Last week, the Office of Personnel Management announced that the security clearance background information (the dreaded SF-86 form) was compromised. I wrote about it in “Why this security breach is worse than all the others combined” and considered the implications of it.
But this snippet from Arstechnica made me think of something else:
A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root.”
My thinking – and most articles I’ve read – has been what could be taken and mis-used from the hack.
But what if we’ve been thinking of it from the wrong direction?
What if access wasn’t used to leak information but to create and change it?
The implications are terrifying, since this information was compromised:
Any clearances granted may have been based on fabricated information.
Any clearances denied may have been based on fabricated information.
Now foreign governments don’t need to employ time-consuming or expensive signals or human intelligence. It is cheaper, faster, and far more effective to just have their agents apply for the job. If something problematic comes up in the investigation, you simply delete or edit it.
In fact, if they really want to make sure their agent gets the job, they could taint the other candidates to force them to fail.
Other than the OPM investigator(s) directly involved in the case, there would be few people – if anyone – who could notice the changes.
The simplicity is genius.
The FBI agent, Immigrations and Customs Enforcement (ICE) officer, or that janitor at the nuclear power plant may not be the person you believe them to be.
Last time I said “you are screwed,” but now I’ll upgrade that to “we’re all screwed.“