David Larter and Andrew Tilghman report: Anxiety is spreading among defense officials and the military community that the recent theft of federal government data linked to China may affect hundreds of thousands of service members.
“They had access on everyone who has applied for a security clearance: families, residences and job assignments, bank records. If that’s not an absolute calamity, I don’t know what is.”
Compounding those concerns is the limited information made public by the Office of Personnel Management.
Some military officials believe the recent hack targeting the civilian-run OPM seized information from tens of thousands of Standard Form 86s, which are required for all service members and civilians seeking a security clearance. That includes service members of all ranks, officers and enlisted, in a wide range of job specialties and assignments.
“This is a surreal new world and they are not being truthful. The way this works now is that they tell you a little bit of the truth, and then they obfuscate.”
“They got everyone’s SF-86,” one Pentagon official familiar with the investigation told Military Times.
The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.
Given the scale of the breach as publicly disclosed by the Obama administration and OPM, it’s likely that the hackers obtained the SF-86 data of every military member who filled out the form on a computer, something that has been standard practice in Defense Department for well over a decade, said a retired senior intelligence community official who writes a blog under the pen name Victor Socotra.
The services began to make the digital SF-86 form mandatory in 2007, but service members used the digital form for years before that.
OPM IT Outsourced to Foreign Contractors, with Root Access, Working from their Home Country. In this Case, Oh Yeah, China
Posted: June 17, 2015
Encryption ‘would not have helped’ at OPM, says DHS official: Attackers had valid user credentials and run of network, bypassing security
Sean Gallagher reports: During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.
But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
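The point Ozment makes is an architectural one: encryption at rest protects data from someone who copies the disk or database, not from someone who logs in with a valid account, because the application decrypts for any authenticated user. The sketch below is an added illustration, not code from OPM or from the Ars Technica report. It models a personnel-record service whose storage is encrypted (with an illustrative SHA-256 counter keystream standing in for real disk or database encryption), checks a password, and optionally requires a TOTP second factor; the user name, password, secrets and record contents are all constructed sample values. With a stolen password and no MFA requirement, the decrypted record comes back; with MFA required, the same stolen password is not enough.

```python
import hashlib
import hmac
import struct
import time


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Illustrative at-rest encryption: XOR with a SHA-256 counter keystream.
    Stand-in for real storage encryption; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">Q", offset // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time 'at' (seconds since epoch)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def _pw_hash(username: str, password: str) -> bytes:
    # Demo-only deterministic salt derived from the user name; a real system stores a random salt.
    salt = hashlib.sha256(username.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RecordService:
    """Hypothetical record store: encrypted at rest, password login, optional MFA."""

    def __init__(self, storage_key: bytes, require_mfa: bool):
        self.storage_key = storage_key
        self.require_mfa = require_mfa
        self.users = {}
        self.records = {}

    def add_user(self, username: str, password: str, totp_secret: bytes, record: str):
        self.users[username] = {"pw_hash": _pw_hash(username, password), "totp_secret": totp_secret}
        self.records[username] = keystream_cipher(self.storage_key, record.encode())

    def fetch_record(self, username: str, password: str, otp=None, now=None) -> str:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], _pw_hash(username, password)):
            raise PermissionError("bad credentials")
        if self.require_mfa:
            expected = totp(user["totp_secret"], int(time.time()) if now is None else now)
            if otp is None or not hmac.compare_digest(expected, otp):
                raise PermissionError("second factor required")
        # Any authenticated session gets plaintext: at-rest encryption is transparent here.
        return keystream_cipher(self.storage_key, self.records[username]).decode()


def attempt(svc: RecordService, username: str, password: str, otp=None, now=None) -> str:
    try:
        return "granted: " + svc.fetch_record(username, password, otp, now)
    except PermissionError as exc:
        return "denied: " + str(exc)


def run_scenario() -> dict:
    """Constructed scenario: the attacker holds a valid password (e.g. via phishing) but no token."""
    secret = b"constructed-totp-seed"
    record = "SF-86 excerpt (constructed): residences, foreign contacts"
    fixed_time = 1_434_585_600  # a fixed timestamp so the TOTP value is reproducible

    def build(require_mfa: bool) -> RecordService:
        svc = RecordService(b"constructed-storage-key", require_mfa)
        svc.add_user("jdoe", "Winter2015!", secret, record)
        return svc

    stolen_password = "Winter2015!"
    return {
        "no_mfa_stolen_password": attempt(build(False), "jdoe", stolen_password),
        "mfa_stolen_password_only": attempt(build(True), "jdoe", stolen_password, now=fixed_time),
        "mfa_with_legitimate_token": attempt(
            build(True), "jdoe", stolen_password, otp=totp(secret, fixed_time), now=fixed_time),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The first outcome is the situation Ozment describes: the data is encrypted on disk, yet a valid login returns it in the clear, so the encryption changes nothing. Only the second outcome, where the service refuses a password without a second factor, actually blocks the stolen credential; the third shows the legitimate holder of the token still gets through.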
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.
At least we found it
Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing “numerous tools and capabilities.” She claimed that it was during the process of updating tools that the breach was discovered. “But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from her prepared statement.
China hacked into the federal government’s network, compromising four million current and former employees
Ellen Nakashima reports: China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage: recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.
Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.
“We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation.”
— Chinese Foreign Ministry spokesman Hong Lei
“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm. “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human recruitment.”
The targeting of large-scale databases is a relatively new tactic and is used by the Chinese government to further its intelligence-gathering, the officials and analysts say. It is government espionage, not commercial espionage, they say.
“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target.”
“This is part of their strategic goal — to increase their intelligence collection via big data theft and big data aggregation,” said a U.S. government official, who, like others, spoke on condition of anonymity to discuss a sensitive topic. “It’s part of a strategic plan.”
One hack of the OPM, which was disclosed by the government Thursday, dates at least to December, officials said. Earlier last year, the OPM discovered a separate intrusion into a highly sensitive database that contains information on employees seeking or renewing security clearances and on their background investigations.
Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counterintelligence. Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China. “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.
“For bigger data storage, for bigger data theft. And when you can gain it in bulk, you take it in bulk.”
— China cyber and intelligence expert
The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official. “They can find specific individuals they want to go after, family members,” he said.
WASHINGTON — The Obama administration is scrambling to assess the impact of a massive data breach involving the agency that handles security clearances and employee records, U.S. officials said Thursday.
A congressional aide familiar with the situation, who declined to be named because he was not authorized to discuss it, said the Office of Personnel Management and the Interior Department were hacked. A second U.S. official who also declined to be identified said the data breach could potentially affect every federal agency.
The White House was considering a public announcement of the breach Thursday night or Friday morning, the second official said.
The Office of Personnel Management is the human resources department for the federal government, and issues security clearances….(developing)