Why the OPM Hack Is Far Worse Than You Imagine

By Michael Adams
Friday, March 11, 2016, 10:00 AM

The Office of Personnel Management (“OPM”) data breach involves the greatest theft of sensitive personnel data in history. But, to date, neither the scope nor scale of the breach, nor its significance, nor the inadequate and even self-defeating response has been fully aired.

The scale of the OPM breach is larger and more harmful than appreciated, the response to it has worsened the data security of affected individuals, and the government has inadequately addressed the breach’s counterintelligence consequences. While we can never know for sure exactly what the government is doing in secret to address the breach and mitigate its consequences, based on what is publicly known, the millions affected by the breach have good reason to fear.

Below, I explore the scale of the problem.

First Cut On the Scope of the Breach

When news first broke about the OPM data breach in early June of 2015, I was not overly concerned. Like many others, I initially assumed the breach involved only routine background checks; it never occurred to me that the “actual” security clearances could be held at OPM. Then, in mid-June, officials confirmed a second breach involving the security clearance files of current, former, and prospective federal employees. The compromised data included SF-86 forms which contain intimate details about the prospective employee’s personal life, family members, and other contacts.

But the breadth of the OPM breach is even broader than these acknowledged massive intrusions. For instance, in December 2015, the Washington Post reported that the government was sending notifications to journalists who “have or once may have had access to federal buildings” to alert them that their personal information could have been compromised. The article notes that this breach alone could involve “hundreds and as many as thousands of reporters, photographers and cameramen and women.”

The first hearing in front of the House Oversight and Reform Committee, on June 16, 2015, gave yet another indication of the breadth of the intrusion. There, OPM Chief Information Officer Donna Seymour acknowledged that the information compromised in the data breach included “SF-86 data as well as clearance adjudication information.” This was a particularly dismaying disclosure. Although most media attention focused on the SF-86 data exfiltration, adjudication data is far more comprehensive and important. The adjudicative guidelines, established for all individuals “who require access to classified information,” are extraordinarily broad. They apply to all “persons being considered for initial or continued eligibility for access to classified information” and “are to be used by government departments and agencies in all final clearance determinations.”

Under these guidelines, the scope of the information required for adjudication vastly exceeds that required by an SF-86. The desiderata ranges from information on “sexual behavior” that “reflects lack of discretion or judgment” to evidence of “foreign influence,” including a broad definition of “risk of foreign exploitation” associated with mere “contact with a foreign family member.” For instance, the information collected to adjudicate a simple Top Secret single-scope background investigation includes a “Personal Subject Interview” and “interviews with neighbors, employers, educators, references and spouses/cohabitants.” It also includes “record checks with local law enforcement where the individual lived, worked, or went to school in the past 10 years.” None this information is included on a standard SF-86.

Although the theft of fingerprint data has been widely reported, there is still another critical component of the adjudication dataset that has been largely overlooked. Certain types of security clearances require the individual to pass a polygraph examination, which can be extraordinarily intrusive and far exceed the subject matter of an SF-86. One former U.S. official noted that “a polygrapher once asked if he’d ever practiced bestiality.” Another said that “he was asked about what contacts he’d had with journalists, including in a social setting. All of the data collected during a polygraph is part of the adjudication data set. While we do not know where and how the full set of polygraph data is stored, adjudication data does include at least some polygraph information and officials have confirmed some polygraph data is shared with OPM.

What does this mean for someone like me, who has had a security clearance for over three decades? Given that the data sets stolen in the OPM go back to 1985, the information known to the attacker potentially includes all data collected during my initial clearance process and every comprehensive mandatory update, including all of the data from multiple polygraph examinations.

Security Clearance Databases & Systems

The full breadth of the security clearance data at risk remains unclear. For instance, U.S. officials have “neither confirmed nor denied” whether OPM’s database was linked with Scattered Castles, the intelligence community’s database of “sensitive clearance holders.” The Scattered Castles database was established by Intelligence Community Policy Guidance (ICPG) 704.5 in October of 2008. This database was intended to be used exclusively by the Intelligence Community. However, there is reason to believe Scattered Castles was not fully and efficiently used within the IC. A DoD IG Report completed in April 2014 concluded: “We found a lack of effective recordkeeping by the Agency security offices, as well as by DIA, NGA, NRO, and NSA IGs. This occurred because the appropriate investigative and personnel security databases — JPAS, DCII, and the IC's SCATTERED CASTLES system — were not being reliably populated with investigative and security information. As a result, the failure to effectively document investigative Subjects in JPAS, SCATTERED CASTLES, and/or DCII significantly hindered personnel security clearance and access adjudications.“ This indicates the landscape of where and how clearance information is stored is far more complex than one or two databases; such complexity makes mapping the full potential impact of the breach even more difficult from the outside.

Some amount of overlap between the government’s various security clearance record repositories is apparent. A report published by the Office of the Director of National Intelligence provides some insight: In order to report security clearance volume levels, the National Counterintelligence and Security Center’s Special Security Directorate (SSD) “compiled and processed data from the three primary security clearance record repositories: ODNI’s Scattered Castles (SC); DoD’s Joint Personnel Adjudication System (JPAS); and the Office of Personnel Management’s (OPM) Central Verification System (CVS). To fulfill specific reporting requirements of the FY 2010 IAA, the SSD issued a special data call to the seven IC agencies with delegated authority to conduct investigations or adjudications.” The purpose of the data call was to consolidate security clearance data. However, it not clear, what, if any, information was shared from SC to CVS.

Similarly, a December 2005 OMB Memorandum on the subject “Reciprocal Recognition of Existing Personnel Security Clearances” directs OPM to “develop and promulgate guidance that directs agencies to: i) query DoD’s JPAS database if the existing clearance was issued by a DoD activity; ii) query the Intelligence Community’s Scattered Castles database if the existing clearance was issued by an intelligence community agency.” While this may indicate that these databases are indeed separate, it clearly means there is some comingling of information including highly sensitive IC clearance material.

Further, a 2008 Intelligence Community Policy Guidance directs the Special Security Center to “collaborate” with both DoD and OPM to ensure that “personnel security information contained in the SC database is accessible and the data is correlated with OPM’s Clearance Verification System database”:


Oct 2008

The DNI Special Security Center shall:

a. Collaborate with the Department of Defense and the Office of Personnel Management (OPM) to ensure Senior Officials of the Intelligence Community -approved personnel security information contained in the SC database is accessible and the data is correlated with OPM's Clearance Verification System database at the appropriate level of classification to protect agency-specific classified information.

We also know from a February 2012 Federal Investigations Notice that the OPM security clearance database (CVS) “contains information on security clearances, investigations, suitability, fitness determinations, Homeland Security Presidential Directive 12 (HSPD-12) decisions, Personal Identification Verification (PIV) credentials, and polygraph data,” provided from “agency sources, OPM legacy systems, and the Joint Personnel Adjudication System (JPAS).”

Finally, a January 2014 Federal Investigations Notice notes that OPM’s CVS database “collects and shares data necessary for agencies to make reciprocal determinations” about clearances for “State, Local, Tribal, and Private Sector Entities (SLTPS).” Due to an Executive Order requiring that “all clearances granted to SLTPS personnel shall be accepted reciprocally by all agencies and SLTPS entities,” OPM has modified its CVS to “collect and display additional data fields” to accommodate these security clearances. The reciprocal contacts contemplated by this Notice therefore hint at linkages between OPM’s CVS and any number of relevant agency databases.

As noted in a July 2015 Congressional Research Service report, “[i]f the IC’s database were linked with OPM’s, this could potentially help the hackers gain access to intelligence agency personnel and identify clandestine and covert officers. Even if data on intelligence agency personnel were not compromised, the hackers might be able to use the sensitive personnel information to ‘neutralize’ U.S. officials by exploiting their personal weaknesses and/or targeting their relatives abroad.”

To make matters worse, it appears that OPM maintained an unsecured and unencrypted database for the security clearances. A 2006 OPM report states that the “Data Repository” is premised on a “shared-disk (shared-data) model,” and that “[a]ll of the disks containing databases are accessible by all of the systems.”

Other Potentially Compromised Systems

Along with the aforementioned databases, the OPM systems are linked electronically to other agencies and databases, and it stored much of this data alongside the security clearance files. According to a 2007 White House report on OPM security clearance performance, checks of State Passport records and searches of military service records are now conducted electronically. According to this report, then, there are electronic linkages between the OPM Security Clearance files, Department of Defense service records, and State Department Passport records.

We also learned from testimony given by OPM’s Federal Investigative Service in February 2012 about OPM’s reciprocity initiative:

Today, reciprocity is fully enabled with relevant security clearance, suitability, and identity data shared across the Federal government. By implementing an automated position designation tool and expanding the data stored in the Central Verification System (CVS), agencies can more accurately determine the proper level of investigation to be conducted. By building a pass through to DOD’s Joint Personnel Adjudication System, CVS is the standard for clearance validation for most of the Federal government.

The linkage with JPAS means that whatever actor successfully breached the OPM system potentially has pass-through access to a complete set of other extraordinarily sensitive National Security data, including detailed information on every US defense contractor facility, data about which defense facilities both USG and contractors may have visited, and any contacts made with non-US officials and civilians both inside and outside the US, even while on vacation. Ultimately, the potential exists even for the compromise of the personally identifiable information (“PII”) of NATO and non-NATO visits to and from the United States.

Counterproductive Mitigation Efforts

Closely following news of the data breaches was the announcement that free credit and identity monitoring would be offered to potential victims of the intrusion. At the time, it was unclear how OPM intended to complete the inventory of people affected by the breach, or how OPM could provide this information to the three major credit reporting agencies without violating the Privacy Act.

On July 16, 2015, OPM published notice to establish “a new routine use” allowing OPM to disclose information “to appropriate persons and entities for purposes of response and remedial efforts in the event that there has been a breach of the data contained in the systems. This routine use will facilitate an effective response to a confirmed or suspected breach by allowing for disclosure to those individuals affected by the breach, as well as to others who are in position to assist in the agency's response efforts, either by assisting in notification to affected individuals or otherwise playing a role in preventing, minimizing, or remedying harms from the breach.”

There are two primary areas of concern with these changes. The first was that this would give OPM permission to pass PII to the three credit agencies. Given the vast number of potential victims of the breach, it would be impossible to do so except via some contracting mechanism that would identify the victims as part of the OPM breach. This would only further perpetuate PII about the attack victims to the agencies’ call centers located worldwide with completely unsecured, unclassified systems. The second area of concern was that the proposed change was inappropriately tailored to address activities related to the suspected or confirmed compromise of information. Instead, it would allow private contractors to have unfettered access to extremely sensitive data.

I submitted these and other concerns to OPM in response to its “new routine use” proposal. (Prior to the deadline for submission of objections to the change, I also contacted members of Congress who had demonstrated concern about the data breach in an attempt to stop this change to the Privacy Act.) In addition to my submission, only one Federal employee union and one NGO objected to the proposed changes.

In the end OPM ignored all but two of my concerns. This was OPM’s response to comments:

Finally, one individual and one Federal employee union sought information about security measures that would be taken to convey information shared outside of OPM pursuant to the new routine use. As with information shared outside the agency pursuant any routine use associated with its systems, OPM will transmit such information in accordance with applicable information security laws, guidelines, and standards including, but not limited to, the Federal Information Security Management Act (Pub. L. 107-296), and associated OMB policies, standards and guidance from the National Institute of Standards and Technology.

The individual commenter and employee union also questioned whether the routine use is appropriately tailored to address activities related to the suspected or confirmed compromise of information, OPM adopted the model language developed by the Office of Management and Budget (OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Attachment 2) and adopted by a number of other Federal agencies. As drafted, this routine use permits the agency to protect sensitive information contained in OPM's systems while also facilitating mitigation and prevention activities in the event of confirmed or suspected compromise of information. Therefore, OPM has adopted the new routine use, first published on July 16, 2015, without further change.

I believe this is an entirely inadequate resolution. OPM appears to be allowing the clearance data of affected individuals to be exposed to unknown contractors brought in to help mitigate the attack. But contractors were at the heart of the initial attack, and we have no way of knowing what contractors now may have access to the clearance data based on an arbitrary “need to know” criterion. Additionally, the bulk PII now provided to the credit reporting agencies, coupled with the absurd notification systems that Jack Goldsmith discussed in January, places those impacted by the breach at greater risk. It is virtually impossible that the PII of impacted persons is being adequately protected as it flows through the systems and global call centers of the credit agencies.

A Counterintelligence “Plan”

One of my biggest concerns since the OPM attack came to light is the lack of a coherent counterintelligence (CI) plan from the Office of the Director of National Intelligence (ODNI), or in particular from Bill Evanina, the National Counterintelligence Executive.

In January, Evanina announced a “new campaign to warn government employees and contractors” that “they are all potential human targets by intelligence agents.” In an interview with CNN, Evanina acknowledged the existence of a permanent threat: “The threat is now, and it is enduring. If they decide to compromise me, they may do it now, they may do it in three years.”

But despite Evanina’s apparent nod to the seriousness of the threat, the ODNI’s public counterintelligence campaign consists of a series of YouTube videos. These videos are so laughably childish so as to remind me of the “Communist threat” films I was forced to endure during Cold War-era basic training for the Army. And I’d suspect these videos will be of little help to former covert operatives facing genuine threats to the safety of themselves and their family. I am confident that at least some of the 22 million victims—and their 6.3 million minor children—of this espionage attack share concerns with the deficiency of this counterintelligence campaign that have not been answered or addressed.

These deficiencies are all the more inexplicable given ODNI’s clear recognition of the existence of so-called “global threats” to the national security of the United States. In February, during testimony to the House Select Intelligence Committee, Director of National Intelligence James Clapper stated, “Russia and China continue to have the most sophisticated cyber programs. China continues cyber espionage against the United States. Whether China’s commitment of last September moderates its economic espionage, remains to be seen. Iran and North Korea continue to conduct cyber espionage as they enhance their attack capabilities.”

I doubt that ODNI can provide a satisfactory account of the inadequacies of its proposed counterintelligence plan. But, to the extent it can, it must do so in order to begin rebuilding a sense of trust with the many victims of this act of espionage.