Things seemed to be going swimmingly at the US Office of Personnel Management (OPM), the entity that serves as the federal government's HR department.
"I'm happy to report that this first virtual conference exceeded even my high expectations," agency director Katherine Archuleta wrote on her official blog May 26. "And I'm not the only one who thinks the conference hit the mark. 'By all accounts, the OPM Virtual HR Conference was a smashing success!' said Gary Musicante, Director of Workplace Planning at the Department of Veterans Affairs. On our conference evaluation form, an employee with the Department of Interior's Bureau of Indian Affairs said, 'Why haven't we done this sooner?'"
A week later, however, it was a different story. On June 4, US officials announced that an ongoing series of massive OPM data breaches had begun nearly a year before and gone completely undetected — the thieves had exfiltrated the personal information of up to 18 million federal employees.
Shit, predictably, hit the fan. The US pointed the finger at China, whose government said "hypothetical" accusations are "irresponsible and counterproductive." Last week, OPM Inspector General Patrick McFarland testified before the Senate Homeland Security Committee, saying the failure by OPM to secure its data was being followed up with a shoddy effort to clean it up. On Friday, 17 GOP lawmakers called for Archuleta and other OPM officials to be fired.
And today, OPM announced it had shut down the system used for background checks of federal employees.
According to the Office of the Director of National Intelligence, there are 4.51 million people currently holding security clearances. To get them, each had to first fill out a 127-page form called an SF-86. The dossiers compiled based on one's SF-86 come complete with transcripts, results of polygraph exams, and details of extramarital affairs, past drug use, and gambling problems. If you lie, you face federal charges. One applicant was turned down for a security clearance for lying about having smoked marijuana and having outstanding medical debt. Another, a military veteran who had a 20-year affair with his college roommate's wife, was approved after having "mitigated the sexual behavior and personal conduct security concerns."
Because the SF-86 files were among the data stolen, the OPM breach has been called a "cyber 9/11." Former US Air Force cyber crimes investigator Daimon Geopfert thinks it could actually be worse. He ticked off to VICE News a list of possible outcomes, from blackmail, to the unmasking of clandestine operatives, to a wholesale degradation of national security.
"This is basically a multi-level layer cake of awfulness," Geopfert said, "each layer worse than the last."
* * *
Shortly after it was announced that OPM's database had been breached, software engineer David Auerbach gave "points to the CIA" in an article for Slate, since the agency had "refused to have anything to do with the OPM and thus kept its own employees' information safe."
Yet even though the CIA maintains its own security clearance platform, the agency is not insulated from the OPM data breach, explained Geopfert, now the head of security and privacy consulting for McGladrey Inc. The most functional cover for a covert operative is often a position within the government — for example, as a low-level assistant at an embassy. This generally entails putting them on the roster of another federal agency handled by OPM.
"Now, you start doing some data mining and come up with a tactical list of anomalies," Geopfert said, noting that cheap, even free, software that does this can be easily found online. "You won't find a big, glowing sticker on someone's file that says they're a spy," but by looking at what isn't there — dates that don't add up, a career path that doesn't fit with a current job — things can quickly turn into "the worst case scenario for someone who is undercover."
Being able to zero in on a specific subject, armed with potentially ruinous information, can lead to blackmail. But former US Army counterintelligence agent Jarrett Kolthoff tells VICE News blackmail isn't what worries him most.
"If you take a historical look at all the 'successful' espionage operations conducted against the United States over the years, the majority have not been based on blackmail, but on money and personal issues," Kolthoff said. "Here, nation-states would be able to use certain data in people's backgrounds to more easily spot and assess individuals to be targeted, people they think might be more susceptible to being turned."
Further, there's no way to know if any SF-86 applications were surreptitiously altered on behalf of an enemy agent who wouldn't have otherwise made it through the application process.
"If that's the case, then we can no longer trust the foundation of the security clearances that have already been issued," ThreatConnect CEO Adam Vincent said. "There could be people with top secret security clearances working inside US intelligence agencies right now who were improperly cleared by secretly edited SF-86es."
* * *
After Mary Cullings retired as a special agent with the Defense Security Service, she continued to perform security clearance investigations for multiple federal agencies, including OPM, as a contractor. However, she says working for OPM was simply too frustrating to deal with for a number of reasons — one being the computer system they used to file reports. She gave up the contract inside of 18 months.
"The computer system at OPM is just horrendous," Cullings told VICE News. "It's so antiquated, it was just a nightmare to work with. I finally said, 'I'm not doing this anymore — if you ever get a system that actually works, I'll reconsider.'"
In 2007, an OPM Inspector General's report said the agency's lack of information security represented a "material weakness." Even so, OPM had no IT security staff until 2013. The following year, an audit by OPM's Inspector General found "significant" deficiencies in its IT structure. A month after that, the networks of USIS, a private company hired by OPM to conduct background checks for the Department of Homeland Security, were breached. USIS was fired and replaced by a company called KeyPoint. It was hacked in December 2014.
The current cyber best-practices within the US government are 15 years behind the times, says Richard Stiennon, chief research analyst at IT-Harvest and author of There Will Be Cyberwar. The intrusion detection systems that government agencies, including OPM, are working on implementing right now were state-of-the-art in 2000, he says. Meanwhile, the people hacking into those systems are using today's technology to compromise them.
"The government is taking baby steps while unfortunately, the threat actors are sprinters," Stiennon told VICE News. "A lot of people probably feel the conversation could have started in 2007, when the Pentagon's email servers were taken over by hackers. Or in 2008, when the Pentagon got completely infected by a USB thumb drive. Or when the VA lost laptops with everybody's unencrypted data in them, in 2006 and again in 2010. OPM has affected so many people within the US government, I think there will be a very, very serious 'come-to-the-table' moment, and the right things may start to get accomplished."
Or not. As Donna Seymour, OPM's chief information officer, told Congress in April, "Most of the government's data is in a mainframe. The adversaries in today's environment are typically used to more modern technologies and so in this case, potentially our antiquated technologies may have helped us a little bit."
* * *
In a recent post on OPM's website, Archuleta says she "quickly realized that the agency's outdated, legacy system needed to be modernized," shortly after she took over in November 2013.
"My team got to work on the comprehensive IT Strategic Plan during my first 100 days as OPM Director," she said. "That plan clearly identified security vulnerabilities in our aging systems. We immediately began an aggressive modernization and security overhaul…. It was because of that overhaul and the tools we put in place to strengthen our cybersecurity that OPM — working with our partners at the Department of Homeland Security and the Federal Bureau of Investigation — was able to detect the cyberbreaches of personnel and background investigations data."
Perhaps there was a plan in place, which may very well have included implementing a much-needed security overhaul. But the breach was discovered by a team of sales reps from a company called CyTech Services. During a product demo at the OPM offices on April 21, the software package they were demoing identified malware embedded deep within OPM's systems.
"CyTech Services remained on site to assist with the breach response, provided immediate assistance, and performed incident response services supporting OPM until May 1, 2015," read a statement issued by CyTech's CEO. "During this time, CyTech provided on-site support at OPM to the OPM security personnel as well as representatives of the FBI and US-CERT." US-CERT is the United States Computer Emergency Readiness Team, part of the Department of Homeland Security's National Cybersecurity and Communications Integration Center.
OPM spokesman Samuel Schumach disputed this account in a statement of his own, saying the agency's "cybersecurity team made this discovery in April 2015. If not for the fact that OPM was already in the process of updating and strengthening our IT infrastructure, we would have not known about the intrusion, and would have not been able to mitigate any damage."
* * *
Things are going to have to change in a fundamental way, said Alan Cohen, chief commercial officer at Illumio, a data center and cloud security company. Systems need proactive detection systems that can head off incursions before they can do too much damage. And, as Cohen told VICE News, a modicum of accountability would be nice.
"If critical weapons platforms designed to protect the US against terrorist attacks failed, the manufacturer would be scrutinized, there would be an unending river of headlines about the failure, even books would be written — and the maker would certainly be held financially responsible," Cohen said.
Security experts are calling for an end to the overuse of "privileged access" to OPM's systems, in which groups of people share login credentials, removing a network administrator's ability to know exactly who is inside the system.
Archuleta's office declined an interview request from VICE News, saying that she is making official statements via social media for the time being. A June 21 post on Archuleta's Facebook page says OPM is continuing to update its website with new information "as it becomes available. Please share this important resource with your colleagues and be sure to check back often."
"When will we receive an apology for this?" reads one reply. "We trusted OPM with sensitive information, and they let us down. Once our free 18 months of credit monitoring expires, we are on the hook for it every month, for. the. rest. of. our. lives. But no one has felt that maybe they should say 'sorry?'"
Follow Justin Rohrlich on Twitter: @justinrohrlich