Outsourcing is all the rage these days, and US businesses, chasing cheaper labour in perpetual pursuit of efficiency/savings/greater profits, are at the head of the field. US government agencies have followed suit, trying to make do with the limited budgets they have, and the Office of Personnel Management (OPM) is no exception.
The OPM is a somewhat obscure US federal agency which, among other things, conducts 90+% of background checks for personnel applying for sensitive jobs in the military and security agencies. Just as with large corporations, the cost and staff requirements of maintaining their IT infrastructure led them to seek savings by hiring outside talent for the job. What OPM did wasn't any different than what many US corporations do.
As it goes, when outsourcing functions one can easily end up outsourcing the related know-how and the judgement acquired by experience (all the stuff you can't put into an SLA). Which savings were just not worth it usually becomes apparent only in hindsight. Given that some things are irreversible, lack of foresight results in a self-inflicted wound.
Obviously, with outsourcing, knowledge retention becomes a real problem. Staff tend to run away when they see the writing on the wall, and the best leave quickly in pursuit of more rewarding employment and to escape the terminal boredom of administering to Whatnot in Mumbai or, worse, having to train their replacement before being given the boot. That is to say, those who remain are usually not the crème de la crème.
♦ Security Breach
I'm guessing, but perhaps that was why the OPM hired the wrong people. That they did so is clear. I wonder whether the OPM will heed the sage advice Dr. Watson dispensed to the hapless pawn shop owner in the Jeremy Brett adaptation of The Red-Headed League: "Next time you engage an assistant, pay him the proper wage!" ... but I digress.
As it went, OPM came to hire apparently Chinese hackers - and gave them root access. This would have been bad for a company, but became something else entirely when it came to government data. Here, the hackers were able to steal the sensitive personnel records of federal employees working in military and security agencies. Business Insider reports (links below):
"Specifically, the hackers reportedly acquired SF86 forms, which detail sensitive background information." "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday.
"[The] OPM is responsible for administering the SF 86, which is one of the most extensive national security questionnaires that exists."
"Federal employees and contractors who want government-security clearance have to disclose virtually every aspect of their lives via an SF 86 questionnaire, which is then stored on OPM's largely unencrypted database. ..."
"In fact, the breach was unprecedented in its breadth and scope: "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday."
The time the hackers had to sift through all that data likewise was unprecedented:
"The average time Chinese hackers have access to a compromised system is 356 days and the longest recorded was 4 years and 10 months"
♦ Dimension of the breach
This has the potential to severely compromise US personnel and more, and here I hand over to TTG who is better able to explain what it means:
"When I heard of this data breach, my first thought was that here was another reason to watch my credit card and bank accounts very closely. What more could I lose after the news of the Anthem Blue Cross data breach discovered back in February? Then when the loss of the security files of up to 14 million Federal employees, retirees and contractors was announced, I knew this was a lot worse than the temporary loss of a credit card or two.
I have seen opinions that the information lost in this data breach poses a danger to U.S. personnel operating overseas in sensitive and covered positions. Fortunately, most people operating in those kinds of positions do not have records stored at OPM. I didn’t have contact with OPM until I retired from DIA. However, a lot of people who work with those in sensitive positions do go through the OPM for their security clearances. That includes a slew of support personnel and contractors. Those working under cover could be discovered through their associations with those support personnel and contractors.
The loss of the information contained in the SF86s and background investigations of these people is a treasure trove to China or whoever has this information. Filling out an SF86 is a laborious and time-consuming task for anyone. It can take weeks to gather the detailed information requested in the form. The information in the OPM’s database of SF86s represents decades of man-years of detective work.
With that information and a halfway decent data mining tool, one can easily construct an accurate and detailed model of the vast national security structure of the USG. This model would include all the myriad government and contractor offices, the leadership structure along with detailed contact information, what they think of each other, and everyone’s dirty laundry. This model would also show how this national security structure evolved over time, at least since 9/11. With additional inputs, this model may even be predictive. This is indeed a serious data breach."