Remedying the OPM hack: we need an innovative policy response, not just credit and identity monitoring
In the wake of the recent major hacks of Office of Personnel Management (OPM) databases, OPM has announced that the federal government will be offering the millions of affected individuals with access to identity theft monitoring and restoration services. For individuals who are affected by the background check database hack, additional online services will be offered to protect against fraud, misuse of minors’ identities, etc.
The provision of these types of identity theft and credit monitoring services has become a reflexive action for companies and government agencies. When Company Z gets hacked and tens of millions of its customers’ personal and financial information is at risk, it offers free credit monitoring. When Government Agency Y has a data breach, the same routine. These entities then offer to provide such online services for a fixed period of time, and a limited number of affected individuals bother to sign up, at a cost to the company or agency at around $5/month per enrollee. Those who do sign up get a sense of security that any financial misuse of their information will be detected.
But with respect to the recent hack of the OPM security clearance database, the offering of such services is is a woefully inadequate remedy. As former CIA official Charlie Allen noted in a recent piece, this hack creates “a national security risk unlike any I’ve seen in my 50 years in the intelligence community”. Former CIA and NSA Director Michael Hayden provided a similarly dire commentary in a Washington Times op-ed in June.
Given this context, the offering of online credit and identity monitoring services to the affected population is necessary but should only be viewed as a small, preliminary step in responding to this hack. The U.S. government needs to focus its attention on implementing a broader set of policy remedies that will help to prevent and deter the foreign entity that hacked this database from being able to exploit this information for counterintelligence or other nefarious purposes.
One such policy remedy would be a law or executive order (EO) that protects affected individuals against the adverse consequences of public disclosure of information that had been willfully disclosed on an SF-86 but would provide harm or embarrassment if publicly disclosed. For example, such a law or EO could clarify that it is impermissible and illegal to use SF-85/86 information, if derived from hacked documents, in an employment action or in a legal proceeding, with very limited exceptions. If such a policy remedy were put in place, this would hinder the ability of foreign intelligence services to blackmail and recruit Americans working in positions of trust who are potentially exposed by this hack.
The foreign entity that hacked the OPM security clearance database and stole this information could also attempt in the coming months and years to use information to try to smear and slander individuals (perhaps selectively targeting its high-level critics in government), using unwitting third-parties in the news media and other online mechanisms. The federal government needs to look carefully now at how it can protect otherwise innocent employees against such personal attacks, and needs to bring federal law enforcement agencies and Inspectors General into this discussion, so that they can better differentiate between legitimate predicates for internal investigation versus when they have been baited to investigate by an entity that is using misappropriated information. This will also be an area where Congress will need to carry out judicious oversight and perhaps consider legislation.
These are just two examples. There are other scenarios where one can envision this hack leading to the risk of unique adverse consequences for the affected population, in ways that are ultimately harmful to U.S national security. The federal government needs to be much more forward-leaning in addressing this issue than it has been to date (at least based on its public statements), and develop, publicly explain, and implement innovative policy remedies, working with Congress, that can mitigate the counterintelligence risks of this hack and re-establish trust and confidence within the U.S. national security workforce.