Written byDan Verton
The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.
The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30 day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.
“I don’t think there is recovery from what was lost,” said former CIA Director Michael Hayden, in a telephone interview with FedScoop. “It remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There’s no fixing it.”
According to Hayden and other former CIA officers, the data breach has created a massive counterintelligence threat that could easily last 40 years — until the youngest members of the federal workforce enter retirement.
“This isn’t about blackmail or bribery. This is knowledge about potential human intelligence targets,” Hayden said.
A former CIA officer, who spoke to FedScoop on background, agreed that the counterintelligence damage stemming from the data breach will last well beyond OPM’s cybersecurity remediation efforts. “You have provided the Chinese with the pool of contractors and employees who have access to classified information. This represents a target pool of possible recruitments with a list of their vulnerabilities,” the officer said. “Over time, the pool will be added to and people will leave thus making the information less valuable. In short, time will take care of some of the problems. But, what a mess.”
House Armed Services Committee Chairman Rep. Mac Thornberry, R-Texas, called the breach “a critical force protection and counterintelligence issue” for the Defense Department. “I am far from convinced that steps taken so far by OPM to mitigate the impact to civilian employees and their families are sufficient, nor am I confident the steps taken to protect information, employees, and their families in the future are adequate,” Thornberry said in a written statement.
What’s in the data?
The background investigation process for granting a federal employee a security clearance begins with a detailed questionnaire known as a Standard Form 86. The 121-page document includes detailed biographical information, residence and employment history, lists of family members, foreign travel and business activities, and detailed summaries of psychological and emotional health counseling the employee may have received.
The form also covers any interactions with police, use of illegal drugs and alcohol, detailed information on financial problems, and information on any unauthorized use of information technology systems. The form requires candidates to provide information for the past seven years. However, top secret security clearance investigations go back 15 years.
The size, scope and sensitivity of the OPM data breach also have major financial implications.
Richard A. Russell is a former senior national intelligence service executive who served in progressively responsible national security positions for more than 36 years before retiring in January 2015. According to Russell, the U.S. government has vastly underestimated the financial cost of providing identity theft monitoring.
At least four to five people will require monitoring for every non-married federal employee in the background investigation database, according to Russell. For those who have been married, or married more than once, the number of affected people is more like 12 to 14, he said.
“With those factors alone, the total number of people whose information is likely to be rolled up in the breaches would be in excess of 50 million,” Russell said. “Just doing the math suggests it could be higher: 19.7 million times four to 14 yields between 78.8 million and 275.8 million whose information is now in untrusted hands,” he said.
“This is about more than getting the numbers right. It’s about taking a true measure of what has happened and what must be done,” Russell said. “For some, the proposed protection would run out before their child enters the first grade in school. If a child is currently 20 years old, their risk will last between 50 and 70 years or longer.”