Massive Data Breach Puts a Spotlight on Shared IT Services

When the Homeland Security Department released a statement on Thursday explaining the data breach affecting 4 million federal employee records at the Office of Personnel Management, it alluded on background to the role of an Interior Department data center, “which is a shared service center and a means for federal agencies to collaborate and achieve efficiencies.”

While the precise role of Interior’s shared data center in the breach is not yet known, a key component of the Obama administration management agenda has been to expand on the 40-year-old movement to encourage agencies to outsource to other agencies such functions as payroll, software acquisition and office supply purchases.

The damage from the attack revealed this week is still being calculated by OPM and the FBI, and current and former federal employees whose personal information might have been stolen are being alerted and provided with credit monitoring.

But the attack is unlikely to derail the shared services campaign, according to agencies and industry specialists. Many see improved information technology as the solution to both cyber threats and a need to streamline functions.

OPM press secretary Samuel Schumach, while declining to point to a direct link between the current breach and the fate of shared services, told Government Executive on Friday that “for several years the government has been implementing a strategy to increasingly move to IT shared services. It reflects long-standing private-sector best practices to streamline and simplify complex IT networks and systems. This can help improve IT management, strengthen security, increase efficiency and reduce costs,” he said.

Having “fewer systems and networks are typically less expensive, more efficient, easier to manage, and more secure than many environments,” he added. “Moving to more shared services reflects private-sector best practices. It’s good for the taxpayer, it improves security, and we constantly find ways to improve how we are executing.”

An official at Interior, which runs a shared services data center outside Denver, said the department “is working closely with OPM, the Department of Homeland Security and the FBI as they investigate this cybersecurity incident potentially affecting personnel data,” he said.

“Interior is employing a comprehensive, multi-pronged remediation strategy to prevent, detect and act against malicious activity on our network in order to respond and recover following an incident. Central to this effort are measures to protect the personnel data of our employees.”

For its part, Homeland Security has circulated information regarding the potential incident with all federal chief information officers to “ensure that all agencies have the knowledge they need to defend against this cybersecurity incident.” Other agencies that offer shared services include the General Services Administration, NASA and the Transportation and Agriculture departments.

Industry specialists point out that the main obstacles to expanding shared services are not technological, but organizational and cultural -- fear of layoffs, and insufficient economic data to demonstrate the return on investment.

John Marshall, a small-business owner who is founder and CEO of the Shared Services Leadership Coalition, told Government Executive that the breach is unlikely to discredit shared services because the movement itself seeks to remedy the governmentwide “proliferation of nonstandardized platforms that are getting older and haven’t been enhanced to the level of security alignment we have today,” he said. “Shared services would consolidate platforms on a trajectory to become more modernized and high-performing, to meet security standards and comply with legislation requiring transparency” such as the DATA Act, he said. Members of his coalition, he added, have a great deal of interest in data transparency as well as improving data security.

Jerry Irvine, chief information of the Chicago-based Prescient Solutions and a member of the National Cyber Security Task Force, agreed that “reasons for delay in the implementation of more shared service models have been personnel or politically motivated. New policies, processes and standards will be the responsibility of the government to define, implement and take responsibility for,” he added, suggesting a new central shared services agency could be formed, similar to efforts to create a single cyber authority.

This week’s OPM breach and others like it “point out existing weaknesses in IT and cybersecurity expertise,” Irvine said, “and should become a great motivator for agencies to obtain the required expertise, systems and standards to appropriately protect their information. Whether they will do that with publicly accessible shared services via cloud service providers or develop a larger bureaucracy is the question.”

(Image via SOMMAI/Shutterstock.com)