It’s pretty clear at this point that the personnel database that holds information on millions of U.S. federal workers, including the military, was not “hacked.”
No one had to hack into it. The information thieves who for months – or, apparently, years – had access to a massive amount of personal information on workers with clearances and other security-related assignments were recruited in through the front door.
In a hearing in the House of Representatives last week, an appalled Representative Jason Chaffetz (R-UT) put it this way:
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
The Ars Technica post (link above) buries the lede, however. (Look for yourself; it’s way down at the end of the post.) It’s not just that the Office of Personnel Management (OPM) failed to certify nearly a quarter of its IT systems as secure.
The real news is that outsourcing government IT tasks led to Chinese contract workers, and at least one person working in China, having root access to OPM systems.
Having root access, of course, means having access to any data you want in the system – regardless of any security application that may protect the data against “unauthorized” users.
This is what Ars Technica reports:
A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”
This is by far the worst of the disclosures about the lack of IT security for OPM’s personnel systems.
There are others that are very bad, such as the revelation that a contract company (KeyPoint Government Solutions) that was handling federal workers’ background investigations was doing business through its workers’ personal Gmail accounts, because it didn’t have its own IT infrastructure.
That’s bad enough: it leaves the information being moved around as vulnerable to low-level snooping as it is possible to be.
But thoughtless outsourcing invites data thieves in through the front door. No hacking or even snooping required; a third party just gives the thieves root access as a routine part of the employment proposition.
The outsourcing of background investigations for federal workers is just one aspect of the problem, but it’s an important one. It began during the Bush 43 administration, as a cost-saving measure. (It is to be noted that the CIA manages its own personnel records and background investigations, for which we can be profoundly thankful. But workers in the Defense and State Departments, Homeland Security, Treasury, and other agencies that require background investigations for people who handle national secrets and money are all affected by this OPM catastrophe. And it is a catastrophe. Consider just this fact: the high-clearance workers at the National Security Agency, the one that was Hoovering in data on Americans for over a decade, have their background investigation documents stored in the OPM system. The details of their personal lives are now available to America’s enemies.)
The consultant cited by Ars Technica spoke from direct knowledge – which was presumably limited. He only knew about some of the potential system exposure to Chinese workers. There’s no telling how many times Chinese workers have had direct access to OPM’s systems. There’s no telling which contract workers from other nations may have harvested data from them.
Meanwhile, OPM Director Katherine Archuleta congratulated her agency at the hearing on discovering this massive data breach:
“But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from her prepared statement.
So the bureaucracy’s ritual wagon-circling and excuse-making are well underway. But discovering more and more pieces of information about this problem won’t explain the complete loss of intellectual function (or CLIF, as I like to call it) throughout the federal government that led to this situation.
Ordinary Americans know that “outsourcing” doesn’t just mean paying someone outside your organization to perform tasks for you. In today’s world, it means inviting the entire globe into your business. The political freight of outsourcing is a whole “thing” of its own, sometimes deservedly so and sometimes not. Outsourcing doesn’t always involve banks of IT workers in (or from) India, and sure, it’s unfair to make like a demagogue and pretend that it does. But it’s idiotic to ignore the incontrovertible fact that, in today’s interconnected world, it can.
The American people, whatever their biases and misunderstandings on this head, appear to be much smarter than their government. Hello, Washington? Anybody home?