US Intelligence Community's Cavalier Attitude Towards OPM Hack

from the that-old-thing... dept

After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.



NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.

Director of National Intelligence James R. Clapper Jr., testifying before the Senate Armed Services Committee, sought to make a distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”



And, he said, “We, too, practice cyberespionage and . . . we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.”

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

We've obviously written a few times now about the big OPM hack that was revealed a few months ago, in which it appears that hackers (everyone's blaming China for this) were able to get in and access tons of very, very private records of current and former government employees -- apparently including tons of SF-86 forms. Those forms are required to be filled out for anyone in a national security job in the government, and it basically requires you to 'fess up toyou've ever done that might, at some point, reflect badly on you. The basic idea behind it is that if you've already admitted to everything, then it makes it much harder for anyone to somehow blackmail you into revealing US national security secrets. But, of course, that also makes those documents. And, by now of course you've heard that the Office of Personnel Management was woefully unprepared to properly protect such sensitive data.Two recent statements made by top intelligence community leaders again should raise questions about why these guys have been put in charge of "defending" against computer attacks. First up, we have the head of the NSA, Admiral Mike Rogers. Back in August, we noted that Senator Ron Wyden had asked the National Counterintelligence and Security Center (NCSC) if it had even considered the OPM databases "as a counterintelligence vulnerability" prior to these attacks. In short: did the national security community who was in charge of protecting computer systems even realize this was a target. As Marcy Wheeler pointed out last month, Admiral Rogers more or less admitted that the answer was no In other words, the guy who is literally in charge of the "US Cybercommand" organization that is supposed to protect us from computer-based attacks didn't realize untilthe hack that this might be a relevant target.Then, fast forward to last week, where Rogers' boss, Director of National Intelligence James Clapper, testified at a Congressional hearing about the hack. After admitting that CIA employees had to be quickly evacuated from China after the hack, he more or less said that the US shouldn't retaliate, because this was "just espionage" and that the US has basically done the same thing back to them . At least that's the implication of his "wink wink, nod nod" statement to the Senators:Now, he's actually making a totally valid point concerning what the US'sshould be. Escalating this issue by hitting back at China isn't going to help anything. Rather, of course, the US government should have done a much better job protecting the information in the first place.But when you look at these statements together, it shows the somewhat cavalier attitude of the US intelligence community towards actually protecting key US assets. And that's because the US intelligence community is -- as Clapper basically admits -- much more focused on hacking into other countries' systems. For a while now, people have questioned why the NSA should be handling both the offensive and defensive "cybersecurity" programs. The theory has long been that because the NSA is so damn good at the offensive side, it's better positioned to understand the risks and challenges on the defensive side. Yet, given that the NSA's overall mission is so focused on breaking into other systems, it seems that whenever the two conflict, the offensive side wins out and less is done to protect us. The simple fact that the US intelligence community is basically admitting that we dothese kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.

Filed Under: admiral mike rogers, china, cybersecurity, james clapper, nsa, opm, opm hack, surveillance, us cyber command