Washington, DC, is reeling from revelations that the Office of Personnel Management, the Federal government’s HR hub, has been extensively hacked. OPM is an obscure but important agency since it holds the personnel records of Federal workers, past and present, and even more, it conducts background investigations for security clearance holders across many Federal agencies.
Based on available information so far, the records of some four million Federal workers, going back to 1985, have been compromised, of whom 2.1 million are currently serving. In what has become the custom inside the Beltway, OPM had repeated warnings about its slipshod computer security practices but not much was done despite the enormously rising threat of foreign hackers. The extent of this needless debacle is truly disastrous, as I explained in a series of tweets the other day.
Speaking as a former counterintelligence officer, it really doesn’t get much worse than this. For our Intelligence Community to get hit by this and the Snowden debacle within two years speaks to systemic failure, not “oversights” and “mistakes” any longer. We’re not serious about stemming foreign espionage, as I recently explained, and now that neglect has caused serious pain that will last decades. Some of the damage may not be repairable, ever.
The IC is pointing the finger at China, tentatively, apparently at hacking entities that have a “close relationship” with Chinese intelligence. The case for official Chinese culpability is growing. It seems that Beijing is using aggressive hacking to establish a database of information about millions of Federal workers and security clearance holders.
Why China would do that isn’t difficult to guess. While defensive counterintelligence, the preventing and uncovering of enemy spies, is the “JV” level of counterespionage, as President Obama might put it (notwithstanding that the IC can’t manage even this), the real pros engage in offensive counterintelligence, which aims at recruiting spies inside the enemy camp, particularly inside the opposing intelligence service. That’s how you gain control of the enemy’s central nervous system: You know what he knows about you, hence you can deceive him at a strategic level. This is the essence of SpyWar, as I’ve explained, the secret struggle between the West and adversaries like China, Russia, and Iran, a clandestine battle that never ceases, yet that the public seldom gets wind of, except when something goes wrong. “May we read about you in the newspapers,” is the old Mossad curse/wag for a reason.
Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork (to get an idea of how detailed this gets, you can see the form, called an SF86, here).
Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
Perhaps the most damaging aspect of this is not merely that four million people are vulnerable to compromise, through no fault of their own, but that the other side now so dominates the information battlespace that it can halt actions against them. If they get word that a American counterintelligence officer, in some agency, is on the trail of one of their agents, they can pull out the stops and create mayhem for him or her: run up debts falsely (they have all the relevant data), perhaps plant dirty money in bank accounts (they have all the financials too), and thereby cause any curious officials to lose their security clearances. Since that is what would happen.
If this sounds like a nightmare scenario for Washington, DC, that’s because it is. Decades of neglect have gotten us here and it will take decades to get us out of it. The first step is admitting the extent of the problem. Getting serious about security and counterintelligence, finally, is the closely related second step. Back in the 1990’s, CI professionals warned the U.S. government about the hazards of putting everything online (we also pointed this out about internal databases that were supposed to be “secure”). Any cautions or caveats were dismissed as “old think,” out of hand. We were right about this, just as we were right about insider threats like Snowden. The past is the past, it’s time to move forward and do better without delay. The SpyWar is heating up and there’s no time to waste.