Ex-NSA Officer: OPM Hack Is Serious Breach Of Worker Trust
SCOTT SIMON, HOST:
This is WEEKEND EDITION from NPR News. I'm Scott Simon. The Obama administration has disclosed that hackers have breached security for another Office of Personnel Management database. NPR and other news organizations report that records of some 14 million current and past federal employees have been compromised, including at the CIA and FBI. The White House has not confirmed this number. John Schindler is a security consultant and former National Security Agency official. He wrote about this for The Daily Beast and says that hackers got more than Social Security numbers.
JOHN SCHINDLER: It's far worse than that. The assumption that Social Security numbers were compromised was there at the beginning, but, you know, OPM has sort of slow-rolled how bad this really is. And what has been compromised includes security clearance information, background investigation information for millions of past and present employees across the U.S. government, including the Pentagon and the intelligence community. This is really, really bad.
SIMON: And, potentially, how could this information be used?
SCHINDLER: Well, this is very personal information, as anyone who's ever had a security clearance could tell you. This involves - especially at the higher levels of classification that are needed - very detailed personal information about lifestyle habits, anything you've done wrong - things you probably wouldn't want other people to know about, frankly - if you've had addiction issues, financial problems, marital problems, partner problems.
SIMON: So it could be used to blackmail a federal employee...
SCHINDLER: Absolutely, absolutely.
SIMON: ...To provide even more confidential information, yeah.
SCHINDLER: Also, importantly, this list - the clearance-holders' foreign national contacts. That is the foreigners you are in close and continuing contact with. If I were China, I'd be looking for any Chinese national who pops up in those forms for exploitation. This is counterespionage-101 kind of stuff.
SIMON: There are widespread reports that China is behind all this.
SIMON: What do you think?
SCHINDLER: Well, I think the U.S. government's been pretty unsubtle in pointing the finger, which tells me they're pretty sure that this is linked to notionally independent hackers in China who've done other major hacks against the U.S. health care industry, for instance. But these are, in fact, cutouts for the Chinese security services. China does this to many countries. This isn't really a shock. But, you know, I'd be surprised if it wasn't China at this point, but, you know, if more evidence comes to light, we'll take it from there. But right now, the intelligence community is signaling pretty clearly they're pretty confident it's China.
SIMON: You suggest in The Daily Beast that the U.S. government's failure to protect this information violates a basic understanding between the government and the people it employs.
SCHINDLER: Yeah, and I think that cuts to the heart of this. For anyone who's worked in the federal government or been in the military, who accepts a security clearance, the quid pro quo is that you will keep the U.S. government's secrets and they, frankly, will keep yours because everyone's - I think almost everyone's background investigation includes something they wouldn't want out known to the world. And if the government can't protect that, there is a certain sense that there's a violation of trust here that is very serious and is going to be corrosive of moral of people in the military and in the federal government. And I fully understand why they feel a sense of betrayal now.
SIMON: And I guess that could make them even more vulnerable.
SCHINDLER: Well, right, I mean, that's the horrible paradox here. I mean, when you have a disgruntled and angry workforce, the chance of them wanting to do something to perhaps - they would think - help themselves and harm the U.S. government, that chance becomes even greater. That's exactly right.
SIMON: You worried about the state of cybersecurity in the U.S.
SCHINDLER: Oh, very, very, and I think obviously, that goes far beyond the government problems here. But, I mean, look, I think the horrible truth that's come out is OPM - the Office of Personnel Management - was warned repeatedly in inspector general reports to get serious about cybersecurity. They failed to do so, even though the threat was very real and rising. And I don't like to badmouth the federal government and say if only they were as efficient as the private sector. Any major private company that had cybersecurity this bad, they'd get hacked, too. So I - we cannot undo this damage. What is done is done and it will take decades to fix. We owe this to federal government employees and military members and we owe this to the American public. And we got to start right now, but the first step is admitting how bad it really is.
SIMON: John Schindler, security consultant and former National Security Agency officer, thanks very much for being with us.
SCHINDLER: Thanks for having me. Transcript provided by NPR, Copyright NPR.