Wyden slams federal response on OPM breach

A Democratic senator blasted counterintelligence officials this week for saying it isn’t their responsibility to identify security vulnerabilities in federal agencies such as the Office of Personnel Management.

“The OPM breach had a huge counterintelligence impact and the only response by the nation’s top counterintelligence officials is to say that it wasn’t their job,” Sen. Ron Wyden, D-Ore., said in a statement.

This month, Wyden sent a letter to the National Counterintelligence and Security Center asking whether it had identified security weaknesses in OPM systems. The agency’s head responded in a Sept. 15 letter.

“The statutory authorities of the National Counterintelligence Executive, which is part of the NCSC, do not include either identifying information technology vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems,” NCSC Director William Evanina wrote to Wyden.

However, Evanina did have an opinion on the long-term retention of personnel records. Responding to a question from Wyden as to why OPM stored personnel records dating back to 1985, Evanina wrote that while “we may incur certain vulnerabilities with the retention of background investigation information … this retention has value for personnel security purposes.

“The ability to assess the ‘whole person’ over a long period of time enables security clearance adjudicators to identify and address any issues … that may exist or may arise,” Evanina wrote.

Wyden responded in disgust.

“This is a bureaucratic response to a massive counterintelligence failure and unworthy of individuals who are being trusted to defend America,” Wyden said. “While the National Counterintelligence and Security Center shouldn’t need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data.”

In an interview published on Monday, Wyden hadn’t ruled out using the Senate’s subpoena power to compel a response from the NCSC if it failed to offer one voluntarily. He has been seeking answers as to how intelligence officials failed to foresee or prevent a cybersecurity breach of the OPM that resulted in access to personnel files on 21.5 million people who have applied for security clearances from the U.S. government.

Life has been hard for officials associated with the OPM breach. Former OPM Director Katherine Archuleta resigned over the incident in July, while members of Congress have continued to call for the resignation of OPM Chief Information Officer Donna Seymour.

“I was not at all unhappy that we were not called in to help with OPM,” said Lt. Gen. Kevin McLaughlin, the deputy commander of U.S. Cyber Command, in response to a question on the breach on Thursday.

Responsibility for defending the cybersecurity of federal agencies generally falls under the Department of Homeland Security. However, the breach has implications for U.S. intelligence personnel.

Evanina acknowledged the security implications last month, suggesting that China was sharing the information with Russia to look at “who is an intelligence officer, who travels where, when, who’s got financial difficulties, who’s got medical issues, [to] put together a common picture.”
