EXCLUSIVE: Entire US national security system possibly compromised by year-long cyber-assault


July 21, 2015: Acting OPM director Beth Cobert is shown. (Government Executive Media Group)

The prolonged hacking into the White House Office of Personnel Management, which put the personal information of at least some 21.5 million past and current federal employees in jeopardy, is only the beginning of the security threat to the Obama Administration and its successors, a number of top-level experts in cybersecurity have told Fox News. The attack has been frequently sourced as coming from China.

The experts warned that the entire U.S. national security clearance system could be compromised, that future senior government leaders and advisors could be targeted even before taking office, and hundreds, perhaps thousands, of government officials might successfully be blackmailed, bribed or otherwise manipulated in the future into handing over still more sensitive information.

The identity disaster could also weaken the U.S. in any time of military confrontation: “If we choose to engage in conflict, we are in a much weaker position,” one expert concluded.

The threat could include intruders already in the government whose security credentials were stealthily enhanced during the OPM intrusion, which may have lasted a year before it was detected last April.

“There may be people walking around with higher levels of clearance than they should have,” said one of the experts. “I believe the entire national security apparatus is now at risk. It’s mind-boggling.”

“It’s the digital equivalent of Pearl Harbor,” another expert told Fox News. “Because people don’t see the carnage, they don’t recognize that this is the equivalent of an act of war. This is about espionage—Cold War tactics in the modern digital age.”

The experts consulted by Fox News were former government officials with deep knowledge of federal information systems and experience with national security issues, who had worked in top positions in both the Obama and George W. Bush administrations. In some cases they requested anonymity to express their views.

The experts were skeptical, to put it mildly, that the Obama Administration did anything significant to stem the disaster during a much-touted “30-Day Cybersecurity Sprint” announced in the wake of the hacking at the Office of Personnel Management (OPM). That exercise ended on July 12.

“They are saying ‘The horse has left the barn, let’s lock the door,’ ” declared Theresa Payton, who served as White House Chief Information Officer from 2006 to 2008, and now runs her own cyber-security consulting firm, Fortalice Solutions. “This is an unrecoverable situation. Our most sensitive data is in bad people’s hands.”

At the time, the White House declared that the sprint objectives were among other things to bolster cybersecurity defenses, “patch critical vulnerabilities without delay” and “dramatically accelerate” the installation of more sophisticated user sign-ins and verification.

Even before the sprint ended White House Chief Information Officer Tony Scott was lauding the effort for “dramatically” hiking the use of so-called multi-factor authentication among higher-level government users — to a bureaucracy-wide average of 20 per cent.

After it ended, a spokesman for the White House Office of Management and Budget told Fox News that “OMB is still assessing and analyzing the data received from agencies as part of the sprint. Once our team has completed the analysis we will release a progress report.”

On the basis of its announced efforts, “I honestly think the government is paralyzed,” one expert told Fox News. “They don’t know what to do.”

In underlining the sweeping nature of the national security challenge that the hacking assault has created, one expert drew a timeline of the intrusion that apparently began at OPM in March, 2014.

In August 2014, a firm named USIS that did background checks for the Department of Homeland Security was also hacked, and files stolen; in December 2014, Keypoint, a company that took over background checking from USIS, was also breached. Last June, OPM revealed that information on some 4.2 million government employees had been stolen, and this month upped the tally to some 21.5 million, while revealing that the Standard Form 86 material had been hacked as well.

“If you take the three breaches together, you can see what leverage people have over us now,” the expert concluded.

Taken together, the forms contained in the OPM databases contain everything from Social Security numbers to fingerprints, financial and employment history, data about friends, spouses and other family members.

All this can offer targeting opportunities not only among the employees themselves but among their named family members, acquaintances, and all their contacts abroad, which are included in security clearance files, along with in-depth security interviews.

The expert, self-described as one of the persons whose national security information, contained in a background clearance document called Standard Form 86, had been stolen, further charged that Administration confusion, disarray and secrecy were still making the problem worse. “We are not doing things in a timely manner,” the expert said. “Many people had their information stolen and have not been informed by the government.”

They are thus still unprepared, the expert said, for all of the risks that they may face as a result — which the expert said went far beyond the financial exposure that the Administration is addressing through credit counselling for civil servants whose identity files had been hacked.

“At a minimum, 24 million people have a counter-intelligence problem,” the expert added. “The question is how they will not be blackmailed or bribed by another government.”

“ID protection is the least of my concerns,” said Fortalice’s Payton. “That eventually works out. But if you steal my entire life, every place I have ever lived, my foreign contacts, you don’t recover from that.”

“I received training to deal with this,” another expert said, “but my children didn’t. It used to be my job to be careful, not theirs. The government owes a conversation to all the family and friends in those forms.”

The problems deepen further if the cyber-intruders start to combine that information with data from the social media of targets, which can deepen understanding of their habits, fears, travel plans and much more. It also heightens their vulnerability in travelling outside the U.S.

“You can expect their home networks, everything around them to be targeted,” the expert said.

Moreover, when the data is matched against current employment and a variety of other indicators, the “bad actors” who have the information can also build an “easy” road map of the most valuable targets to go after.

“I would triage the top 100 or 1,000 or 10,000 people with the highest security clearances and go after them,” the expert said. “I’d ask, who might their No. 2s be? Or follow their meetings. That would be a great target list going far into the future.”

Big Data tools, such as supercomputer processing, make that task easier. “We used to think it would take centuries to go after me,” says Fortalice’s Payton. “But computing processing power has never been faster.”

“This is an octopus,” she concluded.

What can be done about it? The experts agreed that the speed demanded for accountability in the private sector should be the standard for the Administration’s reaction time.

“In the private sector, if I have a significant deficiency in an audit, I have to cure it in 30 days,” one expert said. “Management has to be held responsible. At the moment, nobody owns the problem.”

Other solutions include “Red Teaming” the government’s information systems, meaning using your own hackers to test for further vulnerabilities, something that one expert said could be done “in a week.” The same expert said the government could reconfigure the security architecture of its systems “in a month” — the time that has already gone by since the 30-Day Sprint was announced.

Another suggestion, from Fortalice’s Payton: create a team “working out of OPM, the FBI, the national intelligence agencies, to sit down and assume what actions could be taken against us, and what we could do about them. We need protocols for this, for example making code words part of our daily routine. And it needs to be done across the whole system.”

Without drastic action, she said, “If you are the bad guys, you are now taking a victory lap and coming back for more.”

George Russell is editor-at-large of Fox News and can be found on Twitter: @GeorgeRussell or on Facebook.com/George Russell
