It now seems that the Office of Personnel Management, which had outsourced its data storage to other Federal agencies, has lost an astonishing 18 million personnel records, including most of those involving security clearances. The information is now in the hands of unknown hackers who almost certainly have bartered the stolen information to willing buyers. Most experts think that the buyer is most likely China, with Russia running a close second.
When a prospective employee applies for a job that requires a security clearance he or she fills out a form called an SF-86 which is called a Questionnaire for National Security Positions. The Questionnaire is extensive and demanding and requires so much information to be handed over to the government that there is virtually nothing left one could dream of adding to it. Your friends, colleagues, bosses, neighbors are all included along with all your personal information. In the wrong hands this document at minimum guarantees easy identity theft. Worse, in the hands of a determined adversary, a person’s vulnerabilities can be exploited including tracking the employee and making sophisticated “phishing” operations possible. Phishing is a technique where a false email or message can be sent to an employee that, when opened, puts spyware on the employee’s computer.
You would think given the explosive importance of the SF-86 form that the government would take strong steps to protect the information. Perish the thought. Nothing like that has been done: in fact, the government passes around these forms to other agencies (such as the FBI) and gives them to contractors for “processing.”
Our government has consistently failed at computer security from the beginning. The first Computer Security Act was passed in 1988, and there have been many subsequent legislative initiatives since then along with Executive Orders and pronouncements from agencies including NSA and the National Institute of Science and Technology (NIST), the latest one just this week.
None of them understand the problem or demonstrate any real willingness to solve it. All of them have the wrong cart in front of the wrong horse.
The truth is that unless special steps are taken to protect sensitive unclassified information the game is lost from the start.
What are those steps? Most fundamentally there are two: compartmenting information and encrypting it. For unclassified information which is what the SF-86 is considered to be, the government neither compartments nor encrypts. NSA won’t let them because the information is not classified: our government security experts keep thinking they can do it another way. No they can’t.
NIST has just put out a new directive for contractors. It is worthless. Why? Because it does not require either compartmentalization or encryption.
Compartmentalization means that not everyone can access everything. It is as simple as that. It can be made weightier by adding a “need to know” requirement, meaning that you are only entitled to look at what is absolutely necessary for your job. Properly administered need to know and compartmentalization protects any major theft of information particularly if the data itself is stored in an encrypted format.
The real crime is the failure of both the administration and the Congress to put in place a higher standard of information protection applying these known and effective tools. While everyone is running around thinking about firing the head of the Office of Personnel Management, perhaps they should think about firing themselves for the crimes against privacy they have perpetrated.