Three Congressional Responses to the OPM Hack

After acknowledging that as more than 20 million people have been affected by the hack of the Office of Personnel Management, OPM head Katherine Archuleta “resigned” today.

In announcing that Office of Budget and Management Deputy Director of Management Beth Cobert would serve as acting Director, Josh Earnest played up her experience at McKinsey Consulting. So we may see the same kind of management claptrap as OPM PR in the coming days that we got from CIA’s reorganization when McKinsey took that project on. Over 20 minutes into his press conference, Earnest also revealed there was 90 day review of the security implications of the hack being led by OMB.

Happily, in spite of the easy way Archuleta’s firing has served as a proxy for real solutions to the government’s insecurity, at least some in Congress are pushing other “solutions.” Given Congress’ responsibility for failing to fund better IT purchasing, consider agency weaknesses during confirmation, and demand accountability from the intelligence community going back at least to the WikiLeaks leaks, these are worth examining.

Perhaps most predictably, Susan Collins called for passage of cybersecurity legislation.

It is time for Congress to pass a cybersecurity law that will strengthen our defenses and improve critical communication and cooperation between the private sector and government. We must do more to combat these dangerous threats in both government and the private sector.

Of course, nothing in CISA (or any other cybersecurity legislation being debated by Congress) would have done a damn thing to prevent the OPM hack. In other words, Collins’ response is just an example of Congress doing the wrong thing in response to a real need.

Giving corporations immunity is not the answer to most problems facing this country. And those who embrace it as a real solution should be held accountable for the next government hack.

Freshman Nebraska Senator Ben Sasse — both before and after Archuleta’s resignation — has appropriately laid out the implications of this hack (rebutting a comparison repeated by Earnest in his press conference, that this hack compares at all with the Target hack).

OPM’s announcement today gives the impression that these breaches are just like some of the losses by Target or Home Depot that we’ve seen in the news. The analogy is nonsense. This is quite different—this is much scarier than identity theft or ruined credit scores. Government and industry need to understand this and be ready. That’s not going to happen as long as Washington keeps treating this like just another routine PR crisis.

But one of his proposed responses is to turn this example of intelligence collection targeting legitimate targets into an act of war.

Some in the defense and intelligence communities think the attacks on OPM constitute an act of war. The rules of engagement in cyber warfare are still being written. And with them, we need to send a clear message: these types of intrusions will not be tolerated. We must ensure our attackers suffer the full consequences of their actions.

Starting now, government needs to stop the bleeding—every sensitive database in every government agency must be immediately secured or pulled offline. But playing defense is a losing game. Naming and shaming until the news cycle shifts is not enough.

Our government must completely reevaluate its cyber doctrine. We have to deter attacks from ever happening in the first place while also building resiliency.

We’re collecting the same kind of information as China — in methods that are both more efficient (because we have the luxury of being able to take off the Internet) but less so (because we are not, as far as we know, targeting China’s own records of its spooks). If this is an act of war than we gave reason for war well before China got into OPM’s servers.

Meanwhile, veterans Ted Lieu and Steve Russell (who, because they’ve had clearance, probably have been affected) are pushing reforms that will affect the kind of bureaucracy we should have to perform what is a core counterintelligence function.

Congressman Russell’s statement:

“It is bad enough that the dereliction displayed by OPM led to 25 million Americans’ records being compromised, but to continue to deflect responsibility and accountability is sad. In her testimony a few weeks ago, OPM Director Katherine Archuleta said that they did not encrypt their files for fear they could be decrypted. This is no excuse for a cyber-breach, and is akin to gross negligence. We have spent over a half a trillion dollars in information technology, and are effectively throwing it all away when we do not protect our assets. OPM has proven they are not up to the task of safeguarding our information, a responsibility that allows for no error. I look forward to working with Congressman Lieu on accountability and reform of this grave problem.”

Congressman Lieu’s statement:

“The failure by the Office of Personnel Management to prevent hackers from stealing security clearance forms containing the most private information of 25 million Americans significantly imperils our national security. Tragically, this cyber breach was likely preventable. The Inspector General identified multiple vulnerabilities in OPM’s security clearance system–year after year–that OPM failed to address. Even now, OPM still does not prioritize cybersecurity. The IG testified just yesterday that OPM ‘has not historically, and still does not, prioritize IT security.’ The IG further testified that there is a ‘high risk’ of failure on a going forward basis at OPM. The security clearance system was previously housed at the Department of Defense. In hindsight, it was a mistake to move the security clearance system to OPM in 2004. We need to correct that mistake. Congressman Steve Russell and I are working on bipartisan legislation to move the security clearance database out of OPM into another agency that has a better grasp of cyber threats. Steve and I have previously submitted SF-86 security clearance forms. We personally understand the national security crisis this cyber breach has caused. Every American affected by the OPM security clearance breach deserves and demands a new way forward in protecting their most private information and advancing the vital security interests of the United States.”

A number of people online have suggested that seeing Archuleta get ousted (whether she was forced or recognized she had lost Obama’s support) will lead other agency heads to take cybersecurity more seriously. I’m skeptical. In part, because some of the other key agencies — starting with DHS — have far to much work to do before the inevitable will happen and they’ll be hacked. But in part because the other agencies involved have long had impunity in the face of gross cyberintelligence inadequacies. No one at DOD or State got held responsible for Chelsea Manning’s leaks (even though they came 2 years after DOD had prohibited removable media on DOD computers), nor did anyone at DOD get held responsible for Edward Snowden’s leaks (which happened 5 years after the ban on removable media). Neither the President nor Congress has done anything but extend deadlines for these agencies to address CI vulnerabilities.

Perhaps this 90 day review of the NatSec implications of the hack is doing real work (though I worry it’ll produce McKinsey slop).  But this hack should be treated with the kind of seriousness as the 9/11 attack, with the consequent attention on real cybersecurity fixes, not the “do something” effort to give corporations immunity.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

7 replies
  1. earlofhuntingdon says:

    Many thanks for noting this. Although it’s good to see – its absence in the corporate community for equally egregious failures is glaring – the rare demise of an agency head is theater. As with the corporate “apology” industry, it is message management, meant to distract from the facts and deflect responsibility, not to signify improvement of problems or their resolution.
    I’m more interested in what happens to the OPM’s tech gurus, both govt employees and the inevitably outsourced ones. I’m more interested in who dictated privacy and security standards, virtual and physical, who implemented them and how well. And I’d like to know how those standards and their implementation are mirrored (or worse) elsewhere in the federal government and its plethora of private contractors.

  2. galljdaj says:

    I am at a loss as to my fellow 99% lack of attributing all Our woes to the criminals that have taken over Our Govt. War Criminals and RICO Criminals are running Our Govt(s), Corporations, and Our lives! And they are feeding us “austerity” to fix Our Woes, in stead of Common Good, Rule of Law, and Our Constitutional Law. The Fact that Our Country fully excludes itself from International Law and the UN Charter, which is also included into Our Law, condemns American Workers to the same fate(s) as being meted out in most of the World with Greece being the Poster!

    http://www.counterpunch.org/2015/07/10/jeb-bush-and-his-brothers-wars/

    The above article shows the dirty hand at play, and the Snowman gave us a blizzard of Truth about the How(s) it being done.

    Start putting the Picture Puzzle together Folks!

  3. jerryy says:

    .
    Why should the other department heads take security seriously when at the very top levels, the governments are sharing information with each other anyway? And those in charge of protecting are crying and whining they have to be let in the front, side and back doors to stop jay-walkers…
    .
    — As in Britain tells the US what US citizens are up to, etc., the US hires the same hackers that sell tools to the most repressive regimes we know of, etc.
    .
    This fish does stink the whole way down… it will take a massive change of view points before we see real progress.
    .

  4. dutch says:

    Did all of those 20 million security clearance checks do any good? I mean, they didn’t prevent the Manning or Snowden revelations. Both had security clearances – as did every other notorious double-agent who ever betrayed this country’s secrets. The best way to secure information is to not collect it in the first place. This is especially so when the information has proven useless for the intended purpose.

  5. Trevanion says:

    Still untalked about, no doubt willfully like Grandma’s unfortunate toot during church, is the absolutely unbelievable notion that either the Manning or Snowden hoist were solitary events. Theirs were “lone” or “rare” acts only in the sense they were done for publication. The narrative has been warped to implicitly (and crazily) suggest that there have not been any other previous snatches of similar volume — strictly for payment and not publication. Two years later it is amazing that no one has openly explored that question, no doubt to the appreciation of the “collect it all” folks — whose likely “we don’t know” response is just as bad as “yes, it happened.”

  6. Procopius says:

    “… they did not encrypt their files for fear they could be decrypted.” This is just stunning. You know, third graders know how to hack the iPads they get from the school so they can actually use them. I first started learning computer programming in 1976, when I was 39 years old. Seeing this degree of ignorance is … I’m at a loss for words. I would expect this kind of thing from Congresscritters, especially those charged with overseeing the intelligence community, not from Civil Service Super Grades. At the very least they spend a sh**load of money on consultants. Is this the kind of advice they’re overpaying for?

Comments are closed.