The Office of Personnel Management announced last week that it had been compromised, with four million current and former federal employee records affected (OPM press release, June 4). The story has developed every day since. The number will grow — that is the lesson of every disclosure of this shape — and the harder question is what was in those records.
For the four million on the personnel side, names, Social Security numbers, dates and places of birth, address history, and employment records. That is bad and predictable. The larger question is the SF-86. The Standard Form 86, "Questionnaire for National Security Positions" (opm.gov/forms/standard-forms/sf86.pdf), is the security-clearance background investigation form. It runs to a hundred and twenty-something pages and includes, among many other things, the applicant's residences for the last ten years, close and continuing foreign contacts, family members and their nationalities, financial difficulties, mental-health treatment, drug use, criminal history, military service, and the names and contact information of references and friends. SF-86 data is the single most concentrated personally-actionable dataset on US federal employees that exists.
OPM has not, as of this writing, confirmed that SF-86 records were taken. The reporting from Reuters and the Washington Post, citing officials speaking on background, says they were (Washington Post, June 12). The clearance holders affected appear to be a separate and larger population than the four million covered by the personnel-records figure. There may be two intrusions, in different OPM systems, possibly by the same actor, and the disclosures of the two may have been merged or staged.
The threat model that follows from this is hard to overstate. SF-86 includes the kind of information that intelligence services assemble through years of patient targeting. The dataset reduces that work to a query. The targeting that becomes possible — of cleared personnel, of their families, of their stated foreign contacts — is materially different from the targeting that was possible last week. The compromise is not a credit-monitoring problem. It is a counter-intelligence problem.
Attribution chatter has been pointing at China since the first day. The same caveats I noted in the Anthem post in February apply: first-week attribution is poor, and even careful attribution takes months. Mandiant's APT1 work in 2013 took the better part of a year of patient infrastructure analysis to produce the public report. The OPM investigation is a week old. The attribution may firm up. It may also turn out to be more complicated than is currently being described: multiple actors, opportunistic resale, or operations run through intermediaries. I file the China line as the working hypothesis, not the conclusion.
What the SOC and engagement work should take from this. The technical means of compromise reported so far points at credentialled access, possibly via a contractor, followed by movement into systems whose data-access controls amounted to trusting whoever presented a valid credential. That is the pattern of Anthem in February, and of much of the year's reporting. The defensive lesson is not new, and it keeps being repeated because the architecture decisions that produce it are deeply embedded: identity is the perimeter, and the controls that matter on the data plane are the ones that detect anomalous behaviour by authenticated accounts, not the ones that merely check the account is authenticated. We have been saying that to vCISO clients for two years. The OPM disclosure is the loudest possible amplifier of the message.
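To make the data-plane point concrete, here is a small added example of the kind of check meant above, written for this post and not taken from OPM, Anthem, or any product. It builds a per-account, per-dataset baseline of records returned from a constructed access log, then flags later events by three signals: volume far above that account's own baseline, a dataset the account never touched during the baseline window, and off-hours access. The log format, the account names (hr.analyst1, contractor.svc), the dataset names, the cutoff date and the thresholds are all assumptions for the illustration.

```python
"""Flag anomalous record access by already-authenticated accounts.

Added illustration for this post; not production tooling from any organisation.
The log format, accounts, datasets and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log, one event per line:
#   <ISO timestamp> <account> <dataset> <records_returned>
SAMPLE_LOG = """\
2015-05-01T09:12:00 hr.analyst1 personnel 40
2015-05-02T10:05:00 hr.analyst1 personnel 55
2015-05-03T11:30:00 hr.analyst1 personnel 38
2015-05-04T09:50:00 hr.analyst1 personnel 47
2015-05-05T14:10:00 hr.analyst1 personnel 52
2015-05-01T08:40:00 contractor.svc personnel 120
2015-05-02T08:45:00 contractor.svc personnel 130
2015-05-03T08:41:00 contractor.svc personnel 115
2015-05-04T08:42:00 contractor.svc personnel 125
2015-05-05T08:44:00 contractor.svc personnel 128
2015-05-12T02:15:00 contractor.svc personnel 80000
2015-05-12T02:20:00 contractor.svc clearance 45000
2015-05-12T10:00:00 hr.analyst1 personnel 49
"""


def parse_log(text):
    """Return a list of (timestamp, account, dataset, records) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, dataset, n = line.split()
        events.append((datetime.fromisoformat(ts), account, dataset, int(n)))
    return events


def build_baseline(events, cutoff):
    """Per (account, dataset): list of daily record totals observed before cutoff."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, acct, ds, n in events:
        if ts < cutoff:
            daily[(acct, ds)][ts.date()] += n
    return {key: list(days.values()) for key, days in daily.items()}


def detect(events, cutoff, k=4.0, work_hours=(7, 19)):
    """Evaluate events on or after cutoff against the pre-cutoff baseline.

    Returns a list of (timestamp_iso, account, dataset, [reasons]) findings.
    """
    baseline = build_baseline(events, cutoff)
    findings = []
    for ts, acct, ds, n in events:
        if ts < cutoff:
            continue
        reasons = []
        hist = baseline.get((acct, ds))
        if hist is None:
            # A valid credential reaching a dataset it has no history with is
            # the strongest single signal here; volume is irrelevant to it.
            reasons.append("dataset never accessed by this account during baseline")
        else:
            mean = statistics.mean(hist)
            # With few samples the stdev can be tiny; floor it at 10% of the
            # mean so a steady account does not alert on a trivial bump.
            sd = max(statistics.pstdev(hist), 0.1 * mean)
            if n > mean + k * sd:
                reasons.append(f"volume {n} vs baseline mean {mean:.0f} (+{k:g} sd)")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append(f"off-hours access at {ts.strftime('%H:%M')}")
        if reasons:
            findings.append((ts.isoformat(), acct, ds, reasons))
    return findings


def run_example():
    """Run detection over the constructed log with an assumed cutoff date."""
    return detect(parse_log(SAMPLE_LOG), datetime(2015, 5, 10))


if __name__ == "__main__":
    for ts, acct, ds, reasons in run_example():
        print(f"{ts} {acct} {ds}: " + "; ".join(reasons))
```

Two things are worth noting about the design. The baseline is per account and per dataset, because the question is not "is 80,000 records a lot" but "is it a lot for this credential", and a service account that legitimately pulls more than a human analyst would be drowned out by a global threshold. The caveat is the one the post is making: an attacker holding the credential of an account whose normal job is bulk export will not trip a volume baseline at all, so the "never-seen dataset" and off-hours signals, plus query shape and rate limits on the data service itself, have to carry that case.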
For organisations that do work with cleared US personnel — and several of our customers do — there is a specific operational concern this week. Cleared employees may be approached, in the coming months and years, by intelligence services with information that those services should not have. The HR and security functions need to be ready for that conversation. The standard counter-intelligence guidance applies, but the volume of approaches that becomes possible against a population of millions changes the operational tempo. I have started a note for the manufacturing client whose engagement closed in March; their workforce includes a number of cleared individuals through their US subsidiary, and the briefing I will give the board next month will not be the briefing I drafted in April.
The bit I keep returning to is the scope. SF-86 is the document the US government uses to assess whether a person is reliable enough to hold a clearance. The questions it asks are precisely the questions an adversary intelligence service would want answers to. The form has existed in roughly its current shape since the 1990s; the OPM database holding decades of completed forms has existed for almost as long. The decision to centralise, digitise, and network-attach that database was made over a long period, by many people, against contemporary cost and convenience pressures that I will not pretend would have been easy to resist. The bill is now arriving.