As most everyone has heard by now, the Office of Personnel Management (OPM) data systems were hacked sometime during the last 18 months, and a whole lot of people’s personal information was copied out. The estimates on how many “a whole lot” is have changed, and frankly I don’t trust any government numbers, but OPM now says that it was “as many as” 14 million people.
When I say “personal information,” by the way, I’m not just talking about Social Security numbers and names.
Some of the data exposed was from the background investigations of people with security clearances, collected with Standard Form 86. This form is nearly 150 pages long, and it collects everything — where you’ve lived, where you’ve worked, who you know. For high-level clearances, it is then supplemented with a background investigation that looks at your credit, your potential police record, and interviews with people whom you identified on the form, and other people who show up by being connected to those people.
The investigation is a beast. I had one in the early ’80s, and I got phone calls for months asking if I knew the “FBI” was asking questions about me.
Usually when someone in the press has their hair on fire, I write about how the excitement is being exaggerated. But this time I can’t: this hack is a real problem.
There are a number of articles out there about how serious it is; I’ll let them explain it if you’re interested, as I find it too depressing. Basically, the Chinese — if it was the Chinese — now have the name, address, phone number, Social Security number, bank account information, and personal history of everyone who has a current security clearance, and everyone who had such a clearance for a good long while into the past.
The real question to ask is how this happened. Reduced to its simplest terms, the issue with security — computer or otherwise — is simply this: make sure no one who isn’t authorized to see some data is able to see the data.
Back in the days B.C. — Before Computers — this was managed in fairly simple ways. The information, on paper, was stored in safes and vaults, and people were cleared to see it. It always comes down to a question of trust: can a person who is responsible for keeping the secret reasonably believe they can safely allow someone else to see that information?
When computers got involved, the question of trust stayed almost the same. With computers, the question is: can the responsible person trust the computer system enough to delegate the authority to disclose the information and be confident no one is going to access that information who isn’t authorized to see it?
I wrote about this quite a lot back when Ed Snowden was at the top of the news, so I’m going to resist the urge to repeat myself — I’m not getting paid by the word here — and instead urge you to read “L’affaire Snowden and (Computer) Security,” where I go at some length into the whole structure of security classification. The point is that there is a very well-defined structure to how information is to be protected.
What you should do to build a system handling confidential data is to think out what the possible attacks are and build safeguards against them. What we got is something else, and even from public data, I can tell you why that is: because good computer security is an expensive pain in the ass.
Every one of the safeguards you might want has a cost. Using cleared people to manage data is expensive, storing data in encrypted form is expensive, using something stronger than simple passwords to make sure you have identified your users correctly is expensive, and annoying.
Someone, somewhere, decided that they didn’t want to spend the money: undoubtedly they had budget constraints.
So the sensitivity of the data wasn’t properly identified, passwords were used instead of a stronger scheme, the systems involved had “superuser” or “root” accounts that by definition have access to everything, and the users who had access to those root accounts were Chinese nationals in China, who — I think we can fairly say — didn’t meet the U.S. government’s standards for computer security.
Perhaps the biggest issue of all is that the government had centralized the collection of that data into a single web-based system, e-QIP, which means that all this data was collected in one place.
I would bet money that each of these decisions came down to someone saying: “Oh, that’s too hard,” “Hiring offshore workers is cheaper,” “That’s too inconvenient.”
At each of those steps, some security was lost because someone decided it was easier to relax the requirements than to get the more expensive and annoying solution. And while the inspector general was calling out the hazards, no one was willing to rock the boat.
We ended up with a situation that everyone understands is really dangerous, but where no one decision can be blamed.