Five years ago, U.S. officials refused to merge a database containing classified personnel records of intelligence-agency employees with another run by the Office of Personnel Management, fearing that if the two systems were linked, it could expose the personal information of covert operatives to leakers and hackers.
Those concerns look prescient now that the OPM, the government’s human-resources department, has been overrun by hackers who exploited its weak computer security and made off with huge amounts of personal information on millions of government employees and contractors. But that incident has also raised troubling questions about whether U.S. spy agencies actually heeded their own advice and have kept their records physically segregated from the OPM systems that were recently hacked, presumably by spies in China.
In 2010, officials across the government were under pressure to chip away at a backlog in processing security-clearance applications. And a sweeping intelligence law, passed in the wake of the 9/11 attacks, required them to merge their records into one all-purpose security-clearance system.
But U.S. intelligence officials said they couldn’t go along with that plan, “due to concerns related to privacy, security, and data ownership,” according to a report from the Government Accountability Office, Congress’s oversight arm.
Brenda Farrell, the oversight agency’s director of defense capabilities and management, testified before Congress in December 2010 that intelligence officials were particularly concerned that names, Social Security numbers, and personal information for covert operatives would be exposed to hackers if the personnel database, known as Scattered Castles, weren’t left to stand on its own.
But three years later, the Office of the Director of National Intelligence began working with OPM “to set the stage for the upload of active, completed clearance records” from OPM’s system—which was later overrun by hackers—into Scattered Castles, according to a 2014 report (PDF) from the intelligence office. The report noted a “current upload of records” from the Defense Department’s personnel computer system, as well. It is now linked with OPM’s, so that one person can search records in both simultaneously.
The Daily Beast contacted U.S. intelligence officials, as well as spokespeople for the FBI and the OPM. None would definitively say that Scattered Castles is not connected to OPM’s system. If there are connections between the two—as that recent government report suggests there are—it could be exploited by hackers, giving them a pathway from OPM into the most highly classified personnel records in the entire government.
“There is no connection between Scattered Castles and the OPM hack,” a U.S. official said, speaking on background. But when asked whether Scattered Castles has any physical links to the OPM system, such as for sharing files and records between the two systems, the official declined to comment and referred questions to the FBI, which is investigating the OPM hack.
Over at the bureau, a spokesperson likewise declined to answer whether the two systems are linked, noting that “security procedures prevent us from detailing specifics regarding network infrastructure.” A spokesperson for OPM referred all questions to intelligence officials—who are punting to the FBI.
A computer-security expert who has discussed the OPM hack and its implications with U.S. government officials said he was deeply troubled that the people investigating the breach don’t seem to appreciate how a daisy chain of computer systems could allow hackers who compromised one agency to hop to another and steal more data there. Scattered Castles is used by the National Security Agency, the National Reconnaissance Office, and other highly secretive intelligence organizations.
“Based on my understanding of U.S. government databases and networks, as well as recent conversations with U.S. government officials, I have high confidence that the agencies do not have a clear understanding of the architecture of their systems and how they’re interconnected,” Michael Adams, who served more than two decades in the U.S. Special Operations Command, told The Daily Beast. “I further believe that the U.S. government either doesn’t understand or is obfuscating the national-security implications of this cyberattack. These people either need serious help or need to come clean now.”
U.S. officials have already said that Social Security numbers and other personal information on as many as 18 million employees and contractors were compromised in the OPM hack. And the agency’s chief information officer confirmed that details about government employees’ sex lives, drug habits, and financial problems also may have been stolen.
But so far, there has been no official confirmation that active-duty or former intelligence-agency employees were among those affected by the hack. The Scattered Castles system contains their personal information, which could be used to reveal covert operatives’ real names. The system also contains a list of employees with access to so-called sensitive compartmented information, which can divulge intelligence sources and collection methods.
U.S. officials wouldn’t comment on the apparent data links that were set up between the hacked OPM system and Scattered Castles. The 2014 report said that by this year, the links would allow Scattered Castles to “contain active security-clearance records from all federal agencies.” It also noted that “OPM continues to partner with the [intelligence community] to explore cross-domain interface technology and various alternative solutions for enhanced… information sharing for agencies that use unclassified systems.” In other words, more links.
That was good news for the goal of speeding up and better managing the cumbersome security-clearance process. But it’s not clear how officials intended to do that and keep intelligence personnel records secure. Nor is there any indication in the report that the security concerns of just three years earlier had been addressed or resolved.
While the U.S. official said the OPM hack hadn’t affected the intelligence community’s records, it was clear Monday that new vulnerabilities are still being discovered that could pose future threats.
OPM’s embattled director, Katherine Archuleta, said in a statement that the agency had discovered a security hole in the so-called e-QIP system, a Web-based platform used for filling out and submitting background investigation forms. The agency found no indication that the vulnerability had been exploited, the statement said, but OPM took the drastic step of pulling the entire system offline, potentially for as much as six weeks, while the vulnerability is fixed.
An OPM spokesman didn’t elaborate on the nature of the vulnerability or when it was discovered. He also didn’t specify if the flaw was in the Web platform itself, and whether it could have posed a risk to anyone who used it. Websites loaded with viruses and spyware can implant them on unwitting users’ computers.
Dmitri Alperovitch, a co-founder of cybersecurity firm CrowdStrike, told The Daily Beast that the OPM hack shows how government agencies must stop reacting to attacks after they’ve occurred and start “hunting” for threats in their computer networks. “You have to go looking for the adversary,” he said.