The House bill funding the intelligence community for the next fiscal year, which passed the lower chamber 364-58 on Tuesday, requires the president to submit to Congress a report on the ripple effects of the OPM breach, in which hackers reportedly linked to China stole the confidential records of more than 21 million federal employees.
The report must detail how the breach changed “the operations of the intelligence community abroad,” including programs that were “negatively affected or entirely suspended or terminated” following the hack. It must also explain the specific consequences of the breach for each of the 17 members of the intelligence community, from the Federal Bureau of Investigation to the National Security Agency.
The United States has not publicly blamed China for the OPM hack, but the unprecedented theft of sensitive government records prompted U.S. officials to step up their cyber deterrence efforts against the communist country. The Treasury Department, for example, began preparing sanctions on Chinese businesses and individuals who were using stolen American corporate and government data.
In September, the two nations reached an agreement on cybercrime, but that accord only covers the theft of business data for economic purposes, not traditional espionage targets like government records.
If China used the stolen OPM records to identify American spies in its territory, it could blackmail them into becoming double agents. It could also reach out to senior American officials whose personnel files contain damaging secrets and attempt to extort them or influence U.S. policy.
The intelligence authorization bill requires the president’s report to describe “how foreign persons, groups, or countries may use the data,” including for “recruiting intelligence assets” and “compromising employees of the Federal Government and friends and families of such employees for the purpose of gaining access to sensitive national security and economic information.”
The bill “takes critical steps to shore up our counter-intelligence capabilities—particularly important in light of the devastating OPM breach,” Rep. Adam Schiff (D-Calif.), the top Democrat on the Intelligence Committee, said in a statement after the bill passed.
OPM has become the chief symbol of the federal government’s increasingly prominent cybersecurity woes. The administration undertook a 60-day “cyber sprint” and released a plan for shoring up federal network security, and Congress is finalizing a bill to promote the sharing of cyber-threat data between businesses and the government.
OPM issued notices to the federal workers whose records were stolen and will provide them with three years of identity-theft protection, although some lawmakers are criticizing that protection as insufficient.