Intelligence Chief: OPM Hack Was Not a ‘Cyberattack’
Director of National Intelligence James Clapper testifies on Capitol Hill in Washington. J. Scott Applewhite/AP
The intrusion of OPM networks did not involve the destruction or manipulation of data.
The mammoth data breach of millions of background investigation forms at the Office of Personnel Management was one of the largest cybercrimes ever perpetrated against the U.S. government, according to federal officials.
But one thing it wasn’t? A cyberattack. At least in the true sense of the term, according to Director of National Intelligence James Clapper.
Testifying Thursday before the House Intelligence Committee on “worldwide cyber threats,” Clapper told lawmakers the intrusion of OPM networks -- purportedly part of a Chinese espionage operation -- did not involve the destruction or manipulation of data, which are crucial to the “working definition” of an online attack.
Data was “simply stolen,” he said. “That's a passive intelligence collection activity -- just as we do," Clapper added.
Getting the terminology right is important, said National Security Agency Director Adm. Michael Rogers.
“Many times, I'll hear people throw out 'attack,' 'act of war,'" he said. “And I go, 'That's not necessarily in every case how I would characterize the activity that I see.'"
Not all members of the committee were assuaged by the explanation, though.
"I do think that it seems to minimize the gravity of this event by characterizing it [as] not an attack,” said Rep. Chris Stewart, R-Utah, adding, “Many of us view this as simply more than just data mining.”
So far, there’s no evidence any of the stolen data -- including deeply personal information on current, former and prospective federal employees who were vetted to handle sensitive material -- has been used “in a nefarious way,” Clapper said. But the possibility remains a concern.
"There is potentially -- and I emphasize the word potentially -- great risk certainly in the case of intelligence people, particularly those assigned overseas,” Clapper said.
The National Counterintelligence and Security Center is providing information to employees whose personal information was exfiltrated to educate them about potential threats, including blackmail, and how to protect themselves.
In addition, the federal government has picked up the tab -- nearly $330 million in all -- to provide three years' credit monitoring and identity-theft prevention services to those affected.
It’s unclear how effective ID protection services will be at neutralizing the national security implications of the stolen data.
“I feel like that's buying people flood insurance when their neighborhood just burned down," FBI Director James Comey said of the credit monitoring offered to hack victims. "The fire is what I'm worried about. It's not people's credit cards and their credit rating, given what we think the information was taken for.”