Forget what the Obama administration has been telling us about the hack of personal records of government employees. They told us that 4 million people had their records accessed and that military and intelligence employees were not at risk.
It turns out that there were 14 million current, retired, and former US government employees going back to the 1980s who had their personal lives exposed to the hackers. And most incredibly damaging of all, government employees who applied for a security clearance had those secrets exposed as well. The Chinese government now has information on some of our intelligence agents who have been treated for drug abuse, seen a psychiatrist, or been charged with a crime, along with any other sensitive personal information that could be used to recruit them as spies.
Deeply personal information submitted by U.S. intelligence and military personnel for security clearances – mental illnesses, drug and alcohol use, past arrests, bankruptcies and more – is in the hands of hackers linked to China, officials say.
In describing a cyberbreach of federal records dramatically worse than first acknowledged, authorities point to Standard Form 86, which applicants are required to complete. Applicants also must list contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant are required.
In a statement, the White House said that on June 8, investigators concluded there was “a high degree of confidence that … systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”
“This tells the Chinese the identities of almost everybody who has got a United States security clearance,” said Joel Brenner, a former top U.S. counterintelligence official. “That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”
The Office of Personnel Management, which was the target of the hack, did not respond to requests for comment. OPM spokesman Samuel Schumach and Jackie Koszczuk, the director of communications, have consistently said there was no evidence that security clearance information had been compromised.
The White House statement said the hack into the security clearance database was separate from the breach of federal personnel data announced last week – a breach that is itself appearing far worse than first believed. It could not be learned whether the security database breach happened when an OPM contractor was hacked in 2013, an attack that was discovered last year. Members of Congress received classified briefings about that breach in September, but there was no public mention of security clearance information being exposed.
Nearly all of the millions of security clearance holders, including some CIA, National Security Agency and military special operations personnel, are potentially exposed in the security clearance breach, the officials said. More than 4 million people had been investigated for a security clearance as of October 2014, according to government records.
The hack of government employees’ data is certainly bad enough. But as this Wired article points out, the real catastrophe is in the hacking of the form used in obtaining security clearances for the most sensitive jobs in government:
The 127-page SF-86 forms believed to have been accessed by the hackers also include financial information, detailed employment histories—with reasons for past terminations included—as well as criminal history, psychological records and information about past drug use.
Federal background checks, after all, are meant to suss out information that might be used by foreign enemies to blackmail a government staffer into turning over classified information. And that stolen information could be used for exactly that extortion purpose, says Chris Eng, a former NSA staffer and now VP of research at the security firm Veracode. If the breached background check information goes beyond the SF-86 form, it could even include detailed personal profiles obtained through polygraph tests, in which employees are asked to confess law breaking and sexual history. “They write it all down and it goes into your file. If OPM had any of that stuff, it could be super damaging. You’d know exactly who to go after, who to blackmail,” Eng says. “It could be very damaging from a counterintelligence and national security standpoint.”
It turns out that the Office of Personnel Management didn’t even have a cyber security staff to speak of until 2013:
The OPM had no IT security staff until 2013, and it showed. The agency was harshly criticized for its lax security in an inspector general’s report released last November that cited its lack of encryption and the agency’s failure to track its equipment. Investigators found that the OPM failed to maintain an inventory list of all of its servers and databases and didn’t even know all the systems that were connected to its networks. The agency also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road.
This is nearly criminal negligence, given what’s at stake and the numbers of lives that would be affected by a breach.
Allahpundit quips “Who would have guessed that Healthcare.gov wouldn’t turn out to be the biggest tech disaster of the Obama presidency?” Interestingly, both the hack and the website disaster were the result of incompetence and stupidity.