To Fix Cyber Mess, The U.S. Postal Service Must Get Its Priorities Straight
December 13, 2018
This article originally appeared in the Daily Caller on November 28, 2018.
When mailing letters and packages to loved ones this holiday season, consumers have to place an awful lot of trust in their mailers.
This trust isn’t just about the safety of the paper-clipped check or expensive new gadget that passes through the hands of U.S. Postal Service (USPS) employees. Often, consumers give phone numbers, e-mail addresses, and multiple addresses to the Postal Service with the understanding that their information will be protected.
Unfortunately, this has simply not been happening.
According to KrebsOnSecurity, broken code in a USPS mail tracker called “Informed Delivery” allowed users to see any other user’s details — exposing the records of roughly 60 million individuals.
Normally, websites require users to pass through multiple access points (or hurdles) before they can retrieve sensitive information (e.g., phone numbers listed on an account). Due to a lack of multiple access points, malicious individuals were able to obtain and change personal user information merely by logging onto the victim’s online portal.
This finding is bad enough in and of itself, but it was further revealed that USPS knew about the problem for a year and chose to ignore it.
The USPS’ lackluster cybersecurity effort, coupled with ignoring key vulnerabilities, shows just how skewed the priorities are at one of the federal government’s most beleaguered agencies.
This is just the latest in a long string of scandals, mismanagement and abysmal finances at USPS. Congress must step in to demand urgent reform and much-needed accountability for the Americans who don’t just use USPS but whose taxes subsidize it by billions of dollars a year.
Just a few weeks ago, USPS reported a staggering $3.9 billion net loss in the 2018 fiscal year (FY), up from $2.7 billion in FY 2017. Worse yet, losses subject to management’s control (“controllable losses”) surged to $2 billion, more than double last year’s total.
This incredible sum, which seems to increase every single year, now comprises the majority of USPS losses and undercuts the carrier union’s claims that retiree health-benefit “pre-funding” beyond its control deserves the lion’s share of the blame for twelve straight years of net losses.
Given the magnitude of these losses, it may be difficult for the USPS to pay for a much-needed cybersecurity program. But the real problem is not money; it’s management.
The Office of the Inspector General (IG) lambasted USPS for not considering cybersecurity items to “be investments per Postal Service policy,” adding that “the Postal Service has not performed financial long-range planning and administering the cybersecurity program.”
Rather than correcting these and other issues, USPS management seeks to pay for new investments by increasing postage rates beyond inflation. To be sure, this is a risky move considering the increasing amount of e-commerce and e-communication.
Far greater savings can come by implementing reforms already suggested by the IG. The USPS, for instance, is supposed to use a modeling tool to sort out job assignments based on mail processing volume, but regular deviations result in increased overtime and lower employee productivity.
The IG estimates that a more thorough use of its own modeling tools would save the USPS $420 million in labor costs alone.
The USPS can also save itself from gargantuan future expenses by making sensible fleet acquisition decisions. Starting in FY2019, the USPS plans to spend an annual average of $821 million on new vehicle purchases. The USPS is considering two cost-effective foreign-origin bids (from Indian and Turkish manufacturers), but will likely be steered toward domestic bids due to the sway of “Buy America” provisions.
While the USPS isn’t subject to the Buy American Act, it does have an acquisition provision for considering domestic suppliers first. Therefore, the USPS (really, taxpayers) may pay an unnecessarily high price for its fleet over the next decade. Additional considerations, such as preference for “alternative fuel capabilities,” may further inflate the price of vehicle operation, paving the way for further unnecessary costs for the beleaguered organization.
With an open mind toward foreign vehicle bids and a variety of fuel systems, the Postal Service could save over a billion dollars in the coming decades, a fraction of which should go toward shoring up cybersecurity.
USPS needn’t break the bank to beef up protections for users. International Computer Science Institute researcher Nicholas Weaver says of the recently fixed vulnerabilities that this “is not even Information Security 101, this is Information Security 1, which is to implement access control.”
With its spending priorities in order, the USPS can have a better-trained cybersecurity staff that maintains the trust between citizen and agency.
Until USPS reduces the risk posed by cyber vulnerabilities, Santa Claus may not be the only one snooping around to find out who’s been naughty or nice.