What the Office of Personnel Management Got Right
Weekly Article
Sept. 24, 2015
As Chinese President Xi Jinping comes to Washington, much of the talk centers around whether and how Washington should respond to China's likely copying of more than 21 million records from the US Office of Personnel Management. Many think that the massive cybersecurity breach requires a diplomatic (and, as Kendall Burman explained, complicated) response.
But the question of when and how the United States should respond overlooks a deeper issue, one that stands at the intersection of technology and policy: Why was the Office of Personnel Management running their own servers in the first place? OPM only has roughly seven thousand employees in total--less than 0.3% of the total federal government. Its mission is "recruiting, retaining and honoring a world-class force to serve the American people"--there's nothing remotely high-tech in that. Why, then, was OPM asked to build deep in-house expertise on cybersecurity? Outside of government, this would not happen. Running servers would have been outsourced to an organization fit for that purpose.
From a pure management and policy perspective, the Office of Personnel Management is actually a positive example of a centralized approach. By making OPM responsible for a range of strategic Human Resources dynamics across federal agencies, the government benefits from an elite and specialized center of expertise and capacity that helps every single one. Centralizing responsibility in a single office is a smart way of conducting personnel management--and it could be an efficient approach for conducting tech management, too.
A single tech services team could support many federal agencies by managing their servers, protecting their data, and ensuring robust security practices. As within OPM, the work would be centralized, with unified standards and the ability to more easily make enhancements that would apply across other agencies.
Such a team probably would have something high-tech in its mission, but it wouldn't need to reinvent the wheel. Many federal agencies, running the gamut from the Social Security Administration to the Commerce Department, already have some solid data management techniques. One of those teams could perhaps be resourced and empowered to scale its work into a service for other agencies. Or the endeavor could be begun from scratch, with personnel carefully recruited from the most successful federal agency teams.
Adopting this approach doesn't mean an agency loses control of its own technology. The core servers and security features are centrally maintained, but each federal agency could nonetheless use and develop its own technology to extend that core. Netflix, for example, does not maintain its own servers, but rather runs on computers managed by Amazon Web Services. The buzzwords “cloud computing” and “managed servers” are all about companies moving to that model, which is more secure and less expensive than running your own servers.
Federal agencies do not need to be responsible for managing their own servers. And, given the stakes, they shouldn’t be. The Office of Personnel Management demonstrates that centralized service models can work in government. They got that right. But they shouldn’t have to be the ones to get it right when it comes to cybersecurity. It's just a question of applying the centralized model to technology.