Monday, June 08, 2015

The Mother Lode

Take a look at this: it's the Standard Form 86, also known as the Questionnaire for National Security Positions.  Anyone who has ever held a security clearance knows it well; it must be completed by anyone seeking a clearance, or updating one that is already active.

At 127 pages (including instructions), the SF 86 is voluminous, asking applicants to describe virtually all aspects of their lives: where they have lived, employment history, friends and associates, military service, schools attended, foreign travel, financial interests, foreign contacts, and drug and alcohol abuse (to name a few).  All must be listed on the form, creating a road map for the Office of Personnel Management (OPM).  Not only did OPM create the form; it is also responsible for 95% of all federal background investigations, covering 100 different federal agencies.  When someone applying for a clearance completes the SF 86, a copy goes to their current or prospective employer, while another goes to OPM.

And that's why last week's data breach at the agency--reportedly conducted by Chinese hackers--represents such a grave threat to national security.  Never before has a U.S. adversary obtained so much information about so many people in positions with access to classified information.  It's Christmas morning for a spymaster; need to recruit American "insiders" who might be willing to pass on sensitive information?  Just convert the OPM security clearance files into a searchable database; in very short order Chinese intelligence will have the names, addresses and other contact information of potential turncoats who might be willing to betray their country for financial gain, ideology or other reasons.

Looking for someone with family ties to a foreign power, say the PRC?  It's on the SF 86.  Hoping to recruit someone with an existing clearance who is burdened by a mountain of debt?  You can glean that information from the OPM files as well.  Searching for a potential spy who is working on a specific program at a designated federal agency or defense contractor?  You can start identifying potential candidates by comparing their reported information to other data associated with the program.

And this should come as no surprise: the OPM breach was a disaster waiting to happen, according to a recent report in The New York Times:

The inspector general at the Office of Personnel Management (OPM), which keeps the records and security-clearance information for millions of current and retired federal employees, issued a report in November that essentially described the agency’s computer security system as a Chinese hacker’s dream.

By the time the report was published, Chinese hackers had already downloaded tens of thousands of files on sensitive security clearances and were preparing for a much broader attack that obtained detailed personal information on at least 4 million current and former government employees. The agency is still struggling to patch vulnerabilities.

A number of Obama administration officials painted a picture of a government office struggling to catch up, with the Chinese ahead at every step.

OPM did not possess an inventory of all the computer servers and devices with access to its networks. It did not require anyone accessing information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”

The problems were so severe for two systems that hosted the databases used by the Federal Investigative Service — which does background investigations for officials and contractors who are issued security clearances — that the inspector general argued for temporarily shutting them down because the security flaws “could potentially have national security implications.”

Despite these alarm bells, the OPM soldiered on with its vulnerable systems, and the Chinese took full advantage.  The NYT reports that PRC-based hackers first targeted the security clearance information database last summer; when that effort proved successful, they mounted a second, much larger attack in December, but the scope of the penetration was not discovered until April.   

Now in damage control mode, the Office of Personnel Management is promising to implement a two-step encryption system and is offering free credit monitoring to current and former federal employees who may be affected by the breach.  Of course, that's tantamount to fixing the broken barn door after the horse is already gone.  While some of the personal information stolen in the attack will wind up with identity thieves (providing cover for the PRC government), most of the data will remain with China's intelligence services, for use in future recruitment operations.

Ultimately, the number of spy cases rooted in the OPM breach will be relatively small--in comparison to the amount of information that was compromised.  Not that Beijing is really concerned; given the opportunity to cast a wide net, they took it, realizing OPM's security failures were providing a broad view of who has access to the nation's secrets, and who among those individuals might become a potential asset.

One more prediction: no one at OPM will lose their jobs over this debacle.  The director might be reassigned, but the rank-and-file bureaucrats will remain with the agency, sustaining the same level of unsatisfactory performance.  This follows the example of recent personnel actions at TSA, where the agency director was moved to another post after it was learned that security personnel missed 95% of all weapons and explosives being "smuggled" onto planes in training exercises.  

Until federal incompetents are fired--and stripped of pensions and other benefits--disasters like those at OPM and TSA will continue.  As we've noted before, there is virtually no accountability in the federal system.  Managers and executives engage in behavior that is negligent or criminal and most receive nothing more than early retirement and a fat government pension.  

More disturbingly, the Obama Administration has developed a neat trick to explain away virtually any bureaucratic snafu.  Whatever the problem, whether it's an AMTRAK train that crashes at 106 mph (on a curve rated for 50), or a sensitive computer network with less security than, the problem isn't the engineer or the managers in charge; it's a lack of spending on infrastructure.  If we had only allocated more millions--or billions--the accident or security breach would have been prevented.

Rubbish.  At OPM, AMTRAK or any other federal agency, it's up to management to set priorities and fund them.  Apparently, the vulnerability of OPM's personnel databases was an open secret, yet no one was in a hurry to fix the problem.  The agency kept grinding along, and we'll assume that managers kept collecting the bonuses.  After all, it's the federal way.  And when China's Ministry of State Security (MSS) recruits a high-ranking American to give away our crown jewels, no one will bother to connect it to OPM, and the utter ineptitude that opened the door.                      



Neil said...

Think about what might happen to a federal investigator who is on the trail of a Chinese spy. He might find his personal information suddenly used to destroy his credit, empty his bank account, repo his car and house, etc. Distracting, yes?

We may as well dismiss the entire NSA and CIA and start over again.

Mick Kraut said...

"The inspector general at the Office of Personnel Management (OPM), which keeps the records and security-clearance information for millions of current and retired federal employees..."

This is understating it significantly. I keep reading headlines and ledes claiming that this is affecting "Federal employees" as if to say that it is only affecting Federal employees or Federal retirees.

That simply is not true.

OPM handles the background investigations for Federal employees and for government contractors as well. So if you've worked as a government contractor and never as a government employee, and either had a periodic re-investigation or an initial clearance performed, then most likely your records were part of the haul the Chinese just made off with. I saw someone on "background" say that they think that everyone who has held a clearance since 1982 was included in the records that China extracted.

So the scope of this is far beyond "Four million Federal employees and retirees": you are dealing now with not only cleared Federal personnel but also the contractors that support them. Langley, the Pentagon, every US military base worldwide
...Dept of State
...Dept of Energy

This is a massive breach - a debacle on every level...The CI implications are staggering and woefully under-reported...

SwampWoman said...

Hunh. Since SwampMan and I have both worked as Federal contractors in the past (once, before we decided it was too much of a pain in the butt), I suppose our records were in there somewhere, as were those of all of our employees at the time. I also worked for a governmental department for a short period of time as an employee before I decided it was too big of a pain in the butt, too. I wonder if my assessment of the governmental department that I worked for is in there someplace (a CF of incompetence orders of magnitude above any in which I had come across outside the government).