As a newly elected Senator, I am here to tell you a hard truth: Washington does not take cybersecurity seriously.
But you probably already knew that if you’ve read anything about the massive OPM data breach. To recap today’s news from OPM, since 2013, a malicious attacker—likely the Chinese government—breached government databases and stole information on some 21 million federal employees. This included personal information like addresses and Social Security numbers. Most of these people held security clearances and for them it also included nearly 150 pages of material in what are called Standard Form 86s (SF-86), which detail nearly every aspect of their lives.
Here’s the kicker: despite today’s jaw-dropping news, the attackers were in our networks so long that it may still be a while before we figure out everything they stole. Most news coverage has centered on federal employees. But that’s an incomplete picture because it’s now clear many victims never worked for the federal government. When applying for a security clearance with the SF-86, applicants list their family members, neighbors, co-workers, foreign contacts, and even college roommates.
What this means is that not only do the hackers know lots of sensitive information about millions of government employees, they also know a great deal about many of the people they know and love. The implications for threats, intimidation, and blackmail are chilling. "Oh, you don't want to sell out your country? OK, we get it. By the way, your parents still live at 2911 Rainbow Drive, right?"
China may now have the largest spy-recruiting database in history.
Bottom line: If you have any family or friends who work for the government and put your name down on an SF-86, a foreign government might well know a lot more about you and your kids than you'd like.
Let's step back: All who care about national security and privacy should be alarmed that our government suffered a massive data breach. It has failed to respond in any rational manner. The Office of Personnel Management (OPM) hack dealt a serious blow to our national security. Unless we admit our mistakes, and build a robust response and deterrence strategy, it will absolutely happen again.
Most of what we've learned about this breach has dripped out slowly from OPM and has been contradictory, misleading, or just plain wrong. Even today’s announcement seems designed to avoid blame rather than to stop this from ever happening again.
But here's what we know: the federal government is failing to protect its own sensitive information. This government is failing to protect the American public.
OPM’s announcement today gives the impression that these breaches are just like some of the losses by Target or Home Depot that we've seen in the news. The analogy is nonsense. This is quite different—this is much scarier than identity theft or ruined credit scores. Government and industry need to understand this and be ready. That’s not going to happen as long as Washington keeps treating this like just another routine PR crisis.
In the coming days, when OPM provides Congress more details about the hack, Director Katherine Archuleta may play the sacrificial lamb and lose her job. This will be a transparent attempt to con the public into thinking the problem is solved. At best, firings are consequences, not solutions.
What we need is a long-term, intelligence-driven strategy for safeguarding sensitive, personal information and for deterring future attacks.
This takes transparency and hard truths. I sit on the Senate’s homeland security committee, and I’ve been trying to get answers from OPM officials about what has happened. Today’s news is big but here are four important questions we still need answered.
OPM says it has “high confidence” it understands the full scope of the data losses. I’m skeptical.
This is the same crowd that could not detect the hacks in the first place. And just yesterday, OPM’s Inspector General told Congress that most of the people responsible for safeguarding this information had essentially no background in IT.
Last month, I asked OPM, DHS, and OMB if information was stolen from the military or intelligence community. Even today, government officials have not answered this question and may not even know.
We do now know attackers successfully stole security clearance background information. However, we still do not know if the attackers made their way to the intelligence community’s separate database for clearances, Scattered Castles.
Regardless, our enemies have a road map to our vulnerabilities. By piecing together information from a variety of databases—even unclassified ones—our adversaries can build a picture that is damaging to our national security. Intelligence analysts call this “mosaic theory.” This mosaic of our intelligence personnel exposes them and our nation to serious threats.
Protecting the American public requires an understanding that privacy is everyone’s responsibility now. Safeguarding information has always been essential to securing the nation. It is the same in the private sector, which faces many of the same threats from the same malicious actors.
Government and industry must partner together to keep information safe. Failing to do so hurts both. Private industry’s ability to protect their customers will in one way or another be affected by the government’s capacity to do the same.
Some in the defense and intelligence communities think the attacks on OPM constitute an act of war. The rules of engagement in cyber warfare are still being written. And with them, we need to send a clear message: these types of intrusions will not be tolerated. We must ensure our attackers suffer the full consequences of their actions.
Starting now, government needs to stop the bleeding—every sensitive database in every government agency must be immediately secured or pulled offline. But playing defense is a losing game. Naming and shaming until the news cycle shifts is not enough.
Our government must completely reevaluate its cyber doctrine. We have to deter attacks from ever happening in the first place while also building resiliency.
This is not going away. Yes, many difficult and controversial issues remain that will take time and compromise to address. But the attacks on OPM, and other large-scale data losses, demonstrate that the public and private sectors are more closely linked than ever. Good governance and good business depend on protecting our nation’s sensitive data.
We need answers if we are going to fix this.
