US Intelligence Community's Cavalier Attitude Towards OPM Hack
from the that-old-thing... dept
We've obviously written a few times now about the big OPM hack that was revealed a few months ago, in which it appears that hackers (everyone's blaming China for this) were able to get in and access tons of very, very private records of current and former government employees -- apparently including tons of SF-86 forms. Those forms are required to be filled out for anyone in a national security job in the government, and it basically requires you to 'fess up to anything you've ever done that might, at some point, reflect badly on you. The basic idea behind it is that if you've already admitted to everything, then it makes it much harder for anyone to somehow blackmail you into revealing US national security secrets. But, of course, that also makes those documents pretty damn sensitive. And, by now of course you've heard that the Office of Personnel Management was woefully unprepared to properly protect such sensitive data.
Two recent statements made by top intelligence community leaders again should raise questions about why these guys have been put in charge of "defending" against computer attacks. First up, we have the head of the NSA, Admiral Mike Rogers. Back in August, we noted that Senator Ron Wyden had asked the National Counterintelligence and Security Center (NCSC) if it had even considered the OPM databases "as a counterintelligence vulnerability" prior to these attacks. In short: did the national security community that was in charge of protecting computer systems even realize this was a target? As Marcy Wheeler pointed out last month, Admiral Rogers more or less admitted that the answer was no:
After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.
NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.
In other words, the guy who is literally in charge of the "US Cybercommand" organization that is supposed to protect us from computer-based attacks didn't realize until after the hack that this might be a relevant target.
Then, fast forward to last week, where Rogers' boss, Director of National Intelligence James Clapper, testified at a Congressional hearing about the hack. After admitting that CIA employees had to be quickly evacuated from China after the hack, he more or less said that the US shouldn't retaliate, because this was "just espionage" and that the US has basically done the same thing back to them. At least that's the implication of his "wink wink, nod nod" statement to the Senators:
Director of National Intelligence James R. Clapper Jr., testifying before the Senate Armed Services Committee, sought to make a distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”
And, he said, “We, too, practice cyberespionage and . . . we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.”
Now, he's actually making a totally valid point concerning what the US's response should be. Escalating this issue by hitting back at China isn't going to help anything. Rather, of course, the US government should have done a much better job protecting the information in the first place.
But when you look at these statements together, it shows the somewhat cavalier attitude of the US intelligence community towards actually protecting key US assets. And that's because the US intelligence community is -- as Clapper basically admits -- much more focused on hacking into other countries' systems. For a while now, people have questioned why the NSA should be handling both the offensive and defensive "cybersecurity" programs. The theory has long been that because the NSA is so damn good at the offensive side, it's better positioned to understand the risks and challenges on the defensive side. Yet, given that the NSA's overall mission is so focused on breaking into other systems, it seems that whenever the two conflict, the offensive side wins out and less is done to protect us. The simple fact that the US intelligence community is basically admitting that we do exactly these kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.
Filed Under: admiral mike rogers, china, cybersecurity, james clapper, nsa, opm, opm hack, surveillance, us cyber command
Reader Comments
Providing protection is boring and often requires interacting with people who aren't in the intelligence community. It doesn't win anybody commendations when they note that the "outsiders" (anybody who isn't in the intelligence community) went another month without getting hacked. Worse, if they actually tried to provide protection and failed, they'd look bad. Better not to try at all.
[ link to this | view in chronology ]
Does it have to be updated? Clapper should add "lied to Congress under oath" and possibly "incompetent at job" (this last one seems to apply to Rogers too). But hey, wait, it already reflected badly on them and they are still employed! Never mind then.
[ link to this | view in chronology ]
If only the intelligence community could hold itself to the same standards it holds its staff to.
[ link to this | view in chronology ]
Now that the secrets are in the hands of the Chinese...
Now that the database of secrets is in the hands of the Chinese, they could blackmail each and every one with threats to leak their dirty laundry to the American press: "We know what you did last summer".
The only way to take this weapon out of the Chinese hands is to come clean on national television. Start with the highest ranks. Mr Clapper, you first please.
[ link to this | view in chronology ]
Re: Now that the secrets are in the hands of the Chinese...
The problem isn't just what each person provided on their SF-86, but what other people who were interviewed said that were recorded. All the data from interviews and other sources other than the SF-86 go into their database.
OPM actually had a database that included more information than the individual being investigated knew or could have known. It is entirely possible that the OPM had information that could be damaging to the individual and their relationships with their family and friends than to the population as a whole. Unlike your credit report, there is a lot of information in the OPM database that you may not be aware of, which will be as much of a pressure than stuff in your record that you are aware of and freely gave over to the investigator (stuff that may not have enough evidence to prove, may be misinformed or wrong, etc.) Remember that neighbors are also interviewed, and unless you are very transparent with your neighbors and friends, there are likely assumptions they have made about you which aren't necessarily true or that you are aware of, and that may be just as much of a goldmine.
Such is the problem when you create a snitch society...especially when the snitches become public.
[ link to this | view in chronology ]
Re: Re: Now that the secrets are in the hands of the Chinese...
Everyone in the data base lied about themselves to get the job and the vetting agency that was supposed to background check them all, just pretended that they did.
The whole data base is a crock of shit, and the fed knows it.
Welcome to America. The land that Hollywood manufactured.
[ link to this | view in chronology ]
Once again, a weapon that's really a target
[ link to this | view in chronology ]
The Intelligence community are very good at protecting .....
That's all they really care about at the upper levels of the NSA/FBI/CIA, etc.
[ link to this | view in chronology ]
RESIGNATION
[ link to this | view in chronology ]
Re: RESIGNATION
[ link to this | view in chronology ]
We need more hay
[ link to this | view in chronology ]
here's unka sam's confession...
[ link to this | view in chronology ]
I wonder why Snowden and Manning didn't merit the same response.
[ link to this | view in chronology ]
Yet OPM still got hacked and completely compromised. What hope do private businesses have for CISPA saving their bacon from a similar fate?
I estimate somewhere between 0.01% and not a snowball's chance in hell.
[ link to this | view in chronology ]
Asshats in Wonderland
News flash: the US intelligence community is not very intelligent.
[ link to this | view in chronology ]
In short, "Not my yob"
OPM doesn't fall under the intelligence community.
The OPM website is in the .gov TLD, which is not defended by USCYBERCOM, which defends .mil. NSA and USCYBERCOM have the talent to help secure .gov, when requested, but it is not their responsibility. The responsible agency for securing .gov is the Department of Homeland Security.
ADM Rogers and Director Clapper have a limited stake in this event, and would be wrong to fire shots at their counterparts in other agencies, in public.
[ link to this | view in chronology ]
Re: In short, "Not my yob"
[ link to this | view in chronology ]
All the Lonely People
https://www.opm.gov/news/releases/2015/07/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats/
"...Analysis of background investigation incident. Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected. The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM's systems..."
Note of personal bias: My information is in that pot, but I have a spouse, as do most of my co-workers.
Where do all of these lonely people live?
[ link to this | view in chronology ]