WASHINGTON -- The U.S.’s lead agency in countering foreign intelligence threats, has one answer for people asking why it failed to identify the massive database of sensitive information that was hacked starting last year as a potential vulnerability: not our problem.
The National Counterintelligence and Security Center issued a collective shrug in response to Sen. Ron Wyden's (D-Ore.) questions about the devastating cyber attack on the Office of Personnel Management, a breach that purportedly exposed 22 million federal workers’ personal information to China.
“The statutory authorities of the National Counterintelligence Executive, which is part of the NCSC, do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems,” reads a letter from the NCSC dated Sept. 15. That responsibility, the letter continues, rests with the Office of Management and Budget or with each respective agencies’ Inspector General.
Last month, Wyden asked the NCSC, which falls under the office of the Director of National Intelligence, whether it had identified the massive data trove as a potential security weakness before it was infiltrated by hackers. Included in the hacked data were tens of thousands of SF-86 forms, which are background check forms required for federal workers seeking security clearances.
The potential compromise of those SF-86s -- some of which may have dated back to the 1980s -- has roiled the intelligence community, and may have put undercover U.S. agents overseas and their families and friends at risk of exposure.
“The OPM breach had a huge counterintelligence impact and the only response by the nation’s top counterintelligence officials is to say that it wasn’t their job," Wyden said in a statement Wednesday. "This is a bureaucratic response to a massive counter-intelligence failure and unworthy of individuals who are being trusted to defend America. While the National Counterintelligence and Security Center shouldn't need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data.”
In the letter, NCSC also told Wyden it is necessary to keep decades' worth of data on federal employees, despite concerns that this overstocking could make the database more fragile.
“While it is possible that we may incur certain vulnerabilities with the retention of background investigation information over a significant period of time, its retention has value for personnel security purposes,” the letter reads.
The ripple effects of the OPM hack, which was first revealed earlier this year, have yet to be seen, though government officials have been bracing for protracted effects on foreign operations. Katherine Archuleta, the head of OPM at the time of the hack, was forced to step down in wake of the scandal.
The Senate plans to eventually take up a cybersecurity bill that would streamline the information-sharing process between federal agencies, something Wyden has long contended they are incapable of doing in a secure fashion under the current arrangement.
“The Senate is now trying to respond to the OPM hack by passing a bill that would lead to more personal information being shared with these agencies,” Wyden said Wednesday. “The way to improve cybersecurity is to ensure that network owners take responsibility for plugging security holes, not encourage the sharing of personal information with agencies that can’t protect it adequately.”
Clarification: Language has been updated to indicate that the OPM hack began in 2014, but was only revealed this year.