
Placing the Office of Personnel Management Hack in Perspective

OPM Hack China CFR Net Politics Cybersecurity

By

  • Robert K. Knake
    Whitney Shepardson Senior Fellow

Part of the reason I am a bit blasé about the Office of Personnel Management hack is that, if the Chinese government is indeed behind it, it’s not by any stretch the most dastardly thing they have done in cyberspace. It’s just the most recent one that we know about. It’s getting a lot of press because personally identifiable information (PII) was compromised.

The Obama administration has decided to eat its own dog food on disclosure, and is abiding by its own legislative proposal that would require companies to disclose a breach like this. OPM has disclosed what investigators reasonably believe intruders took. That information includes names, social security numbers, date and place of birth, and current and former addresses according to the OPM FAQ. It may also include job assignments, training records and benefit information.

According to the same FAQ, there’s no indication that information related to contractors or family members was compromised. That strongly suggests that, at this point, the investigation has not concluded that security clearance data or the associated investigative files were taken. Given that OPM is following the administration’s draft data breach legislation, I fully expect that if the investigation concludes this data was lost, OPM will disclose it. Stay tuned.

This breach has crossed streams with a breach a year ago that did involve investigative files. David Sanger and Julie Hirschfeld Davis at the New York Times do a good job of untangling these two incidents in their recent article. It takes some close reading to understand that the headline, “Hackers May Have Obtained Names of Chinese With Ties to U.S. Government”, isn’t about this incident but the hack of an OPM contractor a year ago.

So, based on what we know now, this incident is a big loss of PII but it’s not that big a loss of information of intelligence value. We may find out later that the hackers also got their hands on the SF-86s—the forms you fill out when you apply for a security clearance. I am fully confident that if the investigation uncovers those losses, there will be a second statement from OPM and an offer for credit monitoring for contractors and family members.

To put all of this in perspective, here are five Chinese hacks that are worse than the breach at OPM based on a list of significant cyber incidents compiled by the Center for Strategic and International Studies: