Two different cyber breaches of the federal Office of Personnel Management were made public last week. The first one — involving, at a minimum, the Social Security numbers of over 4 million past and present federal workers — got the most attention. As bad as that news is, the second breach will have far more serious long-term implications for U.S. national security: it means the Chinese government may have access to the personal secrets of the very people we rely on to hold China’s military ambitions in check.
Late last Friday, new reports surfaced about the additional, earlier loss at OPM. According to unnamed Federal officials speaking to the Washington Post and ABC News, Chinese attackers also stole copies of the highly confidential information supplied by anyone who has applied for a U.S. security clearance in the past several years. The national security implications of the second disclosure are staggering, and far-reaching. To see why, let us compare the information in the two breaches.
The first-announced attack, which according to the American Federation of Government Employees involved the Central Personnel Data File, yielded primarily “PII” — Personally Identifiable Information. This would include, at a minimum, an employee’s Social Security number, home address, birth date, job and pay history, gender, and race. The loss of OPM control over this data is itself a significant national security event. Combining the personal data with the information in the database about where in the federal government each individual had worked will allow the Chinese to build a fully staffed functional map of our federal operations. On a more human note, the personal impact to government employees and their families will be enormous. OPM has begun notifying 4.1 million victims of the breach, offering credit protection services in anticipation of a flood of identify thefts, impersonations, and break-ins to personal accounts using pilfered information.
The second attack, which as of this writing has yet to be officially confirmed, is reported to have revealed the complete federal database of answers to Form SF-86, the Questionnaire for National Security Positions. This questionnaire, which I myself have filled out more than once, is currently 127 pages long. Its purpose is to support an investigation as to the trustworthiness — and, specifically, susceptibility to blackmail — of the applicant.
The form requires that, under penalty of perjury, one answers highly detailed questions. Follow the link for the breathtaking questions regarding:
- Current and former residences, with names of friends there (Section 11)
- Work history, including resignations and dismissals (Section 13A)
- Marital status, including past and present cohabitation (Section 17)
- Relatives, including home addresses (Section 18)
- Foreign travel, and contacts with non-U.S. persons (Section 19)
- Psychological health, including any gambling addiction (Section 21)
- Police record (Section 22)
- Illegal drug use (Section 23)
- Finances, including all debts and bankruptcies (Section 26)
Depending on the level of security clearance involved, the investigator following up on an applicant’s answers will interview both relatives and friends, including old neighbors. One common question, my contacts report, is “Do you know anything about this individual that might make them susceptible to blackmail?”
The database that the Chinese are reported to have stolen is the one containing answers to each of these questions, for all applicants for top-level security clearances in the past several years. Who would that be? Well, many military and intelligence personnel, of course; and also workers in the defense industry, as well as university professors, inventors, and technologists who have assisted the federal government in securing the nation before and after the 9/11 attacks. Many state and federal politicians hold security clearances, too, as do many journalists who cover the national security and military beats. As of 2014, approximately 5.4 million Americans hold security clearances.
If the Chinese now hold detailed information on the 5 million Americans most deeply involved in our national intelligence and security operations and policies, the theft of the SF-85 database must be considered one of the greatest intelligence defeats in history. We, like the Chinese, must contemplate the truth of the military philosopher and general Sun Tzu. He wrote, in The Art of War, “The supreme art of war is to subdue the enemy without fighting.” And we must ask how their access to the personal secrets of America’s intelligence community might affect any future battles.
 “Chinese Hackers Pursue Key Data on U.S. Workers,” July 9, 2014, http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html
 “Chinese hack of federal personnel files included security-clearance database,” Washington Post, June 12, 2015, http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
 “OPM Hack Far Deeper Than Publicly Acknowledged, Went Undetected For More Than a Year, Sources Say,” ABC News, June 11, 2015, http://abcnews.go.com/Politics/opm-hack-deeper-publicly-acknowledged-undetected-year-sources/story?id=31689059
 “Federal Union says OPM Data Breach Hit Every Single Federal Employee,” June 11, 2015, http://www.forbes.com/sites/katevinton/2015/06/11/federal-union-says-opm-data-breach-hit-every-single-federal-employee/
 “Questionnaire for National Security Positions,” SF-86, Office of Personnel Management, https://www.opm.gov/forms/pdf_fill/sf86.pdf
 “5.1 million Americans have security clearances. That’s more than the entire population of Norway,” Washington Post, March 24, 2014, http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/24/5-1-million-americans-have-security-clearances-thats-more-than-the-entire-population-of-norway/
 “Sun Tzu’s 31 Best Pieces of Leadership Advice,” Forbes, May 23, 2014, http://www.forbes.com/sites/ericjackson/2014/05/23/sun-tzus-33-best-pieces-of-leadership-advice/