A new report details how serious the OPM hack really was.
Last year, John McCain told National Review that “the most disturbing briefing that I have ever received” had to do with cyberwar, adding: “We better start doing a helluva lot better job” addressing cybersecurity threats.
Given the current presidential prospects, the chances of that are slim. Donald Trump has made noises about “cyber” (it’s “becoming so big”), but has not outlined any plan. Meanwhile, it’s become undeniably clear that Hillary Clinton’s effort to avoid transparency requirements as secretary of state by setting up a private e-mail server endangered national security, including human-intelligence assets abroad, and that, unable to find more-plausible-sounding excuses, Clinton has opted to plead incompetence: She recently explained that she never realized the “(C)” in certain e-mails she forwarded indicated classified material.
This situation is particularly alarming in the wake of a new report. On Wednesday, the House Committee on Oversight and Government Reform released the results of its year-long investigation into the unprecedented hack of the Office of Personnel Management. The 241-page document is unsubtly titled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”
In March 2014, the Department of Homeland Security alerted OPM that its security had been breached and data stolen. Over the next two months, OPM monitored the hacker’s activity inside its system, developing with DHS a plan to expel him. So narrowly focused was OPM on its target that it did not notice that a separate hacker had gained access to the system in early May, posing as an employee of an OPM contractor. For almost a year, this second hacker operated at leisure in OPM’s system, stealing security-clearance background-investigation files, personnel records, and fingerprint data.
The two attacks, which the Oversight committee says were almost certainly coordinated, constitute the worst cybersecurity breach in American history: “Attackers exfiltrated personnel files of 4.2 million former and current government employees and security-clearance background-investigation information on 21.5 million individuals,” dating back to the Reagan administration. That background-investigation information, the Standard Form 86 or SF-86, which is required of anyone applying for a security clearance, demands an extraordinary range of personal information, as James Comey explained to the Washington Times last year: “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.” (Comey’s was among the data taken.) The hack has been described as “Cyber Pearl Harbor.” Joel Brenner, senior counsel at the National Security Agency, called the stolen information “crown jewels material . . . a gold mine for a foreign intelligence service.” John Schindler, a former analyst at the National Security Agency, has written: “Whoever now holds OPM’s records possesses something like the Holy Grail from a [counterintelligence] perspective.”
The report does not identify the source of the hacks — the consensus is that it was Chinese intelligence — instead focusing on OPM’s grievous incompetence. “The OPM Inspector General (IG) warned since at least 2005 that the information maintained by OPM was vulnerable to hackers,” the Committee writes. But a 2014 audit found that crucial aspects of OPM’s security infrastructure had not been updated since 2007. Meanwhile, OPM had generally declined to implement protections as basic as multi-factor authentication when logging into its network (a violation of Office of Management and Budget regulations). “Had OPM implemented basic, required security controls and more expeditiously deployed cutting-edge security tools when they first learned hackers were targeting such sensitive data,” the Committee writes, “they could have significantly delayed, potentially prevented, or significantly mitigated the theft.”
It was the worst cybersecurity breach in American history.
And, predictably, the mismanagement did not end even with the elimination of the hack. At committee hearings last year, “then-OPM Chief Information Officer (CIO) Donna Seymour made a series of false and misleading statements under oath regarding the agency’s response to the incidents announced in 2015,” including testifying that certain stolen materials were just “outdated security documents.”
In sum, the committee writes, “the longstanding failure of OPM’s leadership to implement basic cyber hygiene, . . . despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology.”
That failure governs our entire dismal cybersecurity infrastructure. Unfortunately, it’s not likely to be corrected any time soon.