WASHINGTON—An Office of Personnel Management investigative official said Tuesday that the agency entrusted with millions of personnel records has a history of failing to meet basic computer network security requirements.
Michael Esser, assistant inspector general for audit, said in testimony prepared for delivery that for years many of the people running the agency’s information technology had no IT background. He also said the agency had not disciplined any employees for the agency’s failure to pass numerous cybersecurity audits.
Esser and others were testifying Tuesday to the House Oversight and Government Reform Committee about the cybertheft of private information on millions of former and current federal employees, as well as U.S. security clearance holders, by hackers linked to China.
Officials fear that China will seek to gain leverage over Americans with access to secrets by pressuring their overseas relatives, particularly if they happen to be living in China or another authoritarian country. Over the last decade, U.S. intelligence agencies have sought to hire more people of Asian and Middle Eastern descent, some of whom have relatives living overseas. The compromise of their personal data is likely to place additional burdens on employees who already face onerous security scrutiny.
China denies involvement in the cyberattack that is being called the most damaging U.S. national security loss in more than a decade.
The potential for new avenues of espionage against the United States is among the most obvious repercussions of the pair of data breaches by hackers who are believed to have stolen personnel data on millions of current and former federal employees and contractors.
Rep. Jason Chaffetz, a Utah Republican who chairs the oversight panel, said the incident “may be the most devastating cyberattack in our nation’s history,” and said OPM’s security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen.
In the cyberattack targeting federal personnel records, hackers are believed to have obtained the Social Security numbers, birth dates, job actions, and other private information on every federal employee and millions of former employees and contractors.
In a second attack, which the Obama administration acknowledged on Friday after downplaying the possibility for days, the cyberspies got detailed background information on millions of military, intelligence, and other personnel who have been investigated for security clearances. Together, the hacks compromised the records of as many as 18 million people.
Applicants for security clearances are required to list drug use, criminal convictions, mental health issues, and the names and addresses of their foreign relatives.
“You’re supposed to list every relative outside the U.S. who could be a source of foreign government pressure on you,” said Stewart Baker, who served in senior roles at DHS and the National Security Agency.
The pitch to a Chinese-American working with U.S. secrets, he said, would amount to, “You belong to us, and we can make an approach that is designed to make you understand that.”
But the fears don’t end with China. China’s intelligence service could share the information with countries such as North Korea or Pakistan. Also, experts say, many who hack on behalf of the Chinese government are allowed to freelance and sell what they steal.
“The ‘friends and family’ dataset is ultimately the most useful for a hostile intelligence service,” said Richard Zahner, a retired lieutenant general and former top NSA official. Tie the information to what’s publicly available, and other intelligence the adversary has already collected, “and you have insights that few services have ever achieved.”
Those insights go beyond merely spying on the U.S. government, he said. Many senior business executives need government clearances to serve on advisory boards, or hold them from prior government service. Google chairman Eric Schmidt, for example, holds a security clearance, he has said. So at one point did Microsoft founders Bill Gates and Steve Ballmer.
“If I can get into the strategic planning side of a U.S. competitor, investment decisions and negotiating strategies are vastly simplified,” Zahner said.
Also Monday, DHS disclosed that as many as 390,000 employees, contractors, and job applicants may have had their personal data breached in a separate hack of a contractor, KeyPoint Government Solutions, that was discovered in September. In December, DHS acknowledged another hack of the same contractor in which 48,000 people were affected.
Administration officials have left many questions unanswered, including why the latest hacks went undetected for months. The federal chief information officer, Tony Scott, ordered government agencies to beef up their network security by scanning logs, patching security holes, and accelerating their use of authentication that goes beyond passwords.