DNI: We don’t know what was stolen in OPM breach

James Clapper, the director of national intelligence, seems to have a habit of going off-message with details of the Office of Personnel Management data breach....

If you’re among the millions of Americans who were affected by the OPM data breach and are upset about the government’s slow approach to disseminating information about what actually happened, you should keep your ear on any public speeches by James Clapper, the director of national intelligence, who seems to have a habit of going off-message.

Just to be clear, I say that with appreciation, not disdain.

A couple of months back, he attributed the intrusion to the Chinese government, making him the first U.S. official, then or since, to do so in a public setting (though, upon further questioning by a moderator, he downgraded that attribution to say that Beijing was just the ‘leading suspect’).

Then there was this bit of news on Thursday:

“We don’t actually know what was actually exfiltrated [from OPM],” Clapper said at a conference co-hosted by Georgetown University and the National Geospatial Intelligence Agency. “What you’re hearing about is the absolute worst-case scenario, because we cannot and don’t have enough granularity on the forensics to determine what was taken. What has been portrayed, which I think was prudent and honest, is the worst case.”

Clapper, who arrived at Georgetown after having delivered the intelligence community’s Presidential Daily Brief to President Obama a couple hours earlier, is presumably pretty up to speed with the latest intelligence on the OPM hack, which makes his statement hard to reconcile with the rest of the government’s drip-by-drip disclosures over the last several months, such as one a day before in which OPM said it now believes the hackers stole 5.6 million fingerprint records, not just the 1.1 million it initially believed.

To be sure, data forensics is an inherently difficult business. It’s easy to tell whether a physical object is missing after a burglar has broken into your house or your car; it’s much tougher to tell whether a hacker who’s had administrative access to your agency’s network over a period of many months has made digital copies of your data. Given that, it may be unreasonable to expect OPM to deliver a full and immediate accounting of what was lost.

But given the vast scope of the data theft, it would have been helpful to both the affected federal employees and to the democratic debate about what should be done about it if administration officials had said from the outset that the culprit was a nation state and acknowledged from the beginning that we don’t actually know what was stolen by that foreign power.

That approach may, for example, have provoked a serious debate before $133 million was committed from already-scarce agency budgets just for credit monitoring services. Since the perpetrator is assumed to be a foreign government, it seems unlikely that they hacked the OPM systems for the purpose of committing financial crimes.

CSID, the private firm OPM engaged for identity protection services in the immediate aftermath of the first data breach, told Federal News Radio that its sophisticated monitoring capabilities revealed no evidence of federal employees’ data being traded on the black market.

Clapper said much the same on Thursday: “We’re looking for evidence of this information turning up someplace, which we haven’t seen yet.”

Thus far, however, the government’s most visible response has still been to offer credit monitoring services.

“This is like washing your car when your engine is broken,” Alan Paller, the director of research at the SANS Institute, told me recently. “You think you’re doing something useful, but it has nothing to do with the actual problem. The value of this data is the long-term creating of spearphishing attacks or any other use of knowledge about you. That’s the real problem. The credit stuff is not a problem.”

This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature.
