A top national intelligence official says the intelligence community had no responsibility to warn the Office of Personnel Management about vulnerabilities that led to the massive hack of more than 21 million sensitive federal employee records — despite the incident now being a significant national security risk.
National Counterintelligence Executive William Evanina wrote a letter to Sen. Ron Wyden answering the Oregon Democrat’s questions about the landmark cyberattack, which has been blamed on the Chinese.
In response to Wyden’s question of whether the intelligence community had assessed the vulnerabilities of the database of highly sensitive background check information that OPM maintained, or whether it had offered any advice to OPM, Evanina pointed to bureaucracy.
“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS),” Evanina wrote. “The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.”
In the short letter, Evanina also defended the decision to maintain a database of the background checks going back as far as 1985, saying it offers the advantage of being able to “assess the ‘whole person’ over a long period of time.”
The breach of OPM was announced this summer, when the agency revealed that hackers had infiltrated its systems to steal the records of more than 21.5 million current, former and prospective federal employees — a database that included members of the intelligence community, some current members of Congress and some current members of the Cabinet.
U.S. officials have blamed the Chinese government for the attack, saying the stolen records amounted to a treasure trove of counterintelligence information. China has denied being behind the breach.
OPM’s director resigned in the wake of the hack, and Congress has taken the agency to task for ignoring years of inspector general reports raising serious concerns about flaws with the agency’s computer networks.
Wyden, who sits on the intelligence committee and is a privacy hawk, was displeased with Evanina’s response, saying the intelligence community should have done more to prevent the attack from happening.
“The OPM breach had a huge counterintelligence impact and the only response by the nation’s top counterintelligence officials is to say that it wasn’t their job,” Wyden said in a statement. “This is a bureaucratic response to a massive counter-intelligence failure and unworthy of individuals who are being trusted to defend America. While the National Counterintelligence and Security Center shouldn’t need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data.”