Revelations of the Office of Personnel Management’s (OPM) massive data breach seems to get worse by the day.
Thursday we discussed that per the FBI, the number of people who’s personal data was compromised is upwards of 18 million. OPM’s estimates were around 4 million. In a hearing Thursday, it was revealed that OPM Director Katherine Archuleta hadn’t bothered to speak with the FBI about their numeric discrepancy. Archuleta was also unwilling to answer whether or not prescription and other sensitive health-related data was accessed by hackers.
The White House has also been implicated in this bottomless pit of fail. Wednesday it was disclosed the White House intentionally hid the extent of the OPM hack.
Friday, Fox News reported that according to a senior U.S. official, the data breach included access to “adjudication information;” information used to determine security clearances.
…The Daily Beast, citing a senior U.S. official, reported that the hackers, believed to be based in China, gained access to so-called “adjudication information,” sensitive facts compiled by U.S. investigators about government employees and contractors who apply for a security clearance. The “adjudication information” goes beyond what is required of employees filling out a routine clearance questionnaire, known as Standard Form (SF) 86. The Obama administration admitted earlier this month that information in those forms had been compromised by the hackers.
If the theft of “adjudication information” is confirmed, whoever carried out the hack would have access to a list of federal employees and contractors who are likely targets for blackmail or engagement in espionage against the United States.
“This is worse than [NSA leaker Edward] Snowden, because at least programs that were running before the leaks could be replaced or rebuilt,” a former U.S. intelligence official told The Daily Beast. “But OPM, that’s the gift that keeps on giving. You can’t rebuild people.”
The Daily Beast reports that the “adjudication information” includes the results of lie-detector tests, in which investigators press applicants to reveal deeply personal information. The topics for interrogation can and do include marital problems, drug and alcohol abuse, or an addiction to gambling.
For example, the report mentions one applicant who was reprimanded by his boss for accessing pornography on his work computer. Another, who had a clearance for over 25 years, had been engaging in an off-and-on affair with his college roommate’s wife.
…Generally, any adjudication reports about individual government employees that are made public keep the subject anonymous. However, the unredacted files are kept in the OPM’s adjudication records, which were compromised by the cyberattack. That, in turn, would give foreign spies the easy ability to put names to reports and use the information to their advantage.
Thursday, Rep. Will Hurd (R-Texas) penned an op-ed in the Wall Street Journal branding the federal government’s handling of data breaches hypocritical saying, “prevarication and hypocrisy are the federal government’s modus operandi when it comes to data breaches.”
Rep. Hurd’s experience as a CIA agent gives him unique insight on the OPM debacle:
If federal agencies wish to provide effective oversight of the private sector, then they should start by looking in the mirror. Despite clear warnings provided to the OPM, and its failure to heed them, no one has been held accountable.
This needs to be a watershed moment for cybersecurity in the federal government. Other agencies have the same problems as the OPM, deploying outdated legacy systems and exercising poor cyberhygiene. In the wake of this data breach, the heads of other agencies should pull out their own inspector-general reports and begin to address their vulnerabilities.
A strong message must be sent to the public and the employees of the federal government that we take cybersecurity seriously.
Earlier this year, I asked Gene Dodaro, the long-tenured head of the Government Accountability Office, if he could recall ever seeing any federal government employee fired for delays or cost overruns on IT projects. After a long pause, he could not name a single instance. This “do as I say, not as I do” culture runs rampant in Washington. Our government demands accountability from others but offers little itself.
Until the leaders of our federal agencies implement solid cybersecurity measures—such as strong authentication, network monitoring, state-of-the-art data encryption and robust system hygiene—we will continue to play catch-up to our highly sophisticated and well-funded adversaries. The refusal at the Office of Personnel Management to take responsibility and move swiftly to address significant deficiencies leads to only one conclusion. Accountability starts at the top. It’s time for a change in leadership at the OPM.
We couldn’t agree more.
Follow Kemberlee Kaye on TwitterDONATE
Donations tax deductible
to the full extent allowed by law.