In recent weeks, reports have emerged that the Office of Personnel Management (OPM) has been hacked several times over the past year. Nearly four million personnel records of government employees and civilian contractors were stolen in one of the breaches but it is now likely that the actual number is significantly higher. The data breach goes far beyond the acquisition of social security numbers and other information such as addresses and dates of birth. It is believed that the hackers who are strongly suspected to be from China also gained access to millions of security clearance forms. With this in mind, whoever stole the information now has critical information concerning government employees ranging from diplomats overseas, to analysts in the intelligence community; information that can be used to recruit or turn government employees in sensitive positions against the U.S. This data breach is not to be taken lightly by any means and might in fact represent the greatest intelligence disaster to happen to the U.S. in decades.
OPM Data Breach
The U.S. Office of Personnel Management manages the civil service of the federal government. OPM is essentially the human resources department of the federal government; it manages pensions, administers benefits such as insurance programs, provides training and manages staffing through USAJOBS.gov, the primary conduit for job seekers to obtain employment with various federal agencies. From a security perspective, the OPM also manages security clearances for the government and conducts over 90% of all background investigations for those who need Secret and Top Secret clearances.
Last March Chinese hackers broke into OPM files, an incident that was reported later in July. This breach was detected early and Homeland Security claimed the hackers were successfully blocked or so it was thought at the time. Apparently, the hackers were able to stay in the system and extract information for more than a year undetected. Four “segments” of data were compromised including the “segment” consisting of security clearance forms.
On June 4th the OPM admitted that there was a breach in April and that the personal records of 4.2 million current and former government employees may have been compromised. This breach was linked by officials in the government to Chinese hackers though the Chinese government has vehemently denied this. The hackers it is believed entered OPM records after gaining access to the systems of KeyPoint Government Solutions sometime last year. KeyPoint is a primary provider of background checks for the U.S. government.
It has been reported that OPM only found out about the intrusion when it came up in a product demonstration by CyTech Services, a network security company. While demonstrating a new product, the malware that allowed for the breach was discovered by CyTech; this though is denied by the OPM who claim that their in-house cybersecurity team discovered the breach itself.
It wasn’t until early June though that news broke of a second breach which compromised highly sensitive data, a breach which OPM knew about as of May 27th. This latter breach may involve as many as 14 million current and former government workers as well as those who applied for government positions but were not hired. The data obtained in this second breach includes security clearance forms for both military and intelligence agencies. The White House admitted that there was “a high degree of confidence that…systems containing information related to the background investigations…may have been exfiltrated.”
The Security Threat
The true depth of the OPM breach may not be made known to the public for some time. The OPM has repeatedly changed its story from being one where no information was stolen, to limited information was stolen, to highly sensitive information has been exposed; this doesn’t exactly inspire confidence. While the scope of the breach is itself disconcerting, the compromise of sensitive security information represents a real blow to U.S. national security.
Federal employees and contractors seeking to obtain or upgrade their security clearances are required to fill out a 127-page form, Standard Form 86 (SF 86). These forms require applicants to provide information about their past employment, education, relationships, interactions, and information about certain liabilities such as financial issues or drug use. It is that information which makes this breach so dangerous as it can be used against government employees as blackmail in an attempt to get them to work against the interests of the U.S. Now personnel security records from State Department, Defense Department, and others are available to those who have the power or desire to do harm. While some solace can be had in the fact that the Central Intelligence Agency doesn’t use OPM for background investigations, it does routinely use other federal agencies as cover for many employees including those in covert positions.
Former head of both the Central Intelligence Agency and National Security Agency, retired General Michael Hayden has said that the data breach is a “tremendously big deal” and “The potential loss here is truly staggering and, by the way, these records are a legitimate foreign intelligence target.” Believing the breach to have originated from China, he fears that the stolen information will be used to help recruit spies in the U.S. and abroad while outing intelligence agents around the world. Meanwhile, the former top counterintelligence official for the Intelligence Community, Joel Brenner said of the information obtained in the breach, “crown jewels material, a goldmine” for China.
With the security clearance information alone, the true identities of intelligence officers serving abroad can be blown. In 1975, former CIA officer Phil Agee published information that exposed the true identities of 250 CIA officers serving abroad, as well as front companies, and foreign agents. The result saw at the least numerous CIA operations blown, agents outed, and careers ended. If this breach is as serious and real as it is now believed to be and if such data is in the hands of the Chinese, there is the potential for great damage to be done to overseas intelligence operations.
While the Obama Administration has failed so far to place the blame for the OPM breach on any particular country, group or entity, many have pointed at China as the culprit. Also, the White House has not been quiet about the possibility of placing sanctions on a foreign government that engages in cyberattacks against the U.S. China has repeatedly denied its role in the attacks though saying that such accusations are “not responsible and counterproductive.” If this breach was the result of a Chinese cyberattack, it would not be the first.
After years of denying the existence of specialized cyber units, only recently has the Chinese government formally acknowledged there existence. The Chinese operate several units solely dedicated to cyber espionage including Peoples Liberation Army (PLA) Unit 61398 and Unit 61486. Last June, five members of Unit 61398 were indicted by the Justice Department last June for stealing corporate secrets. Many other incidents have been publicized and who know how many are kept out of the public domain. OPM has claimed that it thwarts around 10 million hack attempts a month and while those cannot all be attributed to China, it is an incredibly high number. That figure is an indication of the growing cybersecurity threat that is facing the U.S.
Already the blame game is occurring in Washington over the breach. While ultimate blame should be placed on the culprits, the failure of the U.S. government to prevent the breach also requires blame to be placed on those within the government. The U.S. has been remarkably slow moving to counter the very real threat of cyberattacks and cyberespionage. To think that all security clearance forms can be stolen with the government only realizing it after the fact is embarrassing and catastrophic. There is no telling just how bad the fallout of this breach will be but with almost absolute certainty it can be said that various federal agencies are already operating in damage control mode. This breach is an absolute disaster and should serve as the final wake up call for the U.S. government to acknowledge that cyberwarfare is a real threat and to take action to ensure that U.S. assets are protected in the future.