Under the Obama Administration the American public has come to accept IT snafus and data breaches as a relatively normal occurrence. For the most part we skim the headline, shrug our shoulders, mutter under our breath how terrible the federal government is at IT projects, and then move on to the big story of the day. But let’s just get it out there: The recent hack of the Office of Personnel Management is the big story.
All told, Chinese hackers were able to get their hands on the records of 18 million current, former and prospective federal employees, more than 4 times the 4.2 million that the Office of Personnel Management has publicly acknowledged. For reference, that is six percent of the entire population. And this is not just your garden variety information like name, phone number and Social Security number. No, there is a much bigger problem at hand than the risk of mass identity theft. What the hackers stole includes things like form SF-86. Don’t know what that is? Ryan Evans explains in the Washington Post:
My SF-86 contains my Social Security number, information about my credit history, my job history (including a dispute with a past employer), contact information for my closest friends and family in the United States and abroad, all non-Americans with whom I am close, a list of every foreign official I ever met, every place I lived and people who could verify that I lived there, and much more. If I had ever been arrested or had any history of drug abuse, I would have had to report that, too.
This form provides all sorts of information that could be used to recruit an individual as a spy. In fact, collecting such information is the whole point of the form. The U.S. government wants to assess the vulnerability to recruitment or blackmail of every person given access to classified information. Beijing may now have in its hands the most intimate details of the lives of the human beings responsible for generating and keeping our nation’s most sensitive secrets.
“If the SF-86’s associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people,” one U.S. official told ABC News on Sunday.
That’s an utter disaster with enormous national security implications. But it also reveals the disastrous state of our IT defense measures under the Obama Administration. According to reports, American intelligence agencies have been following several groups of Chinese hackers for more than five years, but lost the trail and failed to detect the hack into the Office of Personnel Management, which began more than one year ago.
“This was classic espionage, just on a scale we’ve never seen before from a traditional adversary,” one senior administration official said. “And it’s not a satisfactory answer to say, ‘We found it and stopped it,’ when we should have seen it coming years ago.”
In fact, they did see it coming. A 2009 report from the Office of Personnel Management noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.”
Indeed, the New York Times reports that sensitive personnel data “had been stores in the lightly protected systems of the Department of the Interior, because it had cheap, available space. . .” Unfortunately, the systems are not better in other agencies. The Times goes on to report that an audit found similarly lax security at the IRS, the Securities and Exchange Commission, the Energy Department, the Nuclear Regulatory Commission, and even the Department of Homeland Security.
Despite all of the glaring errors, highlighted through numerous reports and audits in recent years, the Obama Administration continues to be asleep at the switch.
Standing before Congress this week, Katherine Archuleta, the director of the Office of Personnel Management, said that she does not believe “anyone is personally responsible” for the massive breach. Instead, she blamed the hackers themselves.
“We have legacy systems that are very old,” Archuleta told Senate. “It’s an enterprise-wide problem. I don’t believe anyone is personally responsible.”
“If there’s anyone to blame, it’s the perpetrators,” she continued.
Sigh. If the best strategy the Obama Administration has it to blame hackers for wanting to hack then we’re in deep trouble. After all, if that’s really the mindset let’s just take all the money we’re using for network and data security and use it on campaigns to convince bad people to not be bad anymore. It doesn’t take a genius to figure out that would be a disaster. Then again, it appears we don’t have a genius at the helm of the Office of Personnel Management. Instead, we’ve got the former political director of Obama For America.