Why this security breach is worse than all the others combined

During the week of June 8th, the Office of Personnel Management (OPM) announced that the records of all current and past US federal employees had been compromised. That includes standard employment information – address, social security numbers, etc – of over 4 million people ranging from a random forest ranger to US Cabinet members. (According to OPM, the President, Vice President, and Congress are not in these records but their staffs are.)

But it wasn’t until June 12th that OPM dropped the biggest bomb:

“The second OPM database that was breached contains sensitive background check information — called SF-86 data — that includes applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences and names of neighbors and close friends.” – source: Washington Post, June 12, 2015 [archive]

If you’re not familiar with the clearance process, congrats.

But as a person who is, it is not hyperbole to say that this is catastrophic.

women-children-wide

When most hacks occur – like Target or TJ Max – hackers get credit card numbers and can drain bank accounts, make fraudulent charges, and generally make someone’s life miserable.

Getting the SF-86 data is a whole other story.

When you’re applying for a job that involves any sort of security clearance, you have to fill out the SF-86 [download a pdf copy here]. In it, you have to give standard job-related information and then – to show that you’re not a security risk – provide information on the jobs you’ve had and the places you’ve lived for the past 10 years. This may include college information, legal issues, past drug use, relationships, and a variety of other things. Then you need to provide references for each of those places, jobs, schools, etc.

The goal is to determine if you are “reliable, trustworthy, of good conduct and character, and loyal to the U.S.” (That quote is from the top right column on the first page.)

So OPM (and sometimes your agency’s investigators) will use this information to learn everything about you and interview your references and research them to make sure they’re trustworthy enough to use as references. Then they ask the question:

Is there anyone else I should talk to?

Then they do the same one step further out and ask the same question. Their whole job is to find your dirty secrets, your problems, your issues, and then document the whole thing to assess you as a security risk.

And this is before the polygraph (if needed).

Now do you see the implications?

If someone just steals your identity, consider yourself lucky.

Stop and think about law enforcement and the intelligence agencies. There are the obvious ones that everyone thinks of – FBI, CIA, NSA – but there are literally dozens of others including but not limited to the Office of the Attorney General, Defense Intelligence Agency (DIA), Bureau of Alcohol, Tobacco and Firearms (ATF), Immigrations and Customs Enforcement (ICE), Drug Enforcement Agency (DEA), and even things like the Nuclear Regulatory Commission (NRC). Admittedly, that last one isn’t an intelligence service exactly but they still deal with sensitive information.

Whoever took this data has all the relevant information on anyone (and their families and their friends) who has received a security clearance. Not some. Not parts. ALL.

If you’ve ever pissed off a criminal, annoyed a foreign government, put yourself in a dangerous situation (like undercover), or are in a position to be pressured or threatened, you are screwed. And yes, that does include me.

Oh.. and the kicker. OPM says this happened in December 2014.

UPDATE: On June 17th, I wrote a follow on blog post to this called “OPM Background Check Hack – A Different Angle” that you should read too.

21 thoughts on “Why this security breach is worse than all the others combined

  1. Further to the point, the Obama administration lost control of this information. It lost control by failure to secure and encrypt the information, the kind of error that would get a private sector company sued for negligence. There is no longer any credible way to distinguish your legitimate identity from a fraud, except by physical personal recognizance. The IRS can never again trust an income tax return. The Social Security (and related entitlement programs) can never know who they are paying. The banking system can never know whether it’s dealing with legitimate funds-transfer requests. The damage is wide-spread, long-term and incalculable.

    1. Let’s not politicize this, Ray. The security was no better in any previous administration; it was never top-drawer, heck it never rose to the level of adequate. For every person working within whatever guidelines/rules/procedures are put in place there are three who are sure it’s perfectly OK to go around them, “just this once.”

      So no one, Republican or Democrat, ever “lost control” of the information. The sad truth is no one, Republican or Democrat, ever *had* control of it in the first place.

      And so long as agencies like the FBI are allowed to rear up on their hind legs and demand methods to easily decrypt any data (as if there was a magic decryption key that could only be used by those whose motives were pure) no one ever will have control of it. Anything the Good Guys can do, the Bad Guys can do, too. Only minus the judicial review. Why is that so difficult for these people to understand?

      Solid data encryption is where it starts. No back doors, no side doors, no magic windows. And when we don’t have it, we’ll get things like this.

      Don’t know if I’m in that database. I’m ex-military, not civilian, and it’s been so long ago I don’t remember the form name. I do, however, remember I had to fill it out three times; the first two copies mysteriously disappeared. So this data theft business is probably not as recent a phenomenon as we’d like to think.

      1. This Administration has positioned themselves as the “most tech savvy” and forward thinking ever. Remember, Obama has a Blackberry!

        For them to claim that position and allow these issues to persist is criminal negligence.

        Or at least it would be for any private organization.

        1. Again…many “private” organizations, which aren’t private because they are on the stock market have gotten away with this time and again with little to no penalty.
          Take your silly anti-obamas diatribes to Faux news.

    2. Oh please, I actually work in IT security and one company after another has failed to do this in the most public ways and nothing has happened including nobody getting fired.
      You think this was done better under Bush? Are you really going to politics this in such an obvious and ignorant way?

      1. The Bush Administration never portrayed themselves and technically savvy, knowledgable, or connected.

        Then again, Obama did run on transparency.. I don’t know anything more transparent than this.

        1. Well, I have to give you that: particularly after the first year or so nobody expected competence from the Bush administration.

  2. Sorry, Arlen, it is political. A government entity coughed up the data. And government entities have demanded weaker encryption, while other government entities have not implemented stronger encryption (if any at all).

    All of this is the result of a lack of ability (doubtful) or lack of will (likely). And given the context, it is a lack of political will.

    Justice? There is just us.

  3. Mike; until each and every political leader can effectively “reboot”or rewrite the policies, standards, and methods used in its administration, it is not a political issue as much as it is a governmental issue. Each new administrator, if you will, can not reinvent the wheel and start from scratch. Part of the very nature of government is that it is an ongoing work in progress; sometimes there are aspects of the system that need change and updating, but given the immense number of what are at times very narrow and focused concerns, it is hardly possible to oversee government in its entirety to the degree that it is entirely foolproof. It is not a product but a process.

    1. Art,

      Yes, government (governing/governance) is a process. Each new administration does not have to re-invent the wheel. Laws and processes are in place when they arrive, and they are obligated to maintain those laws and processes.

      Part of that maintanance takes the form of evolutionary change, as circumstances may require. That the citizenry & their environs can ultimately compell change is something we get from English Common Law, etc.

      That the administration failed to meet its evolutinary obligations is a political one, not a governmental one. Party/partisan politics is the thing that has increasingly crowded out getting any real work done.

      Don’t confuse the people who abuse the system with the system itself.

  4. How do we know for sure that this actually happened? After all the lies and subterfuge we have been subjected to for the past several years, can we really believe this to be true? Might there be an ulterior motive in this? Just sayin’.

  5. perhaps now the government will be a bit more receptive to regular American’s concerns about all of their info and phone calls and emails being bulk stored and scanned by the government’s various security organizations. hopefully they can emphasize and see how as concerned as they are about this hack, many americans are about having their information sifted through as if they were criminals by the NSA, NRO, et all.

  6. The comments on the article have devolved into a pro and anti Obama political diatribe. “Obama is no worse than Bush who is no worse than Clinton… So don’t blame Obama”. Let me ask this simple question: with all of the high level hacking in governmental agencies and large corporations, wouldn’t it behoove any administration to verify that they are as secure with this information as is technically possible? I don’t care, one whit, under which administration this happened. I don’t care that “we are no worse than they were”. This, if true, is egregious and a disaster. Responsible leaders will take responsibility, apologize, fix the problem, and ensure that it is not likely to happen again.

    1. The thing you’re overlooking is that the vast majority of the government as a whole is run by people who are at best only barely able to check their email, let alone understand the full requirement of information security.

      I know, it sounds hard to believe, but I’ve seen execs in companies exhibit the same behavior, too (and it astounds me every single time I hear it, because I’m in full agreement with you — it doesn’t make sense to me that they’d willingly let something like this go, it seems completely counter to the organization’s best interest). It’s this idea that we don’t really need technology (because we ran just fine without it for decades or centuries, so we can go back to that if something happened), so it’s not a non-issue and a boogeyman excuse to get more money for something. Also, it’s a money sink for no provable value (because the nature of infosec requires you to think in terms of what’s saved, which isn’t “real” to these types of people).

      The fact that it’s a faceless threat makes it even more nebulous to them. Bin Laden was the perfect villain in that regard — he gave Al Qeada, and terrorism in general, a face. It makes garnering support and funding a lot easier, because it’s a lot more visible. It’s a “bad guy” that we can hunt down and put on trial in one form or another. It’s a fight with a definite ending and clear “winner.”

      I’m willing to bet that there were a number of engineers who have gone through the doors of the government’s IT offices and datacenters who have said repeatedly that this was a problem, and were stonewalled by management (and probably red tape) for the time and funding in order to get it properly audited and fixed before something like this happened. Most of these types of systems were built quite some time ago, when the attack vectors weren’t quite as sophisticated, and people didn’t yet know to think about certain parts of it. Technical debt was left to build up and no one ever wanted to repay it.

  7. *IF* the database was compromised by using a valid username and password and no amount of encryption would help. It’s really easy to break into a place when you have the keys.

Comments are closed.