Lawmakers look to strip OPM powers after hack
Lawmakers are debating whether to strip the Office of Personnel Management (OPM) of its control over security clearances after hackers made off with nearly 20 million background check forms housed at the agency.
Reps. Ted Lieu (D-Calif.) and Steve Russell (R-Okla.), who both likely had their security clearance details taken in the breach, are prepping a bill that would move the security clearance database away from the OPM, perhaps back to the Defense Department (DOD), where it was housed until 2004.
“OPM was never designed to deal with national security,” Lieu told The Hill.
But several senators backing a bill to boost oversight of those holding security clearances, told The Hill that it’s more audits, not necessarily a new agency, that the review process needs.
“We can say, ‘Oh move it out of OPM,’ but I’m not sure I have a good place to move it,” Sen. Claire McCaskill (D-Mo.) told The Hill.
The discussion highlights an ongoing tension between security and efficiency that both government and industry grapple with in an increasingly digital world.
“When anything comes to security there’s often a trade-off,” said Michael McNerney, a former cybersecurity policy advisor for the secretary of Defense and a Truman National Security fellow.
Housing the entire security clearance process under one agency is efficient, but it’s not necessarily the most secure set-up, he explained.
The move essentially created a “one-stop-shop” for hackers, McNerney said, even as it helped centralize human resources under the government’s personnel agency, theoretically lowering costs and streamlining the process.
“Where do you draw that line?” McNerney asked. “That’s a really hard question.”
Lieu believes the two efforts can easily complement each other.
His bill is focused on locking down the actual database housing the security clearance forms.
McCaskill and several of her colleagues — including Sens. Susan Collins (R-Maine), Kelly Ayotte (R-N.H.) and Heidi Heitkamp (D-N.D.) — are pushing a separate bill to boost oversight of how the process is managed.
“There are sort of two different angles on this issue,” Lieu said.
The California Democrat is worried primarily about protecting what are considered to be some of the most intimate reports the government holds on federal employees.
The Standard Form 86 (SF-86), for example, is 127 pages and contains details on people’s most closely held secrets, such as affairs, drug and alcohol abuse or bankruptcies. Many people reveal details in these forms that even their spouse or closest friends don’t know.
Those who have filled out an SF-86 told The Hill the form is so detailed, they had to do research on themselves to find all the answers.
“A treasure trove for blackmail,” said Lieu, who submitted an SF-86 during his time in the Air Force as a military prosecutor and adviser.
Suspected Chinese hackers now have this data, which can also be used to digitally imitate officials and launch targeted cyberattacks for years to come. Experts believe it’s part of a broad cyber espionage campaign to gather a thorough database on U.S. government workers.
Rep. Will Hurd (R-Texas), who chairs the important House Subcommittee on Information Technology, called the idea of moving the security clearance database away from OPM “something to be explored.”
But some wonder whether another agency would even want to take on the task of securing that database. The Pentagon might be hesitant to take it back, as government-wide HR doesn’t necessarily fit under their military purview.
“I don’t think DOD would want it,” said McNerney, who also advised the Pentagon’s chief information officer on cyber issues as a lawyer. “Manage that crappy system? Are you kidding me? DOD isn’t the only agency that has SF-86s. Are they going to be responsible for every agency’s personnel files? DOD’s not going to want that mission.”
Plus, the OPM has bigger issues with its security clearance system than just protecting the actual data.
The agency has piled up a backlog of pending clearance requests, which may be exacerbatedby the recent decision to shut down its online submission system until a security defect could be rectified. The OPM receives 20,000 to 30,000 background checks each week.
Some have also accused the agency of poorly managing the security of its outside contractors that help conduct these background checks.
Officials have acknowledged that the digital intruders were able to infiltrate the OPM networks after lifting login credentials from an employee at KeyPoint Government Solutions, the government’s main background check contractor.
These failings are not necessarily a reason to take the whole process away from OPM, McCaskill said.
“I’m not sure that there’s anybody in the federal government that has a corner on running a good contract,” she said. “I’ve done enough oversight of contracts that I can tell you horror stories from every agency in the federal government, starting with the Department of Defense and the Department of Homeland Security.”
The senators’ bill, the Enhanced Security Clearance Act, attempts to fix a portion of the oversight problem by requiring automated random reviews every few years to ensure that those with security clearances — including contractors — are not posing a security risk to government data.
Many issues with the security clearance process are more grounded in lack of oversight, than any specific OPM failure, Collins told The Hill.
“It is not that difficult to do a security update and audit,” she said. “It is not that expensive, it is not that difficult. And I believe that if there were more random audits, that we would be able to detect security problems sooner.”
The measure passed out of the Senate Intelligence Committee this week as part of the intelligence authorization bill.
McCaskill said the backers are now “looking around for vehicles” to attach it to. A long-stalled Senate cybersecurity bill to boost the public-private exchange of data on hackers might be one option, she said.
“I think these are just guidelines that need to be in the law that keep everybody I think on their toes and realizing that they’re not going to be able to slack off and get away with it,” she said.