Latest in OPM
The results are in. Lawfare's “Name that Database” contest is now closed.
All we can say is that Lawfare readers are a remarkably creative—and scary—bunch of folks. Some of these ideas are really quite spectacular.
Here are several other unclassified government databases the PLA should target—and that our intelligence community might give some thought to protective.
Our guest commentator for episode 74 is Catherine Lotrionte, a recognized expert on international cyberlaw and the associate director of the Institute for Law, Science and Global Security at Georgetown University. We dive deep on the United Nations Group of Government Experts, and the recent agreement of that group on a few basic norms for cyberspace. Predictably, I break out in hives at the third mention of “norms” and default to jokes about “Cheers.”
Last week, I wrote a piece on the OPM hack, quoting a GAO report that seemed to me to suggest that the intelligence community had concerns about OPM's computer security back in 2010. In response, I received the following missive from a senior intelligence official suggesting I had misread the GAO report in question:
I have now had a little time to digest Shane Harris’s story in the Daily Beast this morning on the intelligence community’s concerns in 2010 about OPM’s data security. The relevant passage from the GAO report Shane cites is, well, upsetting:
Last week, I posed the question of whether we should really be blaming OPM—which is not an intelligence, counter-intelligence, or cybersecurity agency—for the theft of government personnel records, presumably by professional intelligence operatives, when we have plenty of intelligence, counter-intelligence, and cybersecurity expertise in the federal government.
Everyone's mad at the Office of Personnel Management, and I totally get why. The hack is awful, the magnitude staggering. The consequences will be big, both for the country and for lots of individuals. It's a very ugly situation, and OPM has certainly not handled it competently, let alone well. And the more we learn, the worse it gets.
But here's my question: Is this really OPM's fault?
My response to the estimable Julian Sanchez on privacy groups and the OPM hack. Why expecting privacy groups to have something to say on the subject is not just "stupid posturing."
Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants. In what alternative universe is this true, you ask? No need to look far. That’s the state of the debate in our closest ally. The recommendations were given to the United Kingdom by an independent reviewer, David Anderson.
The data breach of OPM’s personnel records system is a privacy and security disaster for the U.S. Government and for the 4 million (and possibly as many as 14 million) current and former federal employees and contractors (including many Lawfare readers, unfortunately!) whose security clearance applications have reportedly been accessed by Chinese hackers.