The Office of Personnel Management, or OPIE as I like to call them, has a leak problem. Why OPIE? Because, just like Opie from Andy Griffith Show days, they seem to be a naïve child trying to learn about the world rather than a professional organization highly capable of delivering effective and efficient services.
The “Office of Precious Information Exposure” has created the greatest personally identifiable information (PII) data breach in U.S. history, and that breach could have devastating impacts on our economy and the confidence of people in the U.S. when it comes to using online communications.
The difference between an incident and a disaster is the time it takes us to recognize what is happening and to take appropriate action. While our government leaders in the executive and legislative branches discuss and posture, the magnitude and scope of the brewing disaster is growing exponentially.
We have a crisis on our hands from several perspectives. If we do not act quickly, decisively and with the appropriate actions, we will perpetrate more harm than the originators imagined. We are watching an incident turn into a disaster right before our eyes — with a government incapable of taking the steps necessary to protect the citizens while everyone postures to protect themselves from blame.
“If we do not act quickly, decisively, and with the appropriate actions, we will perpetrate more harm than the originators imagined.”
Millions of Americans are shaken to their core because their most personal and closely held PII has been lost in a single event affecting possibly 40-to-50 million people. This while the government insists that only 4.2 million people are affected, trying perhaps to hold down the alarm?
The attack is both a cyber tsunami and, according to some descriptions, an act of war. But how did the adversary gain the advantage? Is it just an especially cunning plot? Or did we make decisions, in the name of saving a few bucks, over very strong objections of our professionals in the field, and lay the course for this disaster by our own hand?
Efficiency wins over security
From 1998 through 2000, a policy debate raged over streamlining personnel security across government. Previously, individual agencies held the information on those to whom they granted clearances. And the Defense Security Service, as well as individual agencies, had government employees — personnel security specialists — who conducted background investigations and adjudicators who reviewed background investigations with the concerns of those agencies taken into account.
“We need to reduce costs and consolidate these efforts” pronouncements rang through the halls of government, led by well-meaning but ill-informed political appointees.
The counter arguments still ring in my ears: “Our government personnel who conduct the investigations have two priorities: protecting national security, and protecting the employees’ personal information and careers.” So does the argument, “If you have contractors do this, their only concern will be making a dollar and they will take shortcuts, resulting in poorly done investigations and missing information which would alert adjudicators to problems.”
There were also arguments against moving everything to OPM. Because OPM was not a national security/intelligence agency, many doubted it would not take the same care to protect the highly critical and sensitive information about who held clearances and for what purpose. In addition, consolidating the security records of all government in one place was seen as “an invitation to adversaries” to exfiltrate the information through insider threat and actual theft.
So here we are today with the prophetic words from those security professionals whose contrary arguments were marginalized as we marched along the trail under the Clinton administration. It is ironic after an entire lifetime of working to protect the information the government said would make us vulnerable to adversaries, the government has “given the information away” through the very outcomes that were predicted — together with a general failure to adequately upgrade and protect information systems.
Whether it was an outsider who gained access through an insider (in this case a hacker) or even an insider threat does not really matter. The cyber hack of OPM is far more damaging to national security and the long-term health and well being of our national security apparatus than Aims, Hansen, Manning or Snowden. While each of those caused damage — and in Snowden’s case, more damage than the average American can either calculate or know about, due to the sensitivity of the intelligence sources, methods and critical program information disclosed — the OPM hack may prove to have longer lasting effects.
This is more than a bad policy decision to save a few bucks. Now those who sacrificed to serve the nation for a lifetime have one more burden to bear for the balance of their lives. The impact of the OPM cyber tsunami will unfold over the next weeks, months, and years. But what is clear is that the leadership of OPM may very well not yet understand what they have done to our nation and our future leaders.
Why OPM leadership doesn’t get it.
I received an electronic notice from the chief information officer of OPM telling me to sign up for 18 months of identity protection. The email was long, filled with legal and government jargon to let me know the government does not think it has liability for the damages done, and best of all, limits the identity protection to me alone — none of my family.
The CIO of OPM obviously does not know enough about the contents of the records in the agency’s e-QIP (Electronic Questionnaires for Investigations Processing) system. The names, dates and places of birth, and other very sensitive PII on literally everyone related to me are contained in those records. Those people are just as harmed as I am. The records include their parents’ dates and places of birth and other highly sensitive information, so the identity integrity of all of those family members has been breached. They all deserve identity protection at government expense.
The single most relied upon security “card” in online account access and change world is “your mother’s maiden name.” That information is in those stolen records, along with that person’s date and place of birth just in case some wary online security protector asks more questions.
What the OPM hack means to public employees
If you have ever held a “position of public trust,” your information has been compromised. Not just the information of intelligence officials or military personnel, but law enforcement — and anyone who has held a significant position in government in their life. That includes members of Congress, congressional staffers (past and present) and political appointees who often get to slide past barriers that would normally prevent a clearance in the name of expediency. It also includes anyone in state, tribal and local government who has been granted necessary access to conduct investigations or homeland security operations and support processes. And the list goes on and on.
The threats are three fold. First, there is the obvious financial insecurity and threat of identity theft.
Second, there is a physical threat to the health, life, safety and well being of those you love if you are involved in certain activities for our government. A case in point was the recent heightened security posture at U.S. military installations due to the “chatter” about attacks by extremists. Imagine how much those same extremists would pay to get information on the family members of our military and intelligence professionals — and they really will not care what role you play.
And third, there is the large scale economic impact of massive distrust of online purchasing and information exchange which will affect not only the U.S., but as the main driver of the world economy, the world in general. Some estimate that this is a crisis of catastrophic proportion if only because of the crisis of confidence in our government’s ability to respond effectively.
OPM states in its email to affected people that they will only protect those whose direct information was compromised, as their email put it, but they are dismissing the millions of people who also face potential harm, in a move that appears to limit the liability and blame to only 4.2 million people.
Why tens of millions and the U.S. economy will be affected
If you ever held a security clearance (with some exceptions), then all of your PII, along with the PII of all of your family — your spouse, brothers, sisters, parents, parents-in-law, children, step children, people with whom you have co-habitated even though unmarried, etc., — have been compromised. OPM hired a contractor for $20 million to provide identity protection policies for 4 million people. That is $5.00 per year per person. What do you think you will get for that? Last time I stopped for gas that would not even buy two gallons.
The true PII loss, by my estimate, is probably closer to 50 million people when you count the relatives whose names, dates and places of birth, addresses, etc., along with their parents names, places and dates of birth, have been compromised.
Yes, that is about 12 to 14 total people per employee who submitted an SF-86/ E-QIP form. The cost to recover from all that compromised information could add up to between $1 billion and $11 billion, depending on who does the protecting. If I were Congress, I would demand that the executive branch grant a $300.00 to $350.00 tax credit each year for ten years for anyone affected by this breach, whether an employee, former employee, retiree or person who submitted or was listed on the security clearance forms of any of those. Then those affected would be free to shop the market and acquire protection they feel they can trust.
There’s another cost that hasn’t been fully calculated yet. It is a certainty that part of the strategy of the adversary that perpetrated this attack was to cause people to doubt the ability of our government to protect the citizens of our nation. That goal is easier to achieve when the government of our nation (that includes at least two of the branches) seems paralyzed and unable to make decisions.
Who trusts OPM and some contractor to protect their data and their financial future? Unfortunately, I am unwilling and unable to have that level of trust at this point. I want to pick my own company based on how they serve my needs and respond. So far, the selected contractor has batted just about zero on all terms of customer service and confidence building, according to published reports and concerned members of Congress. My entire family is pretty upset, and I am, for once, unable to assuage their fears.
Richard A. Russell is a former senior national intelligence service executive who served in progressively responsible national security positions for more than 36 years before retiring in January 2015.