Chinese Hack was Catastrophic, Government Won’t Admit

From David Auerbach writing at Slate:

Did we learn nothing from Edward Snowden? Or healthcare.gov? The federal government appears not to have. Last week it disclosed its discovery of a long-running and catastrophic breach of the Office of Personnel Management, one which resulted in the theft of 30 years’ worth of sensitive security-clearance, background-check, and personal data from at least 10 million current, past, and prospective federal employees and veterans.

The government didn’t merely reveal shoddy IT security on the part of its agencies and contractors. It also revealed unforgivable negligence, because OPM and the government had known about these security problems for two years, already suffered multiple breaches, and done little to nothing about them. While it’s premature to blame China, which may have perpetrated the hack, it’s rather too late to point the finger at the government and its disastrous contracting system. With healthcare.gov it merely wasted huge amounts of money on garbage; with the OPM hack it compromised national security simply out of bureaucratic inertia and laziness. No one ever accused Edward Snowden of releasing personnel data en masse, as happened here. In terms of sheer volume, Snowden’s National Security Agency leak appears to have nothing on the OPM breach.

Even OPM isn’t certain of the breadth of the hack, and the multiple intrusionsthat occurred beginning at least as early as March 2014 make it difficult to even pin down how many hacks and hackers there were. OPM has confirmed that millions of employees’ personal data were stolen but has not been more specific. In a letter sent June 11 complaining about lack of information, American Federation of Government Employees National President J. David Cox called one breach an “abysmal failure,” saying he has concluded the hackers obtained “every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more” from Central Personnel Data. It gets worse: OPM is tasked, among other things, with conducting background investigations for security clearances, so this isn’t merely a violation of the employees’ privacy but also a national security threat. Yet another breach was made against the SF-86 database, which stores the results of background checks, includinginformation on drug use, mental health, and applicants’ friends. All undercover employees whose information touched the OPM may have just had their cover blown. Former NSA senior counsel Joel Brenner called the material “a gold mine for a foreign intelligence service,” declaring, “This is not the end of American human intelligence, but it’s a significant blow.” (Points to the CIA, which refused to have anything to do with the OPM and thus kept its own employees’ information safe.) Calling this a “breach” is too modest. It’s a systemic failure of security. Worst of all, people inside and outside the OPM already knew that before the breach happened.

Read the rest of the story at Slate.