Whose Fault is the OPM Hack Really?
Everyone's mad at the Office of Personnel Management, and I totally get why. The hack is awful, the magnitude staggering. The consequences will be big, both for the country and for lots of individuals. It's a very ugly situation, and OPM has certainly not handled it competently, let alone well. And the more we learn, the worse it gets.
But here's my question: Is this really OPM's fault?
Published by The Lawfare Institute
in Cooperation With
Everyone's mad at the Office of Personnel Management, and I totally get why. The hack is awful, the magnitude staggering. The consequences will be big, both for the country and for lots of individuals. It's a very ugly situation, and OPM has certainly not handled it competently, let alone well. And the more we learn, the worse it gets.
But here's my question: Is this really OPM's fault?
OPM, after all, is not an intelligence agency or a counterintelligence agency. Even had it behaved competently, it had no chance of protecting data that a professional adversary intelligence service wanted to go after. It also does not have the expertise to identify which data it is holding that are—individually or collectively—likely of interest to foreign intelligence powers. To put the matter simply, protecting sensitive data from foreign spies is not within the wheelhouse of an agency whose job is "to recruit, retain, and honor a world-class workforce for the American people."
It is very much within the wheelhouse of some other federal agencies, however.
Let's start with the FBI, whose mission includes "Protect[ing] the United States against foreign intelligence operations and espionage" and "Protect[ing] the United States against cyber-based attacks and high-technology crimes." I don't know whose job, if anyone's, it is to identify large aggregations of data outside the security sector that would be of foreign intelligence interest and to protect them from espionage, but it seems to me that the agency tasked with foreign counterintelligence would be the place to start. So here's a question: Did anyone at the bureau ever flag for OPM that this material might have a giant bullseye painted on it?
Then there's NSA, which has the government's Information Assurance portfolio, and also has a huge cybersecurity capacity. NSA describes its information assurance mission as follows: "NSA's Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities." The OPM systems were not classified, but any database that potentially exposes millions of federal workers—including defense and intelligence workers—to potential recruitment, blackmail, or other bad conduct at the hands of a foreign intelligence service could certainly be regarded as "critical to military or intelligence activities." So here's another question: Did anyone at NSA ever flag for OPM that this material might have a giant bullseye painted on it or offer to help secure it?
Or maybe the problem lies with DHS. DHS, after all, proudly boasts that it "has the lead for the federal government for securing civilian government computer systems"—something that clearly did not happen here. So here's a third question: Did anyone at DHS ever work with this civilian agency to security its government computer systems?
If this all sounds like an interagency mess of authorities, well, there are also agencies whose job is to work through those. What, one might ask, about what role the DNI has played in this area? His mission statement starts with the broad aim: to "lead Intelligence Integration." In other words, if it was someone's job to imagine that there are a lot of non-classified systems around the government that have extraordinarily sensitive data an intelligence service would want to steal, and that this data is being housed at agencies that probably don't understand that fact and don't have the capacity to defend that data, perhaps having that imagination was the DNI's job. And if it was some office's job to reach out across the government and assess what datasets would be catastrophic to lose and to set up programs to protect that material, perhaps that was the DNI's job too.
Taping Rational Security this morning, I mentioned all this to the Hoover Institution's Kori Schake—a defense analysts and former NSC staffer—who joked with gentle bitterness that it's a good thing this country does not have a National Security Council, whose job is to coordinate the activities of the various agencies engaged in national security activity to make sure questions like this get addressed. The NSC describes its mission as including "serv[ing] as the President's principal arm for coordinating these policies among various government agencies." So here's a fourth question: Was anyone at the DNI's office or the NSC serving as the President's principal arm for securing data of intelligence value at OPM?
I'm sure it will make a lot of people feel good to beat up on OPM, and I'm sure some folks there probably deserve it. But after we've gone through the political ritual of extracting our pound of Washington flesh, let's ask the serious question: Whose job is this really? And whose do we want it to be?