In mid-2015 someone—all indicators point to the Chinese government—stole the security clearance dossiers of more than 22 million Americans. It was the most catastrophic cyber data breach in U.S. history, with the potential to inflict incalculable damage to our national security. Yet the response from the Office of Personnel Management (OPM)—the agency that failed to protect the files in the first place—has been curiously and dangerously lackadaisical.
The laid-back tone was set early on. The administration released news of the theft in dribs and drabs. To date, the full story of what was compromised remains veiled.
What we do know is this: our adversaries now possess a massive amount of highly sensitive information—personal and professional—about past and current U.S. government personnel. Many of those workers have been entrusted to guard America’s most sensitive secrets.
Our enemies are always looking for leverage to advance their nefarious goals. Now they possess tens of millions of files packed with exactly the kind of information that gives them that leverage.
The OPM breach is stunning in many ways. For one thing, it was absolutely predictable. For years, the Inspector General had reported security shortfalls in OPM’s information technology infrastructure. Yet OPM ignored these problems. For example, it failed to patch its vulnerable software, failed to install antivirus software and failed to implement the required authentication certification. OPM has yet to address all the IG recommendations for a more secure IT system.
While OPM paid scant attention to the Inspector General’s reports, the Chinese appear to have read them closely and moved to exploit the uncorrected vulnerabilities.
Also stunning was the administration’s slow and anemic response to the breach, which continues to compound the problem. Few believe the OPM’s security alerts to affected personnel have been of much value. And while the agency has spent millions of dollars to ostensibly mitigate the impact of the breach, the focus of these efforts demonstrates that OPM still fails to comprehend the magnitude of the threat posed to individuals in the defense and national security communities.
Since September, OPM has doled out over $133 million to provide “Identity Theft Protection and Credit Monitoring” for three years. When announcing the contract, OPM Acting Director Beth Cobert averred that the agency remains committed to “assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future.”
Yet what long-term security guarantee does OPM provide to those whose identities have been compromised? How can the victims be certain that their sensitive data—current and future—does not remain vulnerable to exploitation? Even with a congressional extension to ten years (up from OPM’s three-year contract for protection service), the response seems inadequate.
Worse, it seems largely misdirected. OPM continues to focus its remediation effort as though it’s dealing with a “Nigerian prince” cybercrime rather than a national security breach.
A cybercrime? The OPM attack was almost certainly undertaken by another nation for espionage purposes, not to rip off credit card numbers. The agency’s multi-million-dollar expenditure addresses only a small part of the damage.
China isn’t interested in stealing money from U.S. government workers. For Beijing, the high-value information is the personal and professional data on federal workers and contractors—past and present—with a security clearance handling our country’s most sensitive information.
The attack was conducted to gather sensitive, actionable information and, by extension, achieve a deeper understanding of U.S. national security programs. The adversary will continue its attempts to gain additional information on vulnerable victims. “Identity Theft Protection and Credit Monitoring” offers no protection from what a national security adversary would do with this treasure trove of data.
OPM needs to work with the Social Security Administration to address the vulnerability of the wholesale loss of social security numbers. It must also intensify its engagement with the American intelligence and defense communities to identify the counterintelligence vulnerabilities related to the victims.
And OPM needs to work with the individual victims to extend the security perimeter to their personal electronic media and their home computers. It is highly probable that the Chinese will attempt to collect more information on the victims in order to fine-tune their knowledge of their intelligence collection targets.
But expectations that OPM will take any meaningful action in treating this attack as a national security threat are fading. No one has been fired, and only one official has resigned. Meanwhile, the agency is spending hundreds of millions of dollars on a solution that addresses only a small part of the problem for a short period of time. The larger national security implications remain unaddressed.
It is time for the administration to treat the compromise of this sensitive data as the national security threat it is and to implement a much more comprehensive response to assist all personnel affected by this breach. Accountability starts at the top.
David R. Shedd, a former acting director of the Defense Intelligence Agency, is a visiting distinguished fellow in The Heritage Foundation’s Davis Institute for National Security and Foreign Policy.