Former Office of Personnel Management Director Katherine Archuleta.
Photo courtesy of the U.S. Department of Education on Flickr.
FBI Director James Comey went to Capitol Hill last Wednesday to argue that technology companies should make our data less secure, in the interest of national security.
Less than 24 hours later, the Obama administration disclosed the full scope - or at least, what we pray is the full scope - of a data breach that is probably the biggest national security debacle since the Soviets stole our nuclear secrets at the start of the Cold War.
Nearly everyone of consequence in our nation’s defense structure was compromised when foreign hackers, ostensibly from China (though the administration has not publicly identified a culprit), took detailed personal information from the federal Office of Personnel Management. In all, more than 22 million Americans are believed to be affected - not only government employees, but also their family members, friends and business associates.
Think about it. An unidentified foreign power (or powers) now holds potentially compromising information about every White House chief of staff who has served in the last two administrations. Every secretary of state, including one who is currently running for president. The 30-year-old computer whiz I have known since his boyhood, who now works for a defense contractor, had his security clearance files stolen. So did Comey himself.
The irony of the revelation following Comey’s complaint to Congress that increased encryption standards are making the FBI’s job harder is painfully clear.
Nobody was guarding the keys to the castle. And while Katherine Archuleta, the director of the OPM, resigned Friday because of the incident, she is more scapegoat than villain in this scenario. Archuleta may have been out of her depth, but she was never meant to be the sole and chief protector of the government’s data. Meanwhile, our national security agencies were evidently too busy over the past decade trying to Hoover every scrap of data they could to spare a moment to ensure their own security was airtight. Rather than secure and encrypt the government’s most sensitive files on the people who did its business, agencies instead focused on keeping track of where each of us went and with whom we communicated, in case one of those communications should be part of a terror plot.
This is part of a systemic crisis that pervades the federal government. It is a crisis of competence, specifically information management competence. And it is one of the most serious threats to our security and to our ability to operate an efficient and effective government in order to protect it.
Failures of federal data management projects are so routine that we expect them. The HealthCare.gov rollout disaster, which still has not been fully corrected, was just one high-profile example. The Internal Revenue Service is funding the government with a computer system that belonged on the set of “Mad Men.” The air traffic control system can’t take advantage of modern facilities like GPS that would greatly increase our takeoff and landing capacity without the need to build a single additional runway; we pay for that lack of capacity in reduced competition and higher fares. The Defense Department spent nearly a decade just trying to get its travel spending centralized so it could take advantage of volume discounts.
Of course the threat of terrorist attacks is real and serious. But we have a much bigger problem on our hands: The people in charge of national security have a warped view of what actually makes us secure. The evidence shows that they don’t know what they should be protecting, let alone how to protect it. While they chase the occasional lone wolf who draws inspiration from the Islamic State group - the FBI claims it made a dozen arrests that may have been linked to terror plots aimed at Fourth of July celebrations - they let organized hackers compromise nearly the entire national security establishment.
Comey seems to have been aware of the irony of his appearance before Congress last week. He previewed the next day’s announcement by saying publicly that “millions and millions” of records had been lost, making it sound like the number of hamburgers sold reported on a McDonald’s sign. Once the OPM came out with the newly expanded details (for at least the third time since the breach, which happened a year ago, was first revealed this spring), the FBI was quick to issue a release about the dozen arrests it made over the last four weeks in supposed terror cases, though no details were given and not all the arrests have resulted in terror-related charges. As an attempt to balance the scales, it goes to show just how warped our security agencies’ perspective has become.
Our security forces can’t be everywhere all the time. Even after Russia warned that Tamerlan Tsarnaev was a potential threat, the future mastermind of the Boston Marathon bombing remained free and without close surveillance. We have spent the past decade honing our efficiency at gathering data - more data than the law authorized, in many cases - but not necessarily our efficiency at using it.
I say this even in the full knowledge that there probably have been some successes against significant terror plots that we don’t know about. But that assumption begs the question.
As awful and upsetting as terror plots are, they usually affect a few dozen or a few hundred lives. In the worst cases, such as 9/11, they can affect a few thousand. But if we lose our freedom to act in response to, say, Chinese aggression against Taiwan or the South China Sea navigation lanes, or against a Russian incursion into the Baltics, or (as may already be the case) an Iranian effort to build and deploy nuclear weapons, the result could be a chain of events that escalates into a war that would kill millions.
Think this is far-fetched? Even without someone holding some dark personal secret over his head, President Obama backed away from supporting opponents of Syria’s President Bashar Assad early in the current conflict, when moderate secular forces were the main opposition and before the Islamic State group became a factor. The result has been four years of war, hundreds of thousands dead, and 4 million displaced Syrians, in the greatest refugee flux of the past quarter-century.
It would be hard to overstate the damage done by the OPM breach. Despite the administration’s hollow claims that it is responding appropriately, whatever that means, there is probably not much that can be done now. It will take a generation or two for the people currently in and around our security establishment to be replaced by others whose records were not affected by the breach.
But at present, there is no reason to think such a disaster can’t or won’t happen again in the meantime. We don’t even know how to define national security, let alone defend it.