Outsourcing is the rage these days and the US businesses, chasing cheaper labour in perpetual pursuit of efficiency/savings/greater profits, are at the head of the field. US government agencies have followed suit, trying to make do with the limited budgets they have, and the Office of Personnel Management (OPM) is no exception.
The OPM is a somewhat obscure US federal agency which, among other things, conducts 90+% of background checks for personnel applying for sensitive jobs in the military and security agencies. Just as with large corporations, the cost and staff requirements of maintaining their IT infrastructure led them to seek savings by hiring outside talent for the job. What OPM did wasn't any different from what many US corporations do.
♦ Outsourcing
As it goes, when outsourcing functions one can easily end up outsourcing the related know-how and the judgement acquired by experience (all the stuff you can't put into an SLA). Which savings just were not worth it usually becomes apparent only in hindsight. Given that some things are irreversible, lack of foresight results in a self-inflicted wound.
Obviously, with outsourcing knowledge retention becomes a real problem. Staff tend to run away when they see the writing on the wall, and the best leave quickly in pursuit of more rewarding employment and to escape the terminal boredom of administering to Whatnot in Mumbai or, worse, having to train their replacement before being given the boot. That is to say, those who remain are usually not the crème de la crème.
♦ Security Breach
I'm guessing, but perhaps that was why the OPM hired the wrong people. That they did so is clear. I wonder whether the OPM will heed the sage advice Dr. Watson dispensed to the hapless pawn shop owner in the Jeremy Brett adaptation of The Red-Headed League: "Next time you engage an assistant, pay him the proper wage!" ... but I digress.
As it went, OPM came to hire apparently Chinese hackers - and gave them root access. This would have been bad for a company, but became something else entirely when it came to government data. Here, the hackers were able to steal the sensitive personnel records of federal employees working in military and security agencies. Business Insider reports (links below):
"Specifically, the hackers reportedly acquired SF86 forms, which detail sensitive background information."
"[The] OPM is responsible for administering the SF 86, which is one of the most extensive national security questionnaires that exists."
"Federal employees and contractors who want government-security clearance have to disclose virtually every aspect of their lives via an SF 86 questionnaire, which is then stored on OPM's largely unencrypted database. ..."
"In fact, the breach was unprecedented in its breadth and scope: "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday."
The time the hackers had to sift through all that data likewise was unprecedented:
"The average time Chinese hackers have access to a compromised system is 356 days and the longest recorded was 4 years and 10 months."
♦ Dimension of the breach
This has the potential to severely compromise US personnel and more, and here I hand over to TTG, who is better able to explain what it means:
"When I heard of this data breach, my first thought was that here was another reason to watch my credit card and bank accounts very closely. What more could I lose after the news of the Anthem Blue Cross data breach discovered back in February. Then when the loss of the security files of up to 14 million Federal employees, retirees and contractors was announced, I knew this was a lot worse than the temporary loss of a credit card or two.
I have seen opinions that the information lost in this data breach poses a danger to U.S. personnel operating overseas in sensitive and covered positions. Fortunately, most people operating in those kinds of positions do not have records stored at OPM. I didn’t have contact with OPM until I retired from DIA. However, a lot of people who work with those in sensitive positions do go through the OPM for their security clearances. That includes a slew of support personnel and contractors. Those working under cover could be discovered through their associations with those support personnel and contractors.
The loss of the information contained in the SF86s and background investigations of these people is a treasure trove to China or whoever has this information. Filling out an SF86 is a laborious and time consuming task for anyone. It can take weeks to gather the detailed information requested in the form. The information in the OPM’s database of SF86s represents decades of man-years of detective work.
With that information and a halfway decent data mining tool, one can easily construct an accurate and detailed model of the vast national security structure of the USG. This model would include all the myriad government and contractor offices, the leadership structure along with detailed contact information, what they think of each other, and everyone’s dirty laundry. This model would also show how this national security structure evolved over time, at least since 9/11. With additional inputs, this model may even be predictive. This is indeed a serious data breach."
Links:
- http://uk.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6?r=US
- http://uk.businessinsider.com/level-of-damage-omp-hack-2015-6?r=US
- http://uk.businessinsider.com/opm-hack-was-classic-espionage-on-a-scale-weve-never-seen-before-2015-6?r=US
- http://abcnews.go.com/US/feds-feared-tens-millions-impacted-opm-hack-internal/story?id=31950577
- http://www.govexec.com/pay-benefits/2015/06/size-opm-hack-quadruples-18-million/116011/
- http://www.ibtimes.com/deep-panda-group-wasnt-behind-massive-opm-hack-other-chinese-hackers-were-fireeye-1975658
"Clearly the Champion received a fat private bonus and an offer of employment at the outsourcing company."
On the lower level, a common incentive is iirc a percentage of the nominal savings as a bonus to the salary, something like 10+%. The immediate effect is that even if the costs remain the same, nominal productivity per employee goes up, if only for the books.
At a certain point there is no more staff left to deal with vendor shortcomings. Vendor sales people pitch that they are flexibly scalable. They usually aren't.
I have seen a tripling of agreed-upon workdays (like ten instead of three days?) per task, not to mention the price hikes, as soon as dependency set in. The customer then was barely in any position to do something about it. They couldn't do it themselves for lack of manpower, and besides, the vendor had made sure there was no backwards compatibility of tools, just in case. Classic.
And I haven't spoken about quality yet. If something went bad, they could point out the lack of quality and the champions would say it was a pricing issue, and besides, the customer wouldn't notice or mind (a 200 € book falling out of its cover). The vendor, a broker, had hired the lowest bidder. The solution was a penalty by contract (which will not fix the binding), underlining the priority: Cost trumps quality.
In a sense, outsourcing redefines technical and quality problems into contractual, organisational and pricing problems. That happens as an artificial layer is put in while the task is being relocated to the vendor sphere.
That they still must work the same tech, are tasked to provide a product they only can produce in a certain way and thus face basic technical limitations, doesn't matter, because that was now the vendor's problem. The contractor would figure it out because he has a profit interest in doing so.
See? No more hasslesome technical responsibility, and know-how is no longer necessary. The Champions are always numbers people, and they choose people like themselves for their teams and take care to avoid technical people because those folks would slow the project down.
Posted by: confusedponderer | 24 June 2015 at 06:03 AM
Thank you.
That fits with what I assumed to be the case but lacked the knowledge to be sure about. I work in IT but not specifically on data security. Snowden is an interesting case, as how do you vet for loyalty? In a case like Bletchley Park it was clear who the enemy was, to those inside, and the data they saw confirmed this. The problem is different if the highly patriotic worker begins to have doubts that he is fighting for the right team once he sees what his side is doing. Now he is being asked whether his patriotic duty is to the Constitution & Law or to his non-disclosure oath. Would this not be closer to the soldier's dilemma when ordered to perform what he views as an illegal order?
Posted by: JJackson | 24 June 2015 at 06:56 AM
"You have the same large, inefficient bureaucracies choosing which contractors to hire. A lot of potential to make things even worse."
While I understand the discussion is related to IT contractor outsourcing, the positive thing about OPM outsourcing the field investigation work to contractors is the caliber of the investigators. I know some retired federal special agents and 30-year police detectives who are now doing this work part time. They interview candidates for security clearances, talk with neighbors, etc. These guys are the types you want, not the GS types whose only qualification is a college degree and they won the USAJobs lottery.
Posted by: BostonB | 24 June 2015 at 09:20 AM
Many thanks for this comment!
Posted by: William R. Cumming | 24 June 2015 at 10:19 AM
Thanks Beaver! Could SECDEF be rethinking these policies and issues and assignments?
Posted by: William R. Cumming | 24 June 2015 at 10:21 AM
Great comment IMO! Your sentence: " It will have come full circle when the US freak out at some country conducting a targeted assassination, or perhaps a drone strike, against an enemy on US soil."
MAYBE BUT THERE ARE MANY MANY SOFT TARGETS AND EVEN HARD TARGETS OFFSHORE IMO.
DISCLOSURE: Have some dated expertise in targeting of conventional weapon artillery and nuclear weapons.
Posted by: William R. Cumming | 24 June 2015 at 10:25 AM
Many thanks for this insightful comment and links!
Posted by: William R. Cumming | 24 June 2015 at 10:27 AM
TTG! What many do not seem to know or care about is that Chinese hacking efforts are often launched domestically in the lower 48!
Posted by: William R. Cumming | 24 June 2015 at 10:29 AM
Probably IMO!
Posted by: William R. Cumming | 24 June 2015 at 10:30 AM
Amir
Same thing happened last year at this time. One Japanese woman on a green card got stuck in Paris when she forgot her bag in a cab. Husband and child managed to get back to the US but she couldn't. As a last resort, she went back to Tokyo to stay with her parents and did the paperwork there (cheaper than staying and waiting in Paris in her case).
Posted by: The Beaver | 24 June 2015 at 11:14 AM
TTG & WRC,
"The cyber world consists of inter-networked bad neighborhoods and battlefields where no one or no data is truly safe."
This is what troubles me about commercial drones and self-driving cars. I don't think Silicon Valley types appreciate that they effectively want to build giant risk portals from cyberspace into meatspace.
Posted by: Patrick D | 24 June 2015 at 11:46 AM
As someone whose information was hacked, the government's solution was - as is par - to double down.
Apparently they outsourced to an information security group to provide credit monitoring, hahaha. Everything is so surreal nowadays.
Posted by: Tyler | 24 June 2015 at 12:44 PM
Agree!
Posted by: William R. Cumming | 24 June 2015 at 01:50 PM
Agree!
Posted by: William R. Cumming | 24 June 2015 at 01:52 PM
YUP!
Posted by: William R. Cumming | 24 June 2015 at 01:56 PM
Tyler,
Is that credit monitoring for life - which is how long the hackers will have your information - or for one year? One year is what my employer offered when they got hacked. Or in this case when the HR employee's laptop with everyone's information was stolen.
Posted by: Fred | 24 June 2015 at 02:17 PM
For sale: 12 million personnel files with security clearance info of many!
http://www.cyberdefensemagazine.com/opm-data-offered-for-sale-on-the-dark-web/
Posted by: William R. Cumming | 24 June 2015 at 04:15 PM
@ CP & TTG
While the info contained in the SF86 is important, it turns out that there is now an admission that the "adjudication information" was also compromised. This "adjudication information" could be considered to be the gov't-generated info, including via polygraph, which follows up on the info provided on the SF86. Take the broad view: OPM has information on gov't employees. That information has been compromised. You have to determine the coverage (which employees) and extent (what information) that has been compromised. SF86 is just the tip of the iceberg (some tip! some iceberg!).
news report: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11698876/China-hackers-gain-access-to-sex-secrets.html
more detailed report: http://www.thedailybeast.com/articles/2015/06/24/hackers-stole-secrets-of-u-s-government-workers-sex-lives.html
Posted by: Turing's Cat | 25 June 2015 at 11:20 AM
The only good news I can add from experience conducting background checks ages ago is the following.
If "adjudication information" was also compromised and if that information was really damaging, the applicant would not have been issued a security clearance and would therefore not be vulnerable, as they would not have current access to classified information (and probably not be currently employed).
At least that's how it worked "way back when". Nowadays I have no idea....
Posted by: McGee | 25 June 2015 at 02:12 PM
WOW! The FBI must be envious!
Posted by: William R. Cumming | 25 June 2015 at 03:29 PM
Adjudication information would be a devastating loss. This would include reports written about any potential issues a security clearance candidate had. It would also include the nitty-gritty details of things like security breaches even where there was no compromise of information. E.g., they could see human factors vulnerabilities in existing security procedures and exploit them. Some more than others, i.e., electronic communication vs. physical.
If they could get the info on which candidates were denied a clearance, China would have a treasure trove. Imagine some recently divorced, financially devastated 50-something guy who has spent 25 years in crypto-analysis. Because of his financial issues he gets his clearance denied (#1 reason for denial, see: http://www.dod.mil/dodgc/doha/industrial/2015.html) and he can no longer do sensitive work. He might even be pushed out. Do you think this guy would make a good target for some attractive mature Chinese female spy? Heck, the Chinese would now have the personal weaknesses and peccadillos of even the ones who get the clearance granted, and have current access.
Posted by: BostonB | 25 June 2015 at 04:52 PM
An interesting effort was OMB's to define INHERENTLY GOVERNMENTAL FUNCTIONS in its policy guidance. Still-born IMO!
Posted by: William R. Cumming | 26 June 2015 at 08:16 AM
To avoid personal responsibility in lifting the security clearances of Dr. Robert Oppenheimer, PhD, President Dwight D. Eisenhower issued Executive Order 10450, still in effect, giving the head of each Department or Agency the authority for final adjudication of adverse background information. Lewis Strauss, Chair of the AEC, after some adversary hearings [not a right of government employees but a right of government contractor personnel] lifted some of Dr. Oppenheimer's clearances. JFK gave Dr. Oppenheimer the Presidential Medal of Freedom!
Posted by: William R. Cumming | 26 June 2015 at 08:29 AM