BreachExchange mailing list archives

Impact of OPM breach could last more than 40 years


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Jul 2015 18:22:28 -0600

http://fedscoop.com/opm-losses-a-40-year-problem-for-intelligence-community

The theft of background investigation data on millions of federal employees
and contractors has created a massive threat to U.S. national security that
will last for decades and cost billions of dollars to monitor, current and
former intelligence officials said.

The Office of Personnel Management announced last week that personal data
on 21.5 million individuals was compromised by the hack of the agency's
background investigation database. That includes 19.7 million individuals
that applied for a security clearance, and 1.8 million non-applicants,
predominantly spouses or co-habitants of applicants.

But while the focus continues to be on OPM's efforts to fix vulnerabilities
in the system used to manage background investigation data, known as
Electronic Questionnaires for Investigations Processing (e-QIP), as well as
the 30 day cybersecurity sprint ordered by the Office of Management and
Budget, intelligence experts say there is little the agency can do to
reverse the damage that has already been done.

"I don't think there is recovery from what was lost," said former CIA
Director Michael Hayden, in a telephone interview with FedScoop. "It
remains a treasure trove of information that is available to the Chinese
until the people represented by the information age off. There's no fixing
it."

According to Hayden and other former CIA officers, the data breach has
created a massive counterintelligence threat that could easily last 40
years — until the youngest members of the federal workforce enter
retirement.

"This isn't about blackmail or bribery. This is knowledge about potential
human intelligence targets," Hayden said.

A former CIA officer, who spoke to FedScoop on background, agreed that the
counterintelligence damage stemming from the data breach will last well
beyond OPM's cybersecurity remediation efforts. "You have provided the
Chinese with the pool of contractors and employees who have access to
classified information. This represents a target pool of possible
recruitments with a list of their vulnerabilities," the officer said. "Over
time, the pool will be added to and people will leave thus making the
information less valuable. In short, time will take care of some of the
problems. But, what a mess."

House Armed Services Committee Chairman Rep. Mac Thornberry, R-Texas,
called the breach "a critical force protection and counterintelligence
issue" for the Defense Department. "I am far from convinced that steps
taken so far by OPM to mitigate the impact to civilian employees and their
families are sufficient, nor am I confident the steps taken to protect
information, employees, and their families in the future are adequate,"
Thornberry said in a written statement.

What's in the data?

The background investigation process for granting a federal employee a
security clearance begins with a detailed questionnaire known as a Standard
Form 86. The 121-page document includes detailed biographical information,
residence and employment history, lists of family members, foreign travel
and business activities, and detailed summaries of psychological and
emotional health counseling the employee may have received.

The form also covers any interactions with police, use of illegal drugs and
alcohol, detailed information on financial problems, and information on any
unauthorized use of information technology systems. The form requires
candidates to provide information for the past seven years. However, top
secret security clearance investigations go back 15 years.

Monetary costs

The size, scope and sensitivity of the OPM data breach also have major
financial implications.

Richard A. Russell is a former senior national intelligence service
executive who served in progressively responsible national security
positions for more than 36 years before retiring in January 2015. According
to Russell, the U.S. government has vastly underestimated the financial
cost of providing identity theft monitoring.

At least four to five people will require monitoring for every non-married
federal employee in the background investigation database, according to
Russell. For those who have been married, or married more than once, the
number of affected people is more like 12 to 14, he said.

"With those factors alone, the total number of people whose information is
likely to be rolled up in the breaches would be in excess of 50 million,"
Russell said. "Just doing the math suggests it could be higher: 19.7
million times four to 14 yields between 78.8 million and 275.8 million
whose information is now in untrusted hands," he said.

"This is about more than getting the numbers right. It's about taking a
true measure of what has happened and what must be done," Russell said.
"For some, the proposed protection would run out before their child enters
the first grade in school. If a child is currently 20 years old, their risk
will last between 50 and 70 years or longer."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/