The Government Data Hack: An Object Lesson in Government Bureaucracy

By David Mills Published on July 13, 2015

The warning system makes that blaring “Uhhnk! Uhhnk!” noise, a robotic voice declares over and over that the hull is being breached, and the captain shouts orders while one or two passengers scream or cry. It’s a standard scene in science fiction movies, revving up the excitement because if the air gets out and space gets in, everyone dies.

Here on earth, we still get warnings from the media about all the threats to our computers from increasingly sneaky viruses and malware, and are told to get the best security software and make sure it’s up to date. We’re constantly being warned about identity theft and urged to monitor our credit.

When some big company gets hacked and the hackers steal personal information, everyone yells at the company for being careless and incompetent. If they use credit cards, they should make sure bad guys don’t get the information. There’s no excuse for screwing up.

Everyone in the country knows you have to protect your data, because if you don’t REALLY BAD THINGS HAPPEN.

Everyone, that is, except the Office of Personnel Management. They apparently didn’t know. But they do now, they say: Roger. Got that, we’re on it! Don’t need to tell us twice! Watch out spies, here we come!

But here’s the thing. They should have known this as long as they’ve been connected to the internet. Because as long as they’ve been connected, criminals and spies and hostile powers have been connected. We’re the United States. People don’t like us. We have things people want, things people will work really hard to steal. We have to stay one step ahead of them. Eternal vigilance is the price of liberty. This isn’t, as the expression goes, rocket science.

They’ve Known a Long Time

And, as it turns out, they did know. They knew it at least as far back as 2009, from the OPM’s own inspector general. From arstechnica’s report:

During his opening statement, Chaffetz [Congressman Jason Chaffetz] read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency’s security posture in its fiscal year 2014 report — filed just before news of a breach at a second OPM background investigation contractor surfaced.

Eleven out of the 47 major systems in the OPM “had not been properly certified as secure” and “65 percent of OPM’s data was stored on those uncertified systems.” Two-thirds of the agency’s data was kept on systems that were, in 2015, vulnerable to hackers. Those hackers include criminal syndicates and foreign spy agencies. You’d expect that when the heads of the agency read the report they would freak out. But apparently not.

And those contractors? It gets better. By which I mean worse. The OPM outsourced investigations to one “shoestring” contractor — thanks to Congress cutting funds for federal investigators — who got hacked and was then replaced with another shoestring contractor, who got hacked. And then … let arstechnica explain:

Some of the contractors that have helped OPM with managing internal data have had security issues of their own — including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC [People’s Republic of China] passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”

One of the OPM’s excuses is that the system is just too old to make secure. Congressman Will Hurd asked OPM Chief Information Officer Donna Seymour “about the legacy systems that had not been adequately protected or upgraded.” According to arstechnica, she explained that some of the systems were more than 20 years old, coded in COBOL and could be neither upgraded nor replaced with ease. Instead, a full rewrite would be required,

Before you say, “Oh, well, that’s a hard one, what were they supposed to do?” imagine that you ran an American corporation of about the same size as the OPM. You developed and made widgets and sold them to the public. You would want to keep safe your lab’s latest advancements in widgetry and you would want to protect your customers’ credit card information. You would include as part of every year’s expense budget the constant upgrading of your computer system. You’d know you had no choice. You’d have been doing this since you started the company, making sure your system was always up to date. If, as could happen, you found that your IT people were slacking off, you’d fire them.

You wouldn’t leave valuable information free for the taking because your systems were 20 years old and written in COBOL. You’d never let them get to be 20 years old in the first place, because that would be really bad for your business, and bad for you.

Diamond merchants have safes. Banks have vaults. Front doors have locks. iPads and cellphones have passwords. The OPM had outdated, un-securable software they were in no hurry to fix. And the United States suffered a huge and hugely dangerous security breach.

An Object Lesson in Government

I can’t exaggerate how insane this is. The OPM failed to do what the average guy with a computer does. You, for example. It failed to do what every large business does. It failed to do what its own guy in charge of warning the agency warned the agency to do.

And not because its employees are insane, or malicious or even lazy, though some probably are one or the other. It fails in this because it is a bureaucracy, a giant federal agency, and bureaucracies operate by the wrong rules for security. The work becomes routine, 9 to 5, it’ll wait till Monday. The employees are there till they retire, hard to fire or even discipline, usually without much chance to move very far up. The employees and the agency as a whole are largely protected from the consequences of their work.

You can imagine how the failure developed. Money was tight and the software would last another year, and besides, switching to another system would be a royal pain with months of late nights, and who’s going to authorize that much overtime? And besides, we’ve got vacations to take. Some of the guys were worried about security problems, but they’re always worried, and we haven’t had any problems so far. The next year, the software’s still working and if you thought changing the system would be a pain then, well, it’s going to be twice the pain now. No one upstairs is pushing the issue. Why invite trouble? We moved the guys who kept yapping about it to another department. And so on, year after year.

So everyone means well, and the Chinese or some other malign power steals 21 million highly sensitive personnel records.

It is a history to remember when someone declares that the government can solve the problem of the moment. One can believe in the importance of government — and even in a thick social safety net, for that matter — while seeing how imperfect a tool it is. Look at the OPM, which couldn’t even protect its most sensitive data.
