David R. Henderson  

Government Works Badly

Two huge recent scandals, both of which involve the federal government, strongly support the case that the government should not be given more power and, in fact, should have much of its power stripped away.

The two scandals are the horrible performance of the misnamed Transportation Security Administration (TSA) and the poor security measures of the Office of Personnel Management, which led to hackers getting access to data on virtually all federal employees.

1. TSA. On June 1, ABC News reported:

An internal investigation of the Transportation Security Administration revealed security failures at dozens of the nation's busiest airports, where undercover investigators were able to smuggle mock explosives or banned weapons through checkpoints in 95 percent of trials, ABC News has learned.

The series of tests were conducted by Homeland Security Red Teams who pose as passengers, setting out to beat the system.

According to officials briefed on the results of a recent Homeland Security Inspector General's report, TSA agents failed 67 out of 70 tests, with Red Team members repeatedly able to get potential weapons through checkpoints.

The risk of actual weapons getting through was always low, in large part because there are just not that many people with the desire and the ability to get an explosive or a weapon onto an airplane. But now we learn that the TSA would likely not have caught more than a tiny percent of this tiny percent. So we are not made appreciably safer and, on top of that, have had to sacrifice our freedom of travel, our convenience (carrying a bottle of wine on board, for example), our privacy from intrusive searches by radiation or groping hands, billions of dollars in tax money, and, by now, billions of hours of our time.

Yet the acting head of the TSA, Melvin Carraway, has been "reassigned," not fired. And President Obama's nominee for Administrator of the TSA, Peter Neffenger, announces his solution:

There may be a need to introduce some inefficiencies to address the recent findings of the inspector general.

Oh joy.

Notice what is not talked about: learning the lesson of United Flight #93 on 9/11, of the Richard Reid shoe bomber case, and the Detroit underpants bomber case. The lesson, as I've written earlier here and here, is in Hayek's article "The Use of Knowledge in Society." It is that we passengers have the "local knowledge" to handle the threats from airline terrorists. Will we always do 100%? No, but so far we have batted 100%.

2. The federal government's Office of Personnel Management has data on virtually every federal employee. And now hackers, who might just be employees of China's government, have access to those data. Here, writing in Wired, are Kim Zetter and Andy Greenberg:

At first, the government said the breach exposed the personal information of approximately four million people--information such as Social Security numbers, birthdates and addresses of current and former federal workers. Wrong.

It turns out the hackers, who are believed to be from China, also accessed so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant's interactions with foreign nationals--information that could be used against those nationals in their own country.

I recently filled out such a form and took about six or so hours to do it. It is important to get all the facts right because the employee signs a statement under threat of perjury that he has. In my case, I can't think of anything a hostile government would learn from my form SF-86 that it could use to blackmail me. But that's certainly not the case for every federal employee.

Maybe we can tell ourselves that at least some OPM IT security employee was enough on top of the job to discover this breach. Even if that were so, that would be small comfort. But no. Zetter and Greenberg write:

What's more, in initial media stories about the breach, the Department of Homeland Security had touted the government's EINSTEIN detection program, suggesting it was responsible for uncovering the hack. Nope, also wrong.

Although reports are conflicting about how the OPM discovered the breach, it took investigators four months to uncover it, which means the EINSTEIN system failed. According to a statement from the OPM, the breach was found after administrators made upgrades to unspecified systems. But the Wall Street Journal reported today that the breach was actually discovered during a sales demonstration by a security company named CyTech Services (paywall), showing the OPM its forensic product.

Here's the Wall Street Journal story referred to above.

Here's the most shocking line in the Wired article:

The OPM had no IT security staff until 2013

Remember that every time the government has a program that gets data on us--whether it be Medicare, Obamacare, or any other government program--there's a substantial risk that hackers will get it too.

COMMENTS (8 to date)
foosion writes:

It's a mistake to regard the government as an undifferentiated mass.

The bulk of the US government is Social Security, Medicare and the military. These perform at least as well as private alternatives. Social Security and Medicare have much lower cost structures than similar private alternatives (and Medicare would be even lower if it was given the power to bargain for prices).

Internal security, such as the TSA, is largely a mess and is in need of reform.

pascal writes:

If I summarize the reasoning in this paper, I come up with:

2 agencies of a given type of institution have made mistakes.
Therefore the power of all the agencies of this type of institution should be limited.

Now replace 2 agencies by Enron and Arthur Andersen, and type of institution by private enterprise, and you get the opposite results as above.

I thus infer that this article's conclusions cannot be derived from its premises by logical operations (to be polite).

David R. Henderson writes:

now replaces 2 agencies by enron and arthur andersen
Ok. And do you recall, pascal, what happened to these two organizations?

I wonder if it might have been one of the US government's secretive agencies that grabbed data from OPM. The spy agency might otherwise be denied access, denied either by formal security restrictions or by informal bureaucratic inefficiency.

Brad writes:

Government spends vast sums of money on airline security, but virtually none on other forms of public transportation.

The government doesn't robustly protect shopping malls, movie theaters, non-playoff professional sports games (to any degree), college sports, cruise ships, highly important bridges or tunnels, schools, or other large gatherings. And yet we've not seen one incident. But let's molest every single air traveler in the name of security.

Kenneth A. Regas writes:

Slightly OT: When it comes to "cyber security" it seems to me that we live in a world of massive self-delusion. The deluded idea is that enormous, and enormously valuable, data sets can be wired to the international telecommunications network for convenient access by authorized personnel, while reliably protected via software from unauthorized access by any of the billions of people at the other ends of the telephone wires. To speak this proposition is to expose its inanity. And we know that we all know this because NORAD isn't wired to that network, is it? [Please, Lord.] There is only one way to protect electronically-stored information: cut the wires. Everything else is just the emperor's new clothing.

If there were any justice in this world, the 14 million and counting victims of this latest outrage would have strong cause of action against the United States of America for breach of confidentiality. Not because the OPM was "hacked" but because that hacking was physically possible.


p.s. Yes, of course there are other ways for confidential info to be stolen. But before large data sets were all electronic and on line, breaches were small, out of the sheer impracticality of moving so much paper. Now that the information is stored electronically, delivering it in volume to potential thieves all around the world behind a padlock inscribed "try your bolt cutter here" is beyond unconscionable.

Charley Hooper writes:


The two main reasons Medicare has low costs: Medicare uses private companies for claims processing and Medicare has no--zero--scrutiny for submitted claims. In other words, Medicare accepts every claim that is submitted by hospitals and doctors, no matter how ridiculous, incorrect, or inappropriate. Private insurers, in contrast, check claims before they are paid. Medicare has reviewers who look for fraud and abuse after-the-fact, but I'm not sure how efficacious they are.

So Medicare is penny wise and pound foolish, but if you focus on the claims processing part only, you are missing the bigger picture.

ScottA writes:

In fairness, reassignment is the government-equivalent of firing. It's pretty much impossible to actually fire a federal employee, short of some kind of violent crime.
