A Correction and a Reiteration

By Benjamin Wittes
Tuesday, July 7, 2015, 11:53 AM

Last week, I wrote a piece on the OPM hack, quoting a GAO report that seemed to me to suggest that the intelligence community had concerns about OPM's computer security back in 2010. In response, I received the following missive from a senior intelligence official suggesting I had misread the GAO report in question:

In your piece about the OPM breach, I am curious why you interpret the paragraph that you quote from the GAO report as indicating that the Intelligence Community believed that OPM’s systems were insecure. I don’t think that is what the paragraph meant, and I don’t think that is accurate in fact. What I see in the paragraph you quote, and in the GAO report as a whole, is two points being made:

(a) The IC doesn’t want classified information combined with unclassified. That’s not an issue about the security of OPM’s networks; it’s a basic counterintelligence concern. No one gets access to CIA’s personnel information, for example, and the unexceptional point being made is that even unclassified information can present counterintelligence risks.

(b) If there were a breach, the threat would be greater if the systems were consolidated. But that’s not a commentary on OPM’s security but on the overall CI risks of consolidating information.

Nowhere in the paragraph that you quote is there anything that suggests that there were concerns expressed about the security of OPM’s systems, or even that the Intelligence Community had visibility into the security of OPM’s systems. And in general the Intelligence Community has no role in evaluating the security of non-national security systems. We don’t, for example, examine the FDIC’s systems to see if they are secure and adequately protect money transfers and the associated personally identifiable information.

So I think the premise of your piece—that the Intelligence Community had concerns about the security of OPM’s systems and failed to insist that they be corrected—is simply not accurate.

I accept my correspondent's suggestion that I overread the GAO statement. Perhaps the concerns being expressed were, as my correspondent suggests, less about the specifics of OPM's security practices than reflecting generic anxiety about the mingling of classified and non-classified data.

But that said, I stand by and reiterate that it will not do to simply blame OPM for this huge intelligence loss. Someone other than the human resources folks needs to be responsible for (a) identifying that data in non-classified databases held by non-security agencies are potentially significant intelligence targets, (b) conducting liaison relationships with the relevant agencies so that they understand the intelligence value of their holdings to an adversary service, and (c) working with those agencies to secure those systems. I am agnostic about who the responsible agency is. And I'm willing to accept that the GAO report does not—as I suggested—imply that the DNI's office had some advance window into the OPM problem.

But that only raises the question of who, if anyone, did? And if nobody did, who should have?