Cybersecurity

Breach of Trust, OPM, and the Intelligence Community

By Benjamin Wittes
Tuesday, June 30, 2015, 4:00 PM

I have now had a little time to digest Shane Harris’s story in the Daily Beast this morning on the intelligence community’s concerns in 2010 about OPM’s data security. The relevant passage from the GAO report Shane cites is, well, upsetting:

OPM, DOD, and ODNI officials with whom we spoke explained that establishing, operating, and maintaining a single, integrated database is not a viable option due to concerns related to privacy, security, and data ownership. First, DOD and OPM mentioned privacy concerns, which involve the unintentional disclosure of personal identifying information, such as name and Social Security number. Second, merging the different systems into one database raises security concerns. For example, according to an ODNI official, since the Intelligence Community's database is classified and separate from the databases used by non-intelligence agencies, even an aggregation of unclassified information from its database could lead to unintentional disclosure of personal identifying information that could compromise security. Moreover, breaches in the system could also compromise security. For example, some officials mentioned an enhanced threat from hackers if there were consolidation of multiple information technology systems. Finally, according to DOD officials, there are issues related to data ownership and the copying and transferring of information between systems that are owned by different agencies. For example, according to OPM officials, OPM can not provide information from investigations it did not conduct to another agency. When investigations are conducted by agencies with delegated authority, the reports are owned and maintained by the investigating agency. Requests for these investigative records must be referred to the owning agency.

To put the matter simply, the intelligence community resisted integrating its systems with those of OPM because it had security concerns about aggregations of even non-classified personnel records. Yet nobody in the intelligence community bothered, it seems, to help secure OPM’s systems. Why not?

Shane goes on to suggest that the DNI’s initial resistance to integration ultimately broke down and that there has been some integration of intelligence community personnel systems and OPM’s databases. But leave that point aside for the moment. My question is why, if the DNI’s office believed these aggregations of data were insecure, was it remotely sufficient to insulate the IC’s data from those systems? Why did people not perceive an affirmative counterintelligence exigency to secure those systems, even though they are not intelligence community systems?

I’m picking on the DNI here because that’s the office named in the GAO report, but as my initial post suggests, one might ask the same question of the FBI (which has the counterintelligence portfolio), NSA (which has cybersecurity expertise and the information assurance mission), DHS (which has the non-classified government systems security brief), or the NSC (which is supposed to coordinate policy matters across the executive branch). The point is that however incompetent OPM may have been here, identifying intelligence targets in the federal government and securing them against professional intelligence adversaries is really the job of others in the federal government, and at least some of those others had their eyes on this problem.

The more I think about it, the less I think it makes sense to blame OPM for the failure here, and the more I think the intelligence community itself must take responsibility for it--particularly for any portions of the breach or breaches that involve data for security clearance background checks. Explaining its famously rigorous vetting procedure to prospective applicants, the Central Intelligence Agency’s website says (emphasis added):

"The clearance process is strictly governed by rules and regulations derived from Federal statute and executive orders. It involves a thorough examination of your life history and fitness to safeguard the nation's secrets. Think of this process as the first step in building a bridge of trust between you and the Agency."

Building this bridge is, in each case, a shared endeavor, and it’s shared between the individual and the agency in question, not between the individual and OPM. Its successful construction depends on an applicant’s willingness to divulge some quite sensitive biographical details, on the one hand; and on the other, the government’s general willingness and ability to keep those very things under wraps. I cannot help but wonder how that dynamic is apt to change now that the government has shown itself manifestly incapable of keeping its part of the bargain.

The bargain, after all, is a tough one: Before you can undertake any sort of intelligence or national security work, the government has to deem you trustworthy enough to safeguard its secrets. Along the way, officialdom collects, analyzes and stores your secrets, which is to say a lot of cringe-inducing stuff about you: The illegal drugs you have used, the affairs you have had, the shrinks you have visited, the debts you have accrued or defaulted on, and so on.

The kicker is that much of this stuff must be obtained from you, the aspiring employee. That’s where the reciprocal “trust” part comes in: the mutual promise is to keep the secrets, well, secret. The government has an enforcement mechanism on its side: You can go to jail if you violate your promise to the government. Persuading people to tell the background checkers about their most unfortunate life moments demands something closer to pure trust. You can’t, after all, prosecute the entire government for violating the Espionage Act if it happens to give 18 million people’s OPM records to the Chinese. For the system to work, rather, the government has to assure people, and would-be and current employees have to believe, that it will keep their secrets safe. And when I say “the government” here, I don’t mean OPM. I mean the whole government: you know, the unitary executive.

It turns out, however, that the United States can't keep such data safe, and it will not do at this moment of breakdown to blame an agency that nobody ever would have posited could keep such data safe and that, in fact, the intelligence community knew was not doing so. Rather, the intelligence community has to bear the blame for betraying government employees just as surely as Edward Snowden has betrayed the government itself, though admittedly more with negligence than malice.  

And as a moral matter, if not as a legal matter, that fundamentally changes the bridge-building project. Is it reasonable for the government to insist that you strip naked, so that government can assess whether you present a tolerable security risk, when the government demonstrably poses a much higher risk in this respect to you than you do to it? Is it fair to ask you to keep the government’s secrets, and to disclose all to convince it of your fitness to do so, when it cannot keep yours?

Query how much all this might dissuade a would-be applicant from showing up in the first place. Would somebody with a real, though not clearance-precluding, background issue really want to go through such an intrusive examination, knowing all the while that the examination itself might (will?) expose that person and their family at least to scrutiny by the likes of Russia and China, as well as possible social and professional embarrassment?

I have no way of knowing myself, but I can understand if the answer for many people—at least until the gov’ment cleans up its act—is a resounding "hell no."