
The OPM Data Breach: Congress Should Investigate, but Should Consider Its Own Responsibility for Protecting Federal Workers

By John Bellinger
Saturday, June 13, 2015, 5:14 PM

The data breach of OPM’s personnel records system is a privacy and security disaster for the U.S. Government and for the 4 million (and possibly as many as 14 million) current and former federal employees and contractors (including many Lawfare readers, unfortunately!) whose security clearance applications have reportedly been accessed by Chinese hackers. The completed SF-86 forms (Questionnaire for National Security Positions) include not only the applicants’ social security numbers, dates of birth, telephone numbers, security clearance levels, and foreign contacts but also detailed information about police records, drug and alcohol use, financial problems, and psychological and emotional health.

Congress should and undoubtedly will hold hearings on the extent of the breach and responsibility for it.

Before members of Congress get too outraged, however, they should remember that three years ago Congress itself passed legislation that would have similarly endangered U.S. national security as well as the privacy and safety of federal employees by requiring that the SF-278 financial disclosure forms of 28,000 senior executive officials (including military officers and national security officials) be posted on the websites of their home agencies. The SF-278 forms contain specific details regarding the assets, debts, and bank accounts not only of federal officials but also their spouses (and even their dependent children). This information would have been available not only to Chinese intelligence but to seven billion people in the world!

Because the Internet publication provision was part of legislation intended to stop insider trading by Congress (the STOCK Act) and 2012 was an election year, President Obama signed the legislation without a peep, over the strong objection of numerous government departments and agencies, and the White House then refused to allow federal agencies to continue to raise national security and privacy objections to Congress.

Congress fortunately came to its senses after a group of 14 former senior national security officials wrote a strongly worded letter to Congressional leaders warning that the legislation would pose irreparable harm to U.S. national security interests and potentially endanger senior officials and their families serving overseas. Congress initially delayed implementation of the Internet publication of SF-278s and ordered the National Academy of Public Administration to study the effects of the law. NAPA then concluded that the law would do more harm than good and recommended that it be indefinitely suspended. In April 2013, Congress finally passed new legislation stating that Internet publication of the SF-278 forms of senior military officers, senior executive branch officials, and congressional staff “shall not be effective.”

The congressionally mandated Internet publication of SF-278s of senior executives would not have affected nearly as many federal workers as the OPM breach (and would not have disclosed as much information) but was still shockingly myopic. When Congress holds hearings to investigate the OPM data breach, it should consider what Congress can do to help mitigate the damage and prevent further breaches. Congress should consider what it can do to assist affected national security officials now and in the future, not just excoriate OPM.