A number of Obama administration officials painted a picture of a government office struggling to catch up, with the Chinese ahead of them at every step.
WASHINGTON — The inspector general at the Office of Personnel Management (OPM), which keeps the records and security-clearance information for millions of current and retired federal employees, issued a report in November that essentially described the agency’s computer security system as a Chinese hacker’s dream.
By the time the report was published, Chinese hackers had already downloaded tens of thousands of files on sensitive security clearances and were preparing for a much broader attack that obtained detailed personal information on at least 4 million current and former government employees. The agency is still struggling to patch vulnerabilities.
Federal officials said Friday the cyberattack appeared to have originated in China, but they didn’t point fingers directly at the Chinese government. White House spokesman Josh Earnest said he couldn’t divulge much while the case was under investigation. Still, he noted investigators “are aware of the threat that is emanating from China.”
The Chinese said any such accusation would be “irresponsible and unscientific” and said the U.S. should be “less suspicious.”
A number of Obama administration officials painted a picture of a government office struggling to catch up, with the Chinese ahead at every step.
OPM did not possess an inventory of all the computer servers and devices with access to its networks. It did not require anyone accessing information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
The problems were so severe for two systems that hosted the databases used by the Federal Investigative Service — which does background investigations for officials and contractors who are issued security clearances — that the inspector general argued for temporarily shutting them down because the security flaws “could potentially have national security implications.”
But hackers in China apparently figured that out months before the report was published. Last summer, a breach appeared aimed directly at the security-clearance records, information that could help a determined hacker gain access to email or other accounts belonging to those entrusted with the nation’s secrets.
While upgrades were under way, the much broader attack occurred, apparently starting in December. Before it was detected, in April, personal information on at least 4 million people — that number is likely to grow — was apparently downloaded by a patient, well-equipped adversary.
As one former senior government official who once handled cyberissues for the administration, and who would not speak on the record because it could endanger the person’s role on key advisory committees, said Friday: “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”
Shutting the barn door
For the Obama administration, which came to office holding East Room events on cybersecurity and pressing Congress, for years, to pass legislation that would allow the private sector to share information with the government, what has happened at the OPM can only be described as a case study in bureaucratic lethargy and poor security practices.
In the most egregious case cited by the inspector general, outsiders entering the system were not subjected to “multifactor authentication” — the systems that, for example, require a code that is sent to a cellphone to be entered before giving access to a user. Asked about that in an interview, Donna Seymour, the chief information officer at the OPM, said installing such gear in the government’s “antiquated environment” was difficult and time-consuming, and her agency had to perform “triage” to determine how to close the worst vulnerabilities.
The agency now plans to install two-step authentication across its network, Seymour said.
The longtime data-security official also defended the decision to ignore the inspector general’s advice to shut down two systems that contain the security-clearance information. Seymour said the investigators were using an outdated assessment of the security measures — and the agency was in the process of getting tighter controls when the intrusion happened.
Another senior official said that with the agency under pressure to clear a huge backlog of security clearances, halting the process was “a nonstarter” with Congress.
During the installation of new security scanning software, officials said, they found evidence of the downloading of millions of files.
“This is one of those classic good-news, bad-news stories,” said one White House official who declined to speak on the record. “It was as a result of additional scanning and monitoring tools on the network that they found some of these indicators” of the intrusion “and surged some capability to find out what was happening.”
What’s China up to?
A number of administration officials in interviews Friday painted a picture of Chinese adversaries who appear to be building huge databases of information on U.S. citizens, useful for intelligence gathering and other purposes.
“They didn’t go to sell the data, which is what criminal groups usually do,” said James Lewis, an expert at the Center for Strategic and International Studies. “It’s biographic databases that really give an intelligence benefit — and that get into an opponent’s skin.”
Such databases indicate where a government official was posted, and security-clearance information would list their foreign contacts, useful if there was an effort to find Chinese citizens in contact with Americans.
But the effort went further. Researchers and government officials have determined the Chinese group that attacked the office was likely the same one that seized millions of records held by the health-care firms Anthem and Premera.
Kevin Mitnick, a former hacker who now runs Mitnick Security Consulting of Las Vegas, called confidential details about federal employees “a gold mine.”
“What’s the weakest link in security?” Mitnick said. “The human. Now you know all about your target.”
The hackers may have made off with even more information about workers who undergo security-clearance background checks. That information includes the names of family, neighbors, even old bosses and teachers, as well as reports on vices, arrests and foreign contacts.
Based on the forensics, experts believe the attackers were not part of the People’s Liberation Army, whose Third Departments oversee much of the army’s cyberintelligence gathering. Rather they believe the group is privately contracted, though the exact affiliation with the Chinese government is not known.
At the White House, officials weren’t saying much publicly about how the breach could have happened after warnings from the inspector general and others. Michael Daniel, the White House’s top cyber official, declined to speak on the record and Lisa Monaco, who has been handling cyber issues as one of Obama’s top national-security officials, declined to be interviewed.