Commentary: OPM breach leaves threats hidden in plain sight
The data breach of the Office of Personnel Management could affect more than 20 million Americans. Yet the true magnitude of this breach lies not in the number of individuals affected, but in the seemingly infinite ways it has compromised our national security.
The risk of widespread identity theft or other uses of personally identifiable information for financial gain is not to be taken lightly. But, in my view, it pales in comparison to how it has jeopardized our national security workforce, both in government and the private sector, and degraded the integrity of our security clearance system. Quite simply, it is a national security risk unlike any I’ve seen in my 50 years in the intelligence community.
To those familiar with the tradecraft, the breach has all the hallmarks of a counterintelligence operation, targeting the background investigations of current, former and prospective security clearance holders. The Standard Form 86 (SF-86) — submitted by all applicants seeking a national security clearance — is about the most comprehensive and invasive collection of information on a person’s life, including criminal, financial and health records and relationships with family members, neighbors, co-workers and foreign contacts.
Given the exploits available to an adversary with security clearance data, it is no wonder OPM’s networks were a prime target of foreign intelligence services. It is commensurate with years, even decades, of operational research by our adversaries to identify individuals with access to classified information who could be susceptible to coercion or leveraged by other means to perform their duties in less than full faith.
And we should be just as worried about what the perpetrators likely put on OPM’s networks as the data they extracted.
By gaining administrative access to OPM’s networks, the perpetrators had the ability to not only steal data as it existed, but even alter, delete and replicate records of current security clearance holders. With 20 million SF-86s as a template, they could emulate authentic security clearance credentials for clandestine operations with unparalleled precision. The possibility such actions were taken casts doubt on the integrity of our entire security clearance system.
Federal government employment and security clearance practices are dependent upon trust in data integrity. Our nearly universal practice is to validate one source of information (such as an application) against stored information (the Social Security Administration). An adversary with access to source data, as was the case with this breach, would be able to withstand a great deal of digital scrutiny and more easily penetrate our systems for access, employment or virtually any purpose they choose. A foreign agent may have surreptitiously obtained security clearance bona fides, and we cannot, at this point in time, prove otherwise.
While the implications are dire, I am optimistic that a multifaceted response to the breach and its fallout, with participation by government in partnership with the private sector, is achievable. This is not the government’s problem alone to solve, and these are steps they can take together.
- Restore data integrity to the background investigations database. The manipulation of this database could include the alteration of clearances or the deletion of records as a means of disrupting our workforce and obfuscating the insertion of falsified records. Today, the only sound practice is the sequestration of data until confidence can be restored and the entirety of these records can be revalidated and verified. Anything less falls short of the data integrity our security clearance system relies upon.
- Ensure security of the OPM networks. Until we can be certain that false records or “back doors” — sophisticated programming to maintain monitoring or disruption capabilities — were not left on the network, damage remains to be done.
- Enhance continuous monitoring and evaluation of cleared personnel. Our national security workforce has never been more vulnerable to blackmail or coercion, which puts government employees, as well as their family members and close associates, in harm’s way. In response we should provide training to identify and report apparent overtures by foreign agents, offer support to those who feel their personal histories place them at higher risk of being targeted, and be vigilant to identify suspicious insider behavior immediately.
- Incorporate private sector and intelligence community information architectures into OPM’s network security plans and records governance. One reaction to this breach is to call for returning the personnel records of intelligence officers to their own agencies. As chairman of the INSA Security Policy Reform Council, which has worked for more than five years on how to make our security clearance process more integrated and efficient, I believe this could be a step back from the reciprocity of clearances that we need across government. However, there is clearly room for OPM or another organization to more effectively replicate the cybersecurity architecture and information protection policies implemented on classified networks in government and the private sector to protect personnel data.
- Assume a stronger cyber deterrence posture. This breach changes the game completely, and has officials acknowledging that we must do more to deter such attacks. Left unsaid is that the best defense must at least include robust offensive capabilities. We should not be shy to say so, and provide the clear direction, authorities and resources to our intelligence agencies to enhance human and technical collection against our adversaries in cyberspace.
Let this breach be a touchstone for lasting and significant public-private collaboration to bolster our nation’s cybersecurity resiliency. Possibly the worst thing we can do is follow routine breach protocols and continue with business as usual. At a minimum, an independent review needs to be done as soon as possible to fully assess the damage and make recommendations.
Beyond OPM, there are other agencies that are stewards of sensitive data that must remain beyond the reach of those who would do us harm. The Food and Drug Administration and the Centers for Disease Control and Prevention are but two civilian agencies whose data, in the wrong hands, could endanger thousands, even millions, of Americans. Can we afford to wait until it’s too late again?
We must candidly acknowledge the severity of these attacks and the sophisticated targeting risks they present – now and into the foreseeable future – and accept the responsibility to mitigate the consequences today.
Charles Allen is chairman of the Security Policy Reform Council at the Intelligence and National Security Alliance, and principal at The Chertoff Group. He is a former undersecretary for intelligence & analysis at the Department of Homeland Security and served in the CIA for more than four decades.