US Intelligence Community's Cavalier Attitude Towards OPM Hack

from the that-old-thing... dept

We've obviously written a few times now about the big OPM hack that was revealed a few months ago, in which it appears that hackers (everyone's blaming China for this) were able to get in and access tons of very, very private records of current and former government employees -- apparently including tons of SF-86 forms. Those forms must be filled out by anyone in a national security job in the government, and they basically require you to 'fess up to anything you've ever done that might, at some point, reflect badly on you. The basic idea behind it is that if you've already admitted to everything, then it makes it much harder for anyone to somehow blackmail you into revealing US national security secrets. But, of course, that also makes those documents pretty damn sensitive. And, by now, of course, you've heard that the Office of Personnel Management was woefully unprepared to properly protect such sensitive data.

Two recent statements made by top intelligence community leaders again should raise questions about why these guys have been put in charge of "defending" against computer attacks. First up, we have the head of the NSA, Admiral Mike Rogers. Back in August, we noted that Senator Ron Wyden had asked the National Counterintelligence and Security Center (NCSC) if it had even considered the OPM databases "as a counterintelligence vulnerability" prior to these attacks. In short: did the national security community that was in charge of protecting computer systems even realize this was a target? As Marcy Wheeler pointed out last month, Admiral Rogers more or less admitted that the answer was no:

After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.

NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.

In other words, the guy who is literally in charge of the "US Cybercommand" organization that is supposed to protect us from computer-based attacks didn't realize until after the hack that this might be a relevant target.

Then, fast forward to last week, where Rogers' boss, Director of National Intelligence James Clapper, testified at a Congressional hearing about the hack. After admitting that CIA employees had to be quickly evacuated from China after the hack, he more or less said that the US shouldn't retaliate, because this was "just espionage" and that the US has basically done the same thing back to them. At least that's the implication of his "wink wink, nod nod" statement to the Senators:

Director of National Intelligence James R. Clapper Jr., testifying before the Senate Armed Services Committee, sought to make a distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”

And, he said, “We, too, practice cyberespionage and . . . we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.”

Now, he's actually making a totally valid point concerning what the US's response should be. Escalating this issue by hitting back at China isn't going to help anything. Rather, of course, the US government should have done a much better job protecting the information in the first place.

But when you look at these statements together, it shows the somewhat cavalier attitude of the US intelligence community towards actually protecting key US assets. And that's because the US intelligence community is -- as Clapper basically admits -- much more focused on hacking into other countries' systems. For a while now, people have questioned why the NSA should be handling both the offensive and defensive "cybersecurity" programs. The theory has long been that because the NSA is so damn good at the offensive side, it's better positioned to understand the risks and challenges on the defensive side. Yet, given that the NSA's overall mission is so focused on breaking into other systems, it seems that whenever the two conflict, the offensive side wins out and less is done to protect us. The simple fact that the US intelligence community is basically admitting that we do exactly these kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.

Reader Comments


  • Anonymous Coward, 5 Oct 2015 @ 9:43am

    I think it's pretty clear that the U.S. intelligence community does not handle protecting these sorts of things. Providing protection might be on a mission statement somewhere, but I bet they read mission statements about as often as they read the Constitution.

    Providing protection is boring and often requires interacting with people who aren't in the intelligence community. It doesn't win anybody commendations when they note that the "outsiders" (anybody who isn't in the intelligence community) went another month without getting hacked. Worse, if they actually tried to provide protection and failed, they'd look bad. Better not to try at all.

  • Ninja, 5 Oct 2015 @ 9:48am

    and it basically requires you to 'fess up to anything you've ever done that might, at some point, reflect badly on you

    Does it have to be updated? Clapper should add "lied to Congress under oath" and possibly "incompetent at job" (this last one seems to apply to Rogers too). But hey, wait, it already reflected badly on them and they are still employed! Never mind then.

  • aerilus, 5 Oct 2015 @ 10:29am

    "The basic idea behind it is that if you've already admitted to everything, then it makes it much harder for anyone to somehow blackmail you"

    if only the intelligence community could hold itself to the same standards it holds its staff to

  • Anonymous Coward, 5 Oct 2015 @ 11:41am

    Now that the secrets are in the hands of the Chinese...

    Without a big database of secrets the Chinese would have to investigate each and every individual to find blackmail material.

    Now that the database of secrets is in the hands of the Chinese, they could blackmail each and every one with threats to leak their dirty laundry to the American press: "We know what you did last summer".

    The only way to take this weapon out of the Chinese hands is to come clean on national television. Start with the highest ranks. Mr Clapper, you first please.

    • Anonymous Coward, 6 Oct 2015 @ 9:56am

      Re: Now that the secrets are in the hands of the Chinese...

      Now that the database of secrets is in the hands of the Chinese, they could blackmail each and every one with threats to leak their dirty laundry to the American press: "We know what you did last summer".

      The problem isn't just what each person provided on their SF-86, but what other people who were interviewed said that were recorded. All the data from interviews and other sources other than the SF-86 go into their database.

      OPM actually had a database that included more information than the individual being investigated knew or could have known. It is entirely possible that the OPM had information that could be damaging to the individual and their relationships with their family and friends than to the population as a whole. Unlike your credit report, there is a lot of information in the OPM database that you may not be aware of, which will be as much of a pressure than stuff in your record that you are aware of and freely gave over to the investigator (stuff that may not have enough evidence to prove, may be misinformed or wrong, etc.) Remember that neighbors are also interviewed, and unless you are very transparent with your neighbors and friends, there are likely assumptions they have made about you which aren't necessarily true or that you are aware of, and that may be just as much of a goldmine.

      Such is the problem when you create a snitch society...especially when the snitches become public.

      • GEMont, 9 Oct 2015 @ 12:28am

        Re: Re: Now that the secrets are in the hands of the Chinese...

        Not to worry.

        Everyone in the data base lied about themselves to get the job and the vetting agency that was supposed to background check them all, just pretended that they did.

        The whole data base is a crock of shit, and the fed knows it.

        Welcome to America. The land that Hollywood manufactured.

  • Rich Kulawiec, 5 Oct 2015 @ 11:43am

    Once again, a weapon that's really a target

    It never seems to occur to the folks who build such massively-useful databases that they're going to be just as massively-useful to adversaries when (not if) they're hacked. Whoever has a copy of this data is sitting on a how-to manual for exploiting US intelligence/military/diplomatic/etc. assets for the next several decades.

  • Anonymous Coward, 5 Oct 2015 @ 12:01pm

    If they provided adequate protection they would never have anything to exploit. Save for self created attacks which run the risk of being discovered as fake attacks.

  • Whoever, 5 Oct 2015 @ 12:48pm

    The Intelligence community are very good at protecting .....

    ... themselves.

    That's all they really care about at the upper levels of the NSA/FBI/CIA, etc.

  • Capt ICE Enforcer, 5 Oct 2015 @ 1:15pm

    RESIGNATION

    I now offer my resignation for complete failure of doing my job and wasting government funds. Hopefully the nation will forgive me for my lies and corruption. Oh shit, I just realized I am not James Clapper.

    • Anonymous Coward, 6 Oct 2015 @ 7:20am

      Re: RESIGNATION

      I just realized I am not James Clapper.

      No, but the first step to imitating an admitted liar and perjurer is to begin lying more routinely. Practice lying with a straight face to a mirror, then to friends and family. Once you can lie openly to Congress, you will be James Clapper in all but name. Then you can resign as him.

  • Anonymous Coward, 5 Oct 2015 @ 2:25pm

    We need more hay

    to hide our OPM needles in...

  • art guerrilla, 5 Oct 2015 @ 3:27pm

    here's unka sam's confession...

    we bomb hospitals...

  • Anonymous Coward, 5 Oct 2015 @ 3:39pm

    people who live in glass houses shouldn’t throw rocks.

    I wonder why Snowden and Manning didn't merit the same response.

  • Anonymous Coward, 5 Oct 2015 @ 10:42pm

    This is why the CISPA bill is bullshit. There was nothing preventing OPM (which is a government agency) from "sharing" information with... another government agency.

    Yet OPM still got hacked and completely compromised. What hope do private businesses have for CISPA saving their bacon from a similar fate?

    I estimate somewhere between 0.01% and not a snowball's chance in hell.

  • Personanongrata, 6 Oct 2015 @ 12:31pm

    Asshats in Wonderland

    The simple fact that the US intelligence community is basically admitting that we do exactly these kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.

    News flash the US intelligence community is not very intelligent.

  • ralewi1, 6 Oct 2015 @ 1:00pm

    In short, "Not my yob"

    Here's why the intelligence community appears "cavalier" regarding the OPM data theft:
    OPM doesn't fall under the intelligence community.
    The OPM website is in the .gov TLD, which is not defended by USCYBERCOM, which defends .mil. NSA and USCYBERCOM have the talent to help secure .gov, when requested, but it is not their responsibility. The responsible agency for securing .gov is the Department of Homeland Security.
    ADM Rogers and Director Clapper have a limited stake in this event, and would be wrong to fire shots at their counterparts in other agencies, in public.

    • John Fenderson, 7 Oct 2015 @ 7:22am

      Re: In short, "Not my yob"

      This argument might have some weight if those very agencies weren't constantly talking about how they should be the ones to "defend" the entire internet in the US.

  • Jon M.Kelley, 10 Oct 2015 @ 4:29pm

    All the Lonely People

    On Thursday 09Jul2015, OPM posted a news release: "OPM Announces Steps to Protect Federal Workers and Others From Cyber Threats". One of the paragraphs in Director Archuleta's release states that fewer than 1.8 million of the 19.7 million applicants had or have a spouse or co-habitant. To put it another way, over 91% or 17.9 million of the applicants were single (not married or co-habitating) during the past 15 years (2000 to 2015). What a lonely life most of these people lead.



    https://www.opm.gov/news/releases/2015/07/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats/

    "...Analysis of background investigation incident. Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected. The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM's systems..."

    Note of personal bias: My information is in that pot, but I have a spouse, as do most of my co-workers.

    Where do all of these lonely people live?


