In the days after the Office of Personnel Management announced that hackers had stolen the security records of nearly 22 million feds, former feds, would-be feds and government contractors, the fact that those records had not been encrypted was one of the many points detractors used to heap scorn on OPM.
Encryption is coming, although no one can quite say when. As part of the Defense Department’s role in building a new IT system for background investigations, it will encrypt the data it handles with techniques appropriate to a national security system, officials said Friday during a hastily arranged pre-blizzard conference call.
(Federal News Radio reporter Nicole Ogrysko has a top-notch writeup on the broader security clearance reforms and the standup of a new National Background Investigations Bureau.)
Although the new NBIB will report to the director of OPM, the office of the DoD chief information officer will be in charge of IT security, with the Defense Information Systems Agency handling most of the legwork and contracting to build and run the eventual IT system.
In a conference call with reporters, Richard Hale, the deputy DoD CIO for cybersecurity, downplayed the importance of encryption relative to this particular OPM breach. Crypto-techniques alone might not have helped, since the thieves made their way in by first stealing the credentials of a user with broad administrative privileges.
“But what we’ve been doing with OPM is looking in detail at exactly what happened, and we’re going to use the best national security system standards to design the new system,” he said. “We will use encryption everywhere that it’s appropriate. We’ll have encryption of data while it’s at rest and while it’s moving around in the new system.”
Little else is known about the new system so far — least of all when it will be up and running. Tony Scott, the federal chief information officer, said an interagency group would first need to establish a transition plan, beginning with the assignment of a transition team that would be in charge with ensuring that existing business processes are fully understood and that the new system can adequately support them. The DoD team in charge of IT will move in behind them and begin development some time after that.
“We anticipate that a number of the business processes will change and the policies regarding that will also change,” Scott said. “Some of that has already happened, so you should think of this as an ongoing process, not a series of one-off activities.”
But the new system may address at least one other major question about the OPM breach that I’ve asked several experts inside and outside of government, but to which I’ve never heard a satisfying answer: Considering the gargantuan potential impacts associated with losing this trove of data, was it really necessary to store every government background investigation performed over the past 15 years on a system that’s hooked up to the public Internet?
Probably not, Hale suggested.
“We’ve already started a pretty rigorous process for looking at what information needs to stay online in the new system and what information can be stored offline — or in a more private place so that it’s not accessible from the Internet,” he said.