Future Tense

The OPM Breach Is a Catastrophe

First the government must own up to its failure. Then the feds should follow this plan to fix it.

Photo illustration by Slate. Photos by Gary Cameron/Reuters iStock/Thinkstock.

Did we learn nothing from Edward Snowden? Or healthcare.gov? The federal government appears not to have. Last week it disclosed its discovery of a long-running and catastrophic breach of the Office of Personnel Management, one which resulted in the theft of 30 years’ worth of sensitive security-clearance, background-check, and personal data from at least 10 million current, past, and prospective federal employees and veterans. The government didn’t merely reveal shoddy IT security on the part of its agencies and contractors. It also revealed unforgivable negligence, because OPM and the government had known about these security problems for two years, already suffered multiple breaches, and done little to nothing about them. While it’s premature to blame China, which may have perpetrated the hack, it’s rather too late to point the finger at the government and its disastrous contracting system. With healthcare.gov it merely wasted huge amounts of money on garbage; with the OPM hack it compromised national security simply out of bureaucratic inertia and laziness. No one ever accused Edward Snowden of releasing personnel data en masse, as happened here. In terms of sheer volume, Snowden’s National Security Agency leak appears to have nothing on the OPM breach.

Even OPM isn’t certain of the breadth of the hack, and the multiple intrusions that occurred beginning at least as early as March 2014 make it difficult to even pin down how many hacks and hackers there were. OPM has confirmed that millions of employees’ personal data were stolen but has not been more specific. In a letter sent June 11 complaining about lack of information, American Federation of Government Employees National President J. David Cox called one breach an “abysmal failure,” saying he has concluded the hackers obtained “every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more” from Central Personnel Data. It gets worse: OPM is tasked, among other things, with conducting background investigations for security clearances, so this isn’t merely a violation of the employees’ privacy but also a national security threat. Yet another breach was made against the SF-86 database, which stores the results of background checks, including information on drug use, mental health, and applicants’ friends. All undercover employees whose information touched the OPM may have just had their cover blown. Former NSA senior counsel Joel Brenner called the material “a gold mine for a foreign intelligence service,” declaring, “This is not the end of American human intelligence, but it’s a significant blow.” (Points to the CIA, which refused to have anything to do with the OPM and thus kept its own employees’ information safe.) Calling this a “breach” is too modest. It’s a systemic failure of security. Worst of all, people inside and outside the OPM already knew that before the breach happened.

We don’t know quite yet exactly how it happened or who did it, despite some eager gestures at China. The government is currently saying we may never know, since it took so long to notice the hack that the access logs have already been deleted. Oops. We do know that the security failings of OPM were no secret. An audit report from last November upgraded OPM’s security troubles from “material weakness” to “significant deficiencies”; a more recent report details the discovery in 2013 of “persistent deficiencies in OPM’s information system security program,” including “incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones.” Those watered-down words have damning implications: They respectively mean that (1) sensitive data was not secured, (2) security measures were not even tested to make sure they worked, and (3) OPM was unsure even of how to fix these problems. Those deficiencies had not been fixed as of April, and it’s unlikely they’ve been fixed in the two months since.

As Sean Gallagher has reported in Ars Technica, the security situation at OPM was a disaster. The dynamic at play is similar to the early failures of healthcare.gov, with incompetent contractors overcharging for poor work that the government was unwilling or unable to object to. One contractor, USIS, was terminated last year due to a large security breach affecting 27,000 Department of Homeland Security employees, as well as its alleged defrauding of the government by “dumping” more than a half-million background checks without actually conducting them (possibly including Edward Snowden’s and Navy Yard shooter Aaron Alexis’). Only four months passed before USIS’s replacement, KeyPoint, was also hacked, with 50,000 workers’ data stolen last December. I don’t even have space here to cover all the known breaches. Krebs on Security has chronicled the rough timeline of vulnerabilities and hacks, which is enough to convince anyone that a breach of this magnitude was inevitable unless the government had taken aggressive countermeasures. It evidently didn’t.

The government left the keys in the ignition with the engine running and the door unlocked. Snowden at least exerted some discretion in what he leaked, unlike the OPM hack, in which everything must be assumed to have been compromised. As usual, to the government it’s anyone’s fault but its own: China, KeyPoint, the heavy background-check workload. The FBI is constantly asking for back doors into other people’s encryption, while it can’t keep its own front doors locked. It’s as if Apple had turned around after the nude-photo breaches and increased its iPhone fees for new, unspecified “security features.”

It doesn’t have to be this way. When Google was hacked by China, the incident spurred an immediate and forceful push to lock down access to make sure that sort of thing could not happen again. (Disclosure: I used to work for Google and my wife still does.) Fast Company’s badly timed puff piece about the Obama administration’s “stealth startup”—“They are screened not only for IQ, but for EQ” went one actual sentence—focused primarily on the group’s work on improving government Web forms, suggesting that the administration’s IT reform priorities might have been slightly askew. And the “cybersecurity sprint” currently in progress is insufficient. Instead of one that merely appropriates the argot of Silicon Valley, we need a government security “surge” much in the way the healthcare.gov surge managed to get the site into relatively working order in a month’s time. Outsiders must be deputized to audit the systems, brutally assess their failings, and put together an aggressive plan to both find existing breaches (who knows what’s still lurking in OPM’s systems right now?) and prevent further ones. Every government agency should be subject to an outside cybersecurity audit, and I include the NSA in that. Contractors like KeyPoint should be cut off at the knees. And Republicans deserve no benefit of the doubt; they abandoned any call for reform as soon as the short-term point-scoring opportunity of healthcare.gov evaporated. This is a systemic problem. And unless drastic changes are made, breaches will keep happening.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.