In light of last month’s historic cyber-breach of the Office of Personnel Management, Derrick T. Dortch (head of career services at IWP) recently hosted two notable guests on his radio show Fed Access (Fridays at 12pm, Federal News Radio 1500 AM). Intelligence experts Charlie Allen and Terry Roberts, both members of the Intelligence and National Security Alliance (INSA), answered questions about the state of cybersecurity throughout the federal government.
Mr. Dortch began his interview by helping the listener understand the tremendous implications of the security breach. “At least four million former, current, and hopeful government employees had their personal information stolen from the database,” he said. That includes everything a person submits to the government in an SF86, the form used to apply for a security clearance.
“I’m currently holding an SF86 and it is 120 pages,” Derrick said. The form requests an exhaustive amount of information on an applicant’s personal finances, health, family, friends, former employers, former addresses, foreign contacts, and a host of other details.
“So what can a foreign intelligence service do with this information?” he asked the experts. Charlie Allen responded by stating that this information would be particularly helpful to those are looking for vulnerabilities to exploit in a recruitment target. He was careful to point out that when a foreign intelligence service seeks to recruit someone to spy on their behalf, there is a certain method used. It is a method centered on amicable relations and generous assistance in personal matters and less formed by blackmail and intimidation.
With the information gathered from an SF86, an intelligence officer can more ably plot the most effective course to be taken in influencing a government employee to disclose classified information. It will also greatly assist a foreign intelligence service in selecting a person to pursue.
Terry Roberts pointed out another way hostile nations could frustrate the efforts of the United States with this information in hand. “The gamut of personal data taken means actors can become you online,” she said. “This means they can try to log back into computers holding sensitive information through different networks throughout the various bureaucracies. They can send emails under the guise of a federal employee to those inside and outside of the government.”
The interview proceeded to the next logical question: “Now what do we do?”
Both Mr. Allen and Ms. Roberts affirmed that the United States needs to structure a cost effective way of protecting the “crown jewels” of the national security industry. “The Office of Personnel Management database was one of those jewels,” Ms. Roberts said. They both advocated for an approach in which the most sensitive and revealing information available should be defined and specifically protected.
Antiquated security systems, staffing issues, and the lack of interagency cooperation was discussed at length. Even some prevailing cultures within the U.S. national security industry were identified as problematic. “Very candidly, the United States has not put enough resources into counterintelligence,” Mr. Allen stated early in the interview. “Particularly since 9/11, we’ve put so much into collection, analysis, and operations. Our lifeblood, counterintelligence, has always been underfunded.”
“It seems to me that if I was sitting in Moscow or Beijing, I would have a lot of information on targets,” Charlie Allen stated. “The information may not be used for five or ten years, but it can still hurt us in the future.” The breach was a watershed moment for the United States and stands “without precedent.” Terry Roberts instructed listeners to be extra careful in opening suspicious attachments and emails in the coming months.
Both interviewees are current members of the Intelligence and National Security Alliance. Charlie Allen has many years of experience in cybersecurity, both with the Department of Homeland Security and the Central Intelligence Agency. He is also a senior intelligence advisor at the Chertoff group. Terry Roberts is the former Deputy Director of Naval Intelligence, former Executive Director of the Carnegie Melon Software Engineering Institute, and founder and president of Cyberseek Incorporated.