The OPM compromise and information dynamics.

Jul 06, 2015

If you pay attention to the news, you've undoubtedly heard that the US Office of Personnel Management, which coordinates the background investigations for every civil servant and contractor of the United States government, was pwned so thoroughly that the intruders even got into E-QIP, the online web service that prospectives have to enter their life histories into (well, at most the last decade of it) so the process can begin. Say what you want about government, but this will probably go down as the most gigantic clusterfuck in history and it shows every sign of getting worse, not better. One of the things the US government has gotten incredibly paranoid over since 9/11 is people who aren't USians, almost unto xenophobia. So why, then, did they outsource their entire IT infrastructure management to mainland China?

I got nothin'. And that's not what I wanted to write about, actually. What I wanted to write about is how wrong-headed the idea of "Tell your security officer everything, because if somebody tries to blackmail you about it you can go to them, and they'll help" really is. Here's the idea underlying security clearances: For information of a certain level of sensitivity (the metric of which is how much damage will be done if it gets out or is abused), how much can the government trust the people who will have access to that information? Movies and television have pretty accurately sketched out what they are, and whoever wrote the Wikipedia page seems to know their stuff. The more sensitive the information, the higher the classification level and the more hardcore the background investigation is, ranging from talking to your significant others and parents all the way up to having to undergo a polygraph examination (whether or not you think polygraph exams are worth a tinker's dam is the stuff of a separate post) while being asked questions designed to make you cry or blow your stack. You also have to fill out one of two documents (sometimes on dead trees, most lately through E-QIP, occasionally both multiple times because paperwork goes missing and has to be redone, and database backups are usually not being done when you think they should be (anybody who's ever worked in TechOps will expound upon that at length)) which document large swaths of your life history, sometimes all the way back to ten years ago, to give investigators something to go on. You can Google those PDFs pretty easily if you've a mind to; they are not themselves sensitive and you can see what kinds of questions you will have to answer: Your arrest record, how hard you party, any affairs you might or might not have had (or be having), how much you drink, whether or not you have ever taken drugs (this can be an immediate deal-breaker for several agencies)... the list goes on and on.
There are lots of questions about where you've lived, who you know, and who probably still knows you because the investigators will contact at the very least some subset of those people to verify the answers, and they ask questions about what you did and the kind of person you are (which aren't on the forms). They take notes, and sometimes transcripts of those discussions. The investigators will also interview the applicant at least once (sometimes several times) to question them about things that came up during those field investigations.

OPM's investigators are reasonably hard to shock because they've quite literally heard nearly everything. Chances are you are not the only LaVeyan Satanist/crossdresser/swinger/fanfic author they've ever met. You might be the sixth that month. This makes them scarily easy to talk to.

It is standard procedure to fingerprint applicants for security clearances. Whether or not one's fingerprint cards are scanned into E-QIP is unknown. Of course, if they are there's no way they could ever be abused...

It is also common for the security officer you work under (who is usually your boss) to take you aside and tell you "Look, if there's anything you'd like me to know in case somebody tries to twist you with it, you can come to me." The idea is, if the government knows your dark secrets and your boss knows your dark secrets, they'll help you out if anybody tries to use them against you. Feels warm and fuzzy inside, like you just ate a puppy, doesn't it?

Unfortunately, this doesn't stand up to logic. Neither the government nor your boss is in a position to ride to the rescue of anyone who's being twisted. They'll initiate the plans they have in place, which involve calling in the counterintelligence aspect of the agency to handle the in-house stuff and the FBI's counterintelligence unit, which is specifically charged with handling the civilian side of CI work. These protect the military or government entity's interests and do their part protecting national security, but they don't necessarily protect the individual's.

Hypothetically speaking, the Chinese government (for fuck's sake, we know they had root all over OPM and E-QIP because they were hired to have it so there's no sense in saying "allegedly") could sift through all of the records, all of the interview transcripts, and all of the notes and find particularly useful people working for $agency. It would be ever so easy for them to send an agent (possibly a deniable asset, maybe not, diplomatic immunity covers a multitude of sins) to visit that person and have a little chat with them:

"Hi. I hear you lead an interesting life... I saw you and your wife pick up that other couple and go into that club with the red sheets on the mattresses upstairs two weeks ago. I also know that you and your wife (that is your wife, isn't it, and not your neighbor's?) go shopping at the same lingerie stores. You know those rough characters a couple of miles away, the ones with all the guns that just had that rally downtown? I could be persuaded not to give them that evidence along with $5000 in cash for their time if you used your access at $agency to do the following for me..."

So, the target in question does what they're told is the right thing: They go to their boss and report a security incident, namely that they're being twisted by someone who's probably working for a foreign power. They know rather a lot. They want the target to do foo and bar and baz or they'll out them to the community. The boss/security officer hits the panic button and CI gets brought in. Magick happens way above the target's pay grade. Chances are the target's security clearance gets suspended or rescinded, they lose their access immediately and get stuck working offsite for a few weeks to a few months; maybe they lose their job entirely. It's happened.

But then the foreign agent, seeing that nothing's going to materialize for them, gets honked off (maybe they hear from someone else inside $agency that counterintelligence has spun up in response) and follows through on their threat. The rough characters a few miles away get their five grand to go after the target and set a few fires, break a few bones, and maybe open fire on the target and their family ("'murica! Fuck yeah!"). Possibly some lives are lost. The foreign power follows through on their threat for a few reasons: First, to have tangible, verifiable examples that they can and will follow through on the threats they make. Second, it keeps everybody they're already twisting in line, and now they have additional pressure to bear on them ("You could be next."). Third, it's good for the career of the field operative, because getting shit done always looks good.

Lest this sound like blaming the victim, I'm not, or at least I'm not trying to. People find themselves working in positions that require this sort of lifestyle shakedown for many reasons, from not being able to find a job that lets them afford even a shitty apartment in some places to being a True Believer(tm) of some sort or other, and working in a cleared government position is a means of supporting that. Nobody has to, but then again nobody has to live with a roof over their head and be a contributing member of society, either. Everybody has something in their personal life that they'd much prefer remain private, if only because a sufficiently creative individual could twist it in such a way that it seems like a big deal, and uninformed communities get angry fast and are easy to manipulate. It is my considered opinion (and I've been considering this pretty hard these last few weeks) that OPM well and truly sodomized the canine and possibly ruined the lives of several million people in the United States in so doing. Unfortunately, the way the government usually works, the people who fucked up the worst ("Sure - hire people who live within the borders of one of our biggest international rivals to run our IT infrastructure - what could possibly go wrong?") are going to take so little fire for this they'll barely get a tan. A few might resign, live off of their savings for a few months (maybe they'll sell off some of their stock holdings to raise a little "fuck you" money), and either go to work for another government agency or keep the revolving door going by starting a contracting company. Ripples are undoubtedly being felt down the chain of command at OPM right now. Folks really low on the totem pole (no small number of whom probably registered their complaints time and again) are going to get sacked, as they always do. Things might change slightly internally, but I wouldn't bet the dime in my pocket that the changes would be anything that could be termed substantial from the perspective of information security.