Were Background Investigations Falsified During the OPM Hack?

There are growing concerns among some security experts that whoever stole data on 21.5 million federal personnel and family members might have falsified background check information, but U.S. officials say they have no evidence of tampering right now.

One motivation for meddling with investigations could be to embed a foreign operative into the U.S. intelligence workforce, according to uneasy experts and a federal watchdog. 

The Obama administration would neither confirm nor deny officials have been able to check the integrity of the compromised records, which were maintained by the Office of Personnel Management. The attack -- a suspected Chinese spy mission -- began more than a year ago but was only discovered in April.

"There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems," an administration official told Nextgov on Monday. 

Federal agencies often do not do their due diligence to verify that data has not been tainted after a cyber incident, one Government Accountability Office auditor said.

"That's one of the areas that a lot of times gets lost," Gregory Wilshusen, GAO director of information security issues, said during a brief interview last week. He said he does not know if the authenticity of the affected investigation records has been confirmed. 

The focus after a breach is on "unauthorized disclosure of information, which is a big problem, but certainly the integrity of the information can be even more problematic for the agencies if that’s not accurate," Wilshusen added.

An attacker, for example, could "insert some new information or a new record," he said. "That's a big problem, and it's often not getting a lot of attention." Wilshusen was speaking about data breaches generally. 

The OPM intruders gained "privileged access," or carte blanche control, to certain agency systems, administration officials said during hearings last month. 

Fifty-year intelligence veteran Charles Allen on Friday urged that all personnel investigations be sequestered until officials can assure the details documented are correct. 

The forms compromised -- including "Standard Form 86" -- are filed by contractors and government employees applying for a security clearance to handle classified secrets. 

"Security clearance practices are dependent upon trust in data integrity," Allen, a former high-level CIA official, said in a FedScoop op-ed. "The manipulation of this database could include the alteration of clearances or the deletion of records as a means of disrupting our workforce and obfuscating the insertion of falsified records."

Even before the administration revealed the extent of the background check breach July 9, some cyber experts questioned the reliability of hacked clearances. 

"Is the person sitting in the high-security facility in fact an agent for another government whose clearance was inserted into the system?” HP Security Strategist Cynthia Cullen pondered July 3. "When you have intruders in your network for such a long period of time," there is "potential that they may be modifying, deleting or creating data within these systems."

The adversaries were inside OPM’s network from May 2014 through April 2015, according to the Department of Homeland Security.

While lingering, "they could easily be creating security clearances for moles, that may be difficult to detect," Cullen said.