The OPM Intrusion


Update June 18 2015 6:00 pm GMT -8: Candice Lanier has an excellent article that goes into some detail about what changes are needed in government security.  Highly recommended.

For those of you who have been vacationing on Mars (or get your news from the mainstream media), OPM is the Office of Personnel Management, an independent agency that handles human resources for much of the federal government. As far as I can tell, OPM reports directly to the President. And the agency experienced a major intrusion into its IT systems in the last week.


A chart of data breaches is shown on Capitol Hill on Tuesday as witnesses testify before the House Oversight and Government Reform Committee’s hearing on the Office of Personnel Management data breach. (Photo: Cliff Owen/AP)

Jonah Goldberg describes this as a “cyber Pearl Harbor.” And he’s right. What’s truly awful, however, is that OPM was warned repeatedly and did nothing. And the reason can be traced directly to the White House. It looks like the main criterion for appointment to high-level OPM positions was to have worked for President Obama in the past. I’ll postpone the rest of that story until we get through the grim details.

It Wasn’t a Hack


Calling this intrusion a “hack” is an insult to hard-working hackers everywhere. Do you call it a burglary if you leave your front door wide open with a sign saying, “We won’t be back for three days”? That’s pretty much what happened at OPM. An OPM contractor granted root access on OPM servers to administrators working overseas, including one physically located in China. Ars Technica broke the story:

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”

How Bad Is It?

How bad is the breach? “Why Are We Ignoring a Cyber Pearl Harbor?” asked Jonah Goldberg at the National Review.

Countless current and past federal employees are now extremely vulnerable to blackmail and even recruitment by Chinese intelligence operatives. Millions are open to identity theft (the files included all of their personal information, including Social Security numbers, and in many cases medical, family, romantic, and substance-abuse histories). My wife, who previously worked for the Justice Department, may have lived a fine and upstanding life, but I don’t relish the fact that some chain-smoking Chinese bureaucrat is going over her personal information.

The Navy Times, among others, points to the Standard Form 86 as a real goldmine of information. This is a 127-page questionnaire that asks prospective government employees to “disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.”

“They got everyone’s SF-86,” one Pentagon official familiar with the investigation told Military Times.


What makes the SF-86 even more valuable is the content beyond what the applicant supplies. Investigators sometimes interview neighbors, former spouses, and anyone else listed. These interviews become part of the SF-86 record. In other words, if someone you knew in the distant past doesn’t like you any more, they become a target for potentially learning more about you.

Pearl Harbor? Mr. Goldberg was optimistic.

Who Is At Risk?

Writing in The Daily Beast, John Schindler (whose Twitter profile says he is a “recovering spook”) says, “China’s Hack Just Wrecked American Espionage.” He added:

“It is going to keep many folks at Langley busy for years, and it’s not like they weren’t busy already… When you add this to Snowden, it’s really not a good time to be posted abroad anywhere less safe than maybe Canada or Australia.”

“But wait,” you’re thinking. “OPM doesn’t handle records for the CIA, NSA, or Defense Department.”

That may not help much. Intelligence officers serving in other countries often use covers, that is, false identities. To be credible, the identity must have a “credible narrative” and be “backstopped.” The cover must look real and check out if tested. If someone says they work for the Census Bureau doing survey work, there had better be an employment record at Census. That necessitates a record at OPM, which gives the Chinese a great place to start hunting. Does the purported Census employee actually seem to be doing work for which they are qualified? It’s a bit of work to track this down, but the workload is reduced considerably when you have a list of employees and their employment status.

Schindler points out that this can be a matter of life and death. Agents posted to a country where they could be killed or captured are very nervous right now. Even more depressing: the list of those countries today, in the age of the Islamic State, is depressingly long. Joel Brenner, a top counterintelligence officer from 2006 to 2009, says this hack is “crown jewels material, a goldmine” and goes on to note, “This is not the end of American human intelligence, but it’s a significant blow.”

Near the end of his article, Schindler makes this telling point:

Espionage covers were already under threat on many fronts. In the Internet age, such cover stories are easier than ever to check out – and perhaps expose as fraudulent. The OPM hack makes this already dicey situation much worse. Biometrics only further complicates matters. With computerized fingerprint checks at frontiers and biometric passports becoming commonplace, and a person’s true identity being established with database checks in just seconds, James Bond’s cover will be blown long before he gets to the baccarat table to order a martini. These two broad technological shifts could soon make traditional covers a thing of the past, a development that will significantly change how the spy business is conducted around the world.

Why Did It Happen?

Returning to the Navy Times article for a few paragraphs:

Signs are mounting that OPM officials were aware their security clearance data was vulnerable. In November, the OPM inspector general issued a report concluding that the data was at risk, a “Chinese hacker’s dream,” according to a New York Times report.

Elizabeth Newman, an attorney and security clearance expert, said the hack was a clear OPM failure.

“It means that OPM was pretty incompetent,” she said. “They knew that their systems were vulnerable and were warned but did nothing to secure them.”

How was that possible? To answer that question, let’s go back to December 19, 2013. An interesting article appeared on the FederalNewsRadio website. With the innocuous title, “OPM staffs up, reshuffles senior leadership,” you wouldn’t expect this blockbuster content:

A little more than a month into Katherine Archuleta’s tenure at the Office of Personnel Management, the agency is staffing up and reshuffling a handful of leadership positions.

Archuleta, who most recently worked as the national political director for President Barack Obama’s 2012 reelection effort, is bringing on board two fellow campaign staffers to serve as top advisers.

Ann Marie Habershaw, the former chief operating officer of Obama’s reelection effort, has been hired to serve as Archuleta’s chief of staff. Chris Canning, also a 2012 campaign veteran, will serve as a senior adviser to Archuleta.

In addition, OPM has hired Donna Seymour, former deputy chief human capital officer for the Defense Department, to serve as the agency’s chief information officer. Seymour’s prior tech experience includes a stint as associate chief information officer for information technology policy oversight at the Transportation Department and as the CIO of Transportation’s Maritime Administration. Chuck Simpson had served as acting OPM CIO beginning in February.

OK, the three top positions were handed to political hacks (the real “hack” in this case). Understanding Ms. Seymour’s background takes a bit of parsing. “… deputy chief human capital officer” means HR. “… associate chief information officer for information technology policy oversight” most likely means either a purchasing officer or an auditor. “CIO of Transportation’s Maritime Administration” means processing routine paperwork.

And there you have it. President Obama’s pattern of staffing the top three or four levels of every single federal agency with people whose only qualification is loyalty to him personally has just put American lives and security at risk. A lot of risk.

I once believed the next president would only have some significant messes to clean up. I now believe it will be at least a decade before the U.S. recovers from this administration’s sheer incompetence.