Admiral Mike Rogers Virtually Confirms OPM Was Not on Counterintelligence Radar
For some time, those following the OPM hack have been asking where the intelligence community’s counterintelligence folks were. Were they aware of what a CI bonanza the database would present for foreign governments?
Lawfare’s Ben Wittes has been asking it for a while. Ron Wyden got more specific in a letter to the head of the National Counterintelligence and Security Center last month.
- Did the NCSC identify OPM’s security clearance database as a counterintelligence vulnerability prior to these security incidents?
- Did the NCSC provide OPM with any recommendations to secure this information?
- At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why existing retention periods are necessary?
And Steven Aftergood, analyzing a 2013 Intelligence Community Directive released recently, noted that the OPM database should have been considered a critical counterintelligence asset.
A critical asset is “Any asset (person, group, relationship, instrument, installation, process, or supply at the disposition of an organization for use in an operational or support role) whose loss or compromise would have a negative impact on the capability of a department or agency to carry out its mission; or may have a negative impact on the ability of another U.S. Government department or agency to conduct its mission; or could result in substantial economic loss; or which may have a negative impact on the national security of the U.S.”
By any reasonable definition, the Office of Personnel Management database of security clearance background investigations for federal employees and contractors that was recently compromised by a foreign adversary would appear to qualify as a “critical asset.” But since OPM is not a member or an element of the Intelligence Community, it appears to fall outside the scope of this directive.
But in a private event at the Wilson Center last night, NSA Director Mike Rogers described NSA being brought in to help OPM — but only after OPM had identified the hack.
After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.
NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.
That “as we started more broadly to realize the implications of OPM” is the real tell, though. It sure sounds like the Chinese were better able to understand the value of a database containing the security clearance portfolios on many government personnel then our own counterintelligence people.
Oops.
admiral rogers was quoted (by a high-ranking source who requested, and was happily given, anonymity) as saying:
“we were so fuckin’ busy going thru those haystack, searching for that next needle, that we didn’t have time to do any serious thinking about government targets of cyberteurs. today we’re asking congress for another building at beefhollow road, 400 megaw more power, and two more rivers for cooling, in order to solve this problem, he said.
we are committed to getting this right, he said. “
“As we started more broadly to realize the implications of OPM”. That directive raises the question of whose job is it to identify critical asset databases (and perhaps request assistance from NCSC in safeguarding them). Per the directive (at least for internal IC stuff) “Heads of IC elements shall … designate a senior official responsible for the IC element’s CI program.” If you apply that structure to OPM, that’s at least two heads that should roll. Plus all the IC people whose job it is to review all the non-IC agencies, all the way up to the DNI; they’re supposed to be more security conscious, shouldn’t they be held to a higher standard? Were I that OPM lady who basically got canned. I would have identified, at the hearings, all the gentlemen above her and in the IC community who failed, and asked if they were going to be fired. And how about Congress – didn’t you fail in your oversight role? But, I guess life doesn’t work that way.
You would think that the database that contains security clearance information would be obvious as one to protect,. especially in an administration that is known to lie about security clearances and classifications.
It shows what happens when you concentrate on attack and defense is an after thought. This is a very common military fault. (It reminds me of an old military saying: ‘the best defense is offense’)
Bs and more bs, all the time.
It would be interesting to get Edward Snowden’s judgment on how secure the NSA computer systems were from outside attack. I haven’t seen that point addressed (or maybe I’ve missed it). We know that after the fact they booted up the “insider threat” program, but what about external threats? Snowden was a contractor, after all, with credentials — the type of person they use to gain entry. I’m sure NSA would never admit there was an outside breach, but are (were) they really secure? Anyone know?