Lawmakers Want National Security Damage Assessment on OPM Hack

Several House committees want an unclassified report from President Barack Obama on the damage to U.S. spy operations wrought by the historic breach of federal employee background investigations.

The U.S. government has committed to spending $330 million on anti-fraud protections for the 21.5 million victims whose Social Security numbers were compromised. Agencies have warned about risks to these individuals’ financial security. But little has been said about the national security threats posed by the unprecedented exposure of personnel records.

The House version of the 2016 Intelligence Authorization Act would change that within four months of enactment.

Under the bill sent to the floor on Monday, the president must deliver a report covering the effects of the cyberintrusion “on each element of the intelligence community.”

The rundown must include U.S. operations overseas that have been "entirely suspended" or disrupted as a result of hacks at the Office of Personnel Management allegedly perpetrated by China-sponsored cybersnoops.

Obama would have to explain how foreign agents might use the stolen data to put federal employees, their families and their friends in "compromising" positions that could expose sensitive national security information.

The report also must describe the impact of the hack on U.S. foreign policy decision-making. 

In addition, it would lay out how foreigners can exploit the stolen files for "recruiting intelligence assets" -- in other words, for turning U.S. operatives into traitors.

The proposal allows the administration to submit a classified annex to the unclassified report.

The legislation also calls for Director of National Intelligence James Clapper to brief congressional intelligence committees on options for responding to cyberattacks. Clapper has not indicated how, or if, the United States will retaliate against China. He has said the OPM incident is not a cyberattack, but instead similar to the kind of espionage conducted by many nations, including America. 

Notably, the lawmakers want a cybersecurity analysis, not of OPM’s safeguards, but controls at other agencies that have successfully thwarted hackers. 

Obama must provide an assessment of the federal agencies that use “best practices to protect sensitive data, including a summary of any such best practices that were not used by the Office of Personnel Management," the measure states. 

A newly initiated White House Cybersecurity Strategy and Implementation Plan stresses learning from mistakes uncovered during a June "cyber sprint" held in the wake of the massive OPM breach.

"Let's learn from agencies that avoided incidents, not just those who have suffered incidents," John Pescatore, a one-time National Security Agency employee who is now a director at the SANS Institute, a security training organization, said last month. "OPM got breached but Social Security Administration gets attacked all the time, yet it wasn't breached." Pescatore added, "What can be learned from the ones who get As” on federal cybersecurity evaluations?

The records stolen from OPM include 127-page profiles on individuals who applied for clearances to access classified intelligence or other sensitive information. The forms catalog contact information of colleagues, neighbors and other associates, as well as medical histories, drug habits, sexual practices and a host of details on employees’ daily lives. 

Using such tidbits, an adversary can impersonate a trusted acquaintance to send malware-laced emails aimed at upending a U.S. intelligence official's job, said Richard Helms, who has spent 45 years in the intelligence community as both CIA employee and CIA contractor. 

The malware, for example, could download criminal material, say child pornography, on a computer to discredit the official, he said. 

"You identify who they are, and you find their associates, you find out where they work, where they travel. All of that data leads to the opposition being able to develop a really big picture of what U.S capabilities are," said Helms, who founded technology companies Abraxas Corp. and Ntrepid.