Whose Fault is the OPM Hack, Really? Part II

By Benjamin Wittes
Tuesday, June 30, 2015, 12:36 PM

Last week, I posed the question of whether we should really be blaming OPM—which is not an intelligence, counter-intelligence, or cybersecurity agency—for the theft of government personnel records, presumably by professional intelligence operatives, when we have plenty of intelligence, counter-intelligence, and cybersecurity expertise in the federal government.

Today, Shane Harris has this story in the Daily Beast, which casts this question in a somewhat different light:

In 2010, officials across the government were under pressure to chip away at a backlog in processing security-clearance applications. And a sweeping intelligence law, passed in the wake of the 9/11 attacks, required them to merge their records into one, all-purpose security-clearance system.

But U.S. intelligence officials said they couldn’t go along with that plan, “due to concerns related to privacy, security, and data ownership,” according to a report from the Government Accountability Office, Congress’s oversight arm.

Brenda Farrell, the oversight agency’s director of defense capabilities and management, testified before Congress in December 2010 that intelligence officials were particularly concerned that names, Social Security numbers, and personal information for covert operatives would be exposed to hackers if the personnel database, known as Scattered Castles, weren’t left to stand on its own.

But three years later, the Office of the Director of National Intelligence began working with OPM “to set the stage for the upload of active, completed clearance records” from OPM’s system—which was later overrun by hackers—into Scattered Castles, according to a 2014 report (PDF) from the intelligence office. The report noted a “current upload of records” from the Defense Department’s personnel computer system, as well. It is now linked with OPM’s, so that one person can search records in both simultaneously.

The Daily Beast contacted U.S. intelligence officials, as well as spokespeople for the FBI and the OPM. None would definitively say that Scattered Castles is not connected to OPM’s system. If there are connections between the two—as that recent government report suggests there are—it could be exploited by hackers, giving them a pathway from OPM into the most highly classified personnel records in the entire government.

More on this after I've had a chance to read the underlying reports.