
These NASA Researchers Saw the OPM Hack Coming a Decade Ago. But Nobody Listened.

Steve Heap/Shutterstock.com

In a few weeks, San Francisco attorney Daniel Girard plans to file a formal complaint against Uncle Sam on behalf of nearly 22 million hacked federal employees.

It’s widely accepted that massive data breaches discovered last year exposed personal information belonging to current, former and potential federal employees and contractors. The breaches, attributed to Chinese state-backed cyberspies, targeted the computer systems of the federal agency responsible for conducting and filing background checks.

What’s less clear is whether the release of that information, which could include details about hacking victims’ drug use, medical history and sexual practices, has actually demonstrably harmed those individuals.

The delicate legal task of proving harm falls squarely on the shoulders of Girard, who was recently named the lead counsel in a consolidated case against the Office of Personnel Management, representing the American Federation of Government Employees. Girard specializes in digital cases, having served as lead attorney for the class action lawsuit brought by employees of Sony Pictures Entertainment, whose emails fell victim to a hack attributed to North Korea.

To at least two members of the 22 million-person class in the case currently on the court’s docket, Girard’s job is an all too familiar uphill battle.

Aerospace engineer Dennis Byrnes and astronomer Bob Nelson, who both worked as NASA contractors, opened letters from OPM informing them their personal data had been compromised.

The two say they saw the whole thing -- a massive data breach involving sensitive background investigation forms -- coming almost 10 years ago.

In a case that made it all the way to the Supreme Court, Byrnes, Nelson and 26 other NASA contractors argued that the risk of a large-scale hack against the federal government was one of many reasons they should not be forced to submit to what they felt were too-intrusive background checks.

But the risk of a large-scale hack was too hypothetical to even address in court proceedings, Supreme Court justices concluded, and the contractors lost their case.

New Post-9/11 Security Rules

The case stretches back more than a decade. In 2006, a group of scientists and engineers working on projects related to exploring the solar system, moon landing and space observatories received some uncomfortable news: For the first time in their careers, they were all going to have to undergo federal background checks to keep their jobs.

Members of NASA’s Jet Propulsion Lab staff operate in a semi-status between federal employee and contractor. Technically, they are California Institute of Technology employees, since CalTech operates JPL as a Federally Funded Research and Development Center. But until 2006, the scientists hadn’t been required to complete the same background checks applied to regular federal employees.

That all changed with Homeland Security Presidential Directive 12, issued by President George W. Bush in 2004. Three years after the 9/11 terrorist attacks, the new order called for a governmentwide standard for checks on both employees and contractors.

The researchers, whose livelihood was understanding the solar system, were now, like other federal employees, required to authorize the government to ask their personal contacts open-ended questions about them.

‘Far Too Much Intrusion’

Under the new policy, background investigators were directed to obtain “any information” related to contractors’ activities from personal contacts, schools, employers, credit bureaus and other sources. Contractors were also required to list recent drug use, and to note and provide details about subsequent drug counseling they had received.

The background checks struck some JPL staff, including Byrnes, then-chief engineer for flight dynamics at JPL, as too expansive for scientists and engineers. He and Nelson, a senior research scientist, began objecting to the background checks at public meetings, attracting a crowd of other employees who shared their views, he said.  

“My concern, and the concern of all of us, was that this was far too much of an intrusion into privacy for something that has nothing to do with classified work,” Byrnes told Nextgov in a recent interview. “Looking at the atmospheres or the giant planets or the trajectories of how you get there is something that [we] simply don’t need a security clearance” to do, he said.

In 2007, Byrnes and Nelson along with 26 other scientists and engineers filed a lawsuit against the federal government and CalTech. Most of their case centered on the right to informational privacy -- that background checks, which often included open-ended questions about employees’ personal lives and character, were far too invasive for their level of work.

Data Breach Warning Went Unheeded

Beyond the intrusiveness of the questions, Nelson told Nextgov, the JPL contractors were convinced the information would be stolen -- many suspected federal data protection couldn’t effectively prevent a hack.

“We knew that it was not going to be well protected,” Nelson said. “They were lying to us about that.”

Together, the group raised about $100,000 between personal contributions and donations from coworkers and citizens who discovered their case online. That money covered filing fees and travel expenses to the Supreme Court. Attorneys provided services pro bono, according to Byrnes.  

The case wound its way through the federal courts for the next three years before oral arguments were presented at the Supreme Court in 2010.

The team’s warnings about potential data breaches went unheeded. Transcripts of oral arguments show the justices didn’t even bother asking about the government’s track record of securing sensitive information or whether its data protection policies were adequate -- even though several amicus briefs strongly cautioned against the collection of sensitive data.

The brief submitted by the Electronic Privacy Information Center pointed to the hundreds of federal agency breaches in the years leading up to the lawsuit. If the court were to rule against the NASA contractors, the brief stated, “it will require these scientists to disclose sensitive, personal information that is insufficiently protected and at substantial risk of disclosure.”

In its brief, the American Civil Liberties Union wrote, “there have recently been numerous high-profile incidents in which, despite government’s best efforts and best intentions, highly personal and sensitive information collected by the government has been disclosed.”

Still, in an 8-0 decision handed down in January 2011, the Supreme Court ruled against the 28 contractors, prompting several of the plaintiffs to leave the research center.

“It Should Have Had an Impact…”

Byrnes retired from JPL in 2012; he said he would have stayed several more years had he not been required to fill out the investigation forms, though he still consults for NASA through Cornell Technical Services, a firm based in Virginia.

Nelson transferred his research grant from NASA to the Planetary Science Institute in 2013 so he would not have to undergo a background investigation. Many other plaintiffs retired or left the JPL center, according to attorney Dan Stormer, who represented the NASA contractors.

JPL still performs these background checks, according to a statement submitted to Nextgov. CalTech told Nextgov in a statement JPL’s employees have been vetted by the federal government since the legal dispute was settled. JPL’s director did not respond to Nextgov’s multiple requests for comment.

The Supreme Court justices “didn’t want to hear” arguments that the government was unable to protect data, Stormer said in an interview with Nextgov. “We have numerous examples in our briefs … there was a demonstrated inability of the government to keep information which should be kept private,” he added.

Stormer said he isn’t sure the Supreme Court decision would have been any different even if it had been argued after the OPM hack.

“It should have had an impact,” he said. “I can’t say that it would.”


By Mohana Ravindranath March 7, 2016
