Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
The Office of Personnel Management’s (OPM) security clearance files were hacked 20 months ago. It is just now notifying the people whose personal identification information was stolen.
Two friends of mine, one a naval officer and the other a defense contractor, received letters from OPM today telling them that their Social Security Numbers had been stolen. All of the information submitted in their SF-86s (the official form for a security clearance application) may have been compromised as well, but OPM does not know for sure what else was taken.
That information would include the applicant’s name, address, date of birth, educational and employment history, foreign travel history, and fingerprints. It would include personal information about his or her immediate family and colleagues, personal references, and “other information used to adjudicate your background information.”
These notification letters gave the recipients activation codes for a taxpayer-funded, three-year identity theft and fraud monitoring service. This is the only bit of good news for the recipients. Unfortunately, hackers began taking information in March 2014, so those without identity and fraud protection services at the time of the theft may have been personally or financially damaged already.
Having submitted a SF-86 for my own application, I can tell you firsthand that the information required is extraordinarily personal and detailed. Obviously, this cyber attack increased many people’s vulnerability to the financial criminality associated with identity theft. The information could also put the nation in jeopardy if it fell into the hands of adversarial governments. OPM admitted that the breach affected over 21 million people, many of whom have access to classified national security information. It is safe to assume the Chinese government has this information. Basically, the Chinese (and whomever they or the hackers sold this information to) have in these SF-86s how-to guides for blackmailing, threatening, or coercing millions of Americans who know military and security secrets.
This is the alarming reality. What’s more frightening is that we have to rely on the US federal government to save us from its own failure. Since OPM first announced that personal information was stolen, every new development has made it painfully clear that bureaucracy cannot handle 21st-century cyber warfare.
The enormous, antiquated, and complex federal bureaucracy is incredibly inert and resistant to change. It took the government over a year even to realize that it had been hacked. OPM delayed announcing that the information had been stolen for another two months. Then came a series of follow-up statements revealing that the leakage of information was much broader and deeper than initially thought. On October 1, 2015, OPM began mailing individual notices to those affected by the “cyber intrusion.” (Is “cyber intrusion” the digital equivalent of “workplace violence?”) Two months later, people are still getting their first official confirmation that their information was stolen. Granted, sending 21 million letters will take some time, but considering that OPM has $272 million in discretionary resources for FY 2016, I’m sure they could expedite the process.
I’m in the pool of potential victims, so I anxiously await my own letter. (Thankfully, I already had identity protection at the time of the hack.) But this problem is bigger than any one person’s identity protection. The OPM hack is the canary in the coalmine for America. OPM’s slow reaction time and confusion in the aftermath reflects a much greater weakness in our national security. The government is structurally unable to adapt and systemically unwilling to modernize. A more ruthless cyber attack by a more organized enemy could pose an existential threat to the United States. I fear that our government, by its design and nature, is not up to the challenge of protecting its critical assets from this kind of threat.Published in