airplane. But now we learn that the TSA would likely not have caught more than a tiny percent of this tiny percent. So we are not made appreciably safer and, on top of that, have had to sacrifice our freedom of travel, our convenience (carrying a bottle of wine on board, for example), our privacy from intrusive searches by radiation or groping hands, billions of dollars in tax money, and, by now, billions of hours of our time. Yet, the acting head of the TSA, Melvin Carraway, has been "reassigned," not fired). And President Obama's nominee for Administrator of the TSA, Peter Neffenger, announces his solution:

There may be a need to introduce some inefficiencies to address the recent findings of the inspector general.

Oh joy.

 Notice what is not talked about: learning the lesson of United Flight #93 on 9/11, of the Richard Reid shoe bomber case, and the Detroit underpants bomber case. The lesson, as I've written earlier here and here, is in his Hayek's article "The Use of Knowledge in Society." It is that we passengers have the "local knowledge" to handle the threats from airline terrorists. Will we always do 100%? No, but so far we have batted 100%.

2. The federal government's Office of Personnel Management has data on virtually every federal employee. And now hackers, who might just be employees of China's government, now have access to those data. Here, writing in Wired, are Kim Zetter and Andy Greenberg:

At first, the government said the breach exposed the personal information of approximately four million people--information such as Social Security numbers, birthdates and addresses of current and former federal workers. Wrong. 

It turns out the hackers, who are believed to be from China, also accessed so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant's interactions with foreign nationals--information that could be used against those nationals in their own country.

I recently filled out such a form and took about six or so hours to do it. It is important to get all the facts right because the employee signs a statement under threat of perjury that he has. In my case, I can't think of anything a hostile government would learn from my form SF-86 that he or she could use to blackmail me. But that's certainly not the case for every federal employee.

Maybe we can tell ourselves that at least some OPM IT security employee was enough on top of the job to discover this breach. Even if that were so, that would be small comfort. But no. Zetter and Greenberg write:

What's more, in initial media stories about the breach, the Department of Homeland Security had touted the government's EINSTEIN detection program, suggesting it was responsible for uncovering the hack. Nope, also wrong. 

Although reports are conflicting about how the OPM discovered the breach, it took investigators four months to uncover it, which means the EINSTEIN system failed. According to a statement from the OPM, the breach was found after administrators made upgrades to unspecified systems. But the Wall Street Journal reported today that the breach was actually discovered during a sales demonstration by a security company named CyTech Services (paywall), showing the OPM its forensic product.

Here's the Wall Street Journal story referred to above.

Here's the most shocking line in the Wired article:

The OPM had no IT security staff until 2013

Remember that every time the government has a program that gets data on us--whether it be Medicare, Obamacare, or any other government program--there's a substantial risk that hackers will get it too."