Cyber Security at the Speed of Bureaucracy

 

The Office of Personnel Management’s (OPM) security clearance files were hacked 20 months ago. It is just now notifying the people whose personal identification information was stolen.

Two friends of mine, one a naval officer and the other a defense contractor, received letters from OPM today telling them that their Social Security Numbers had been stolen. All of the information submitted in their SF-86s (the official form for a security clearance application) may have been compromised as well, but OPM does not know for sure what else was taken.

That information would include the applicant’s name, address, date of birth, educational and employment history, foreign travel history, and fingerprints. It would include personal information about his or her immediate family and colleagues, personal references, and “other information used to adjudicate your background information.”

These notification letters gave the recipients activation codes for a taxpayer-funded, three-year identity theft and fraud monitoring service. This is the only bit of good news for the recipients. Unfortunately, hackers began taking information in March 2014, so those without identity and fraud protection services at the time of the theft may have been personally or financially damaged already.

Having submitted an SF-86 for my own application, I can tell you firsthand that the information required is extraordinarily personal and detailed. Obviously, this cyber attack increased many people’s vulnerability to the financial criminality associated with identity theft. The information could also put the nation in jeopardy if it fell into the hands of adversarial governments. OPM admitted that the breach affected over 21 million people, many of whom have access to classified national security information. It is safe to assume the Chinese government has this information. Basically, the Chinese (and whomever they or the hackers sold this information to) have in these SF-86s how-to guides for blackmailing, threatening, or coercing millions of Americans who know military and security secrets.

This is the alarming reality. What’s more frightening is that we have to rely on the US federal government to save us from its own failure. Since OPM first announced that personal information was stolen, every new development has made it painfully clear that bureaucracy cannot handle 21st-century cyber warfare.

The enormous, antiquated, and complex federal bureaucracy is incredibly inert and resistant to change. It took the government over a year even to realize that it had been hacked. OPM delayed announcing that the information had been stolen for another two months. Then came a series of follow-up statements revealing that the leakage of information was much broader and deeper than initially thought. On October 1, 2015, OPM began mailing individual notices to those affected by the “cyber intrusion.” (Is “cyber intrusion” the digital equivalent of “workplace violence?”) Two months later, people are still getting their first official confirmation that their information was stolen. Granted, sending 21 million letters will take some time, but considering that OPM has $272 million in discretionary resources for FY 2016, I’m sure they could expedite the process.

I’m in the pool of potential victims, so I anxiously await my own letter. (Thankfully, I already had identity protection at the time of the hack.) But this problem is bigger than any one person’s identity protection. The OPM hack is the canary in the coal mine for America. OPM’s slow reaction time and confusion in the aftermath reflect a much greater weakness in our national security. The government is structurally unable to adapt and systemically unwilling to modernize. A more ruthless cyber attack by a more organized enemy could pose an existential threat to the United States. I fear that our government, by its design and nature, is not up to the challenge of protecting its critical assets from this kind of threat.

Published in General

There are 29 comments.

  1. Brian Wyneken Member
    Brian Wyneken
    @BrianWyneken

    Best post title of the year!

    I got my letter last week.

    • #1
  2. Arahant Member
    Arahant
    @Arahant

    Great. I may still get one, then. I was hoping the work I did had me somewhat insulated, but probably not.

    • #2
  3. Arahant Member
    Arahant
    @Arahant

    Any idea if they are going in last name, ZIP code, or SSN order and where they are in the list?

    • #3
  4. Mallard Inactive
    Mallard
    @Mallard

    Yup, got my letter from the Postman. He knew it was important so he rode his horse clear up on the porch to de-liver it. Kwik, too!!

    • #4
  5. Eeyore Member
    Eeyore
    @Eeyore

    Wonder how far back it goes. I’ll ask my brother if he got The Letter. He separated about 1973.

    • #5
  6. Arahant Member
    Arahant
    @Arahant

    Eeyore: Wonder how far back it goes. I’ll ask my brother if he got The Letter. He separated about 1973.

    Except he may not have gotten it yet, considering people are still receiving them. And assuming I am going to get one, I have yet to receive it.

    • #6
  7. EJHill Podcaster
    EJHill
    @EJHill

    My Marine got his letter about three weeks ago.

    • #7
  8. wilber forge Inactive
    wilber forge
    @wilberforge

    Recall the IRS was still using AS-400’s and have to make replacement parts. They have nice furniture and bonuses though. Have to admit the DoD was amusing in its sparkling efficiency and inspiring confidence.

    Wash, rinse, repeat – It was said once, Things go on, until they can’t anymore, but they never imagined it on this magnitude.

    • #8
  9. Hank Rhody Contributor
    Hank Rhody
    @HankRhody

    It’s not just that people’s PII got ripped off. That’s bad enough. The fact that it’s also everything you’d need to blackmail anyone with a remotely important post in the government is so much worse.

    I’d be less unhappy about the whole thing if I didn’t think it was going to happen again five minutes down the road.

    • #9
  10. drlorentz Member
    drlorentz
    @drlorentz

    I also received the notice from OPM. In an amusing demonstration of bureaucratic inefficiency, the letter was sent to an address where I never lived — amusing because I’d rather laugh than cry.

    • #10
  11. genferei Member
    genferei
    @genferei

    Gee, I hope no-one has a smart device or security system that relies on fingerprints for authentication.

    • #11
  12. aardo vozz Member
    aardo vozz
    @aardovozz

    If I get a letter from OPM, then we really are in big trouble, since I never worked in the government.

    • #12
  13. aardo vozz Member
    aardo vozz
    @aardovozz

    Of course, we are in REALLY deep doo-doo if instead of a letter from OPM, we get a letter from the Chinese government.

    • #13
  14. Basil Fawlty Member
    Basil Fawlty
    @BasilFawlty

    I have yet to get the letter.  The Chinese probably took a look at my information and returned it to OPM.

    • #14
  15. PsychLynne Inactive
    PsychLynne
    @PsychLynne

    I got my letter a few weeks ago.  I have only the most basic security clearance (or had when I was with the government), but the amount of detail in my file is still enough to give me credit trouble the rest of my life.

    What astounds me is the fact my friends who are federal employees and not conservative, are much less aware of the extent of the breach, and don’t seem to think about implications beyond their credit record.

    • #15
  16. iWe Coolidge
    iWe
    @iWe

    The same people who are victims of the breach continue to assert that the government is the solution to every problem.

    The world is insane.

    • #16
  17. Matthew Roy Inactive
    Matthew Roy
    @MatthewRoy

    Arahant: Any idea if they are going in last name, ZIP code, or SSN order and where they are in the list?

    No, unfortunately I don’t know any details of how they’ve organized their list or how they’re progressing through it.

    • #17
  18. Matthew Roy Inactive
    Matthew Roy
    @MatthewRoy

    Eeyore:

    Wonder how far back it goes. I’ll ask my brother if he got The Letter. He separated about 1973.

    According to the news reports I read, everyone who submitted an SF-86 since 2000 is at risk. If your brother separated in 1973, I’d guess he’s ok. Although, it’s not the kind of thing you want to take for granted.

    • #18
  19. EJHill Podcaster
    EJHill
    @EJHill

    genferei: Gee, I hope no-one has a smart device or security system that relies on fingerprints for authentication.

    I don’t think people realize that the Feds have started doing biometric IDing. It took three trips to the Military Entrance Processing Station before my son was considered to be officially enlisted, not because he didn’t “sign” the right papers, but because they didn’t get a clear enough finger print.

    • #19
  20. Brian Clendinen Inactive
    Brian Clendinen
    @BrianClendinen

    I am waiting to get mine, even though my clearance expired 10 years ago. However, since the electronic form was so poorly designed I had to write on a printout some of the information, so maybe my information was not in the main database. Some idiot programmer required a naturalization number if someone was born on an overseas U.S. military base because you could not put a place of birth outside the U.S. without one.

    The one thing I am really hoping they did not get is my finger prints. The government lost mine the first time around and I had to get finger printed again 12 months later. So hopefully they lost them again.

    So basically they are so incompetent in the first place, I am crossing my fingers that their incompetence “misplaced” my information.

    • #20
  21. Tom Riehl Member
    Tom Riehl
    @

    Personal data integrity is obviously in shambles.  What worries me as a recent clearance holder, beyond my data rocketing around the ISIS net at the speed of light, is the trove of data they have to create normal or believable appearing CV’s for immigrating deadly Jihadists.  Think they might outsmart DHS?  Thanks for that, Satan-obama.

    • #21
  22. John Russell Coolidge
    John Russell
    @JohnRussell

    Mine arrived three days ago.

    • #22
  23. Claire Berlinski, Ed. Member
    Claire Berlinski, Ed.
    @Claire

    Matthew, the really disturbing thought in your post — and I don’t disagree — is this one:

    I fear that our government, by its design and nature, is not up to the challenge of protecting its critical assets from this kind of threat.

    If it isn’t, what kind of government would be? And is the answer, “Only one that none of us would want to live under?”

    • #23
  24. iWe Coolidge
    iWe
    @iWe

    Claire Berlinski, Ed.:

    I fear that our government, by its design and nature, is not up to the challenge of protecting its critical assets from this kind of threat.

    If it isn’t, what kind of government would be? And is the answer, “Only one that none of us would want to live under?”

    That is actually the poisoned chalice – NOT because a totalitarian state is the only government that could do the job, but because people believe that if government had absolute power, it could achieve more things.

    History tells us otherwise. Governments with absolute power are often effective tyrannies, but they are no better at achieving basic tasks than much more limited organizations.

    If we want to best protect our assets, then harness the private sector. Even for the government, using the government is rarely the best way to get something done.

    • #24
  25. Instugator Thatcher
    Instugator
    @Instugator

    I got a few things via email, including credit monitoring for a few years gratis.

    • #25
  26. Reldim Inactive
    Reldim
    @Reldim

    Strictly speaking, the logical thing to do is to offer affected individuals the ability to apply for a new social security number.  I know they can’t change my fingerprints, but I know they can issue a new SSN. Unlike private companies that let that info get out, in this case the people who can actually order the creation of a new number allowed the breach and could, by allowing the creation of a new number, fix a good portion of the problem.

    Not that I trust the government database that will hold the info linking my new number to my old number, but it’s certainly better than shrugging your shoulders and offering me free identity theft  insurance.

    • #26
  27. The Evergreen Man Inactive
    The Evergreen Man
    @TheEvergreenMan

    It’s like being in a club with 20 million members…

    As for the three-year identity theft protection, will I get a new SSN, date of birth, and other Personal Identification Information after that period is up? No? So the likely nation-state adversary behind this could still use it to my personal detriment, or for those of you still in government service to the detriment of the national security.

    Considering how a credit check is part of maintaining and gaining a clearance, they could just drop all that info onto the web for cybercriminals to use. Thereby throwing the defense system in chaos as supervisors throughout at least the uniformed services must counsel their subordinates on their failure to pay “their” credit card bills and the resulting suspension of their inability to handle & access classified material while their case is adjudicated…

    • #27
  28. Tuck Inactive
    Tuck
    @Tuck

    Matthew Roy: …What’s more frightening is that we have to rely on the US federal government to save us from its own failure. Since OPM first announced that personal information was stolen, every new development has made it painfully clear that bureaucracy cannot handle 21st-century cyber warfare….

    That’s why they’re giving up:

    Defense Dept. Throws in the Towel—on Defense

    • #28
  29. Arahant Member
    Arahant
    @Arahant

    Hey, y’all! Guess what I got today! Finally.

    • #29