More Transparency Needed on WH BreachSenator Seeks Answers from Obama on Possible PII Exposure
The actions - or inactions - of the Obama administration suggest that last year's breach of a White House IT system, believed to be by Russians, did not expose personally identifiable information of individuals. Or, at the very least, it did not expose PII in a way that would have caused any substantial harm to individuals.
Office of Management and Budget regulations require federal agencies - including the White House - to notify affected individuals - and alert Congress - if PII breaches cause harm. Although White House officials briefed Congress on the matter, Sen. John Thune, R-S.D., wants more clarity on whether PII was exposed. And the American people deserve clear answers.
Thune, who chairs the Senate Commerce, Science and Transportation Committee, which is considering legislation to create a national data breach notification standard, sent President Obama a letter dated April 30 "to seek your assurance that recent attacks on the White House information system have not compromised the personally identifiable information of our fellow Americans, and to ensure that, if such information has been compromised, the White House will move quickly to notify the affected individuals."
In October, the White House issued a release saying it "identified activity of concern on the unclassified EOP (Executive Office of the President) network." Later, the State Department - after temporarily taking down its email system - said a hack of its system was linked to the attack targeting the White House (see State Department, White House Hacks Linked).
The White House this week declined to comment on the Thune letter, other than acknowledging its receipt. "While we will not comment further on details of the EOP activity, [which] we have previously publicly disclosed and briefed to the Hill, we have consistently supported timely notification in the event of data breaches, consistent with existing federal policy," says Mark Stroh, a National Security Council spokesman. "It is White House practice to act consistent with this policy and its security considerations that are necessary to protect federal networks."
Stroh's statement implies - or its readers could infer - that PII wasn't exposed to the level that would have required notification under OMB rules. And several U.S. officials privately told the Washington Post that no evidence exists that personally identifiable information was taken.
Still, Thune raises concerns that the White House should directly address, and not leave Congress - and the public - reading between the lines to determine definitively whether hackers breached personal information.
"Increasing reports of attacks across executive branch departments and agencies raise serious questions as to whether they are adequately prepared to address vulnerabilities and protect sensitive information," Thune says. "Given this recent hack, as well as prior incidents in 2009 and 2011, concerns remain that the White House's network infrastructure remains vulnerable."
What PII on citizens would the White House store in its servers? Thune points out that requests from individuals to visit the White House grounds - whether for official business, tours or social functions - are often funneled via email to the White House from members of Congress. And those requests contain individuals' birthdates, Social Security numbers and places of residence.
Thune poses four questions to Obama:
- Did the recent White House cyber-incident involve the access or loss of PII?
- If yes, has the White House ensured that those affected have been notified in a manner consistent with OMB policy on data breach notification, the Privacy Act and in keeping with your own recommended direction to business entities under your data breach notification legislative proposal?
- What steps is the White House taking to protect against similar incidents going forward?
- What policies does the White House have in place to ensure that individuals are properly notified when their personal identifiable information has been compromised due to a breach of its information systems?
Good questions. Thune asked the White House to respond by May 15. The White House should respond, and make its answers public. After all, it's a matter of building confidence in our government.