U.S. counterintelligence center bucks responsibility for OPM hack

The buck stops… somewhere else.

The U.S. agency responsible for guarding computer networks against security threats says that it wasn’t responsible for failing to stop the largest-ever breach of U.S. government systems.

The National Counterintelligence and Security Center’s powers and responsibilities “do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems,” William Evanina, the head of the NCSC, wrote in a letter to Sen. Ron Wyden (D-Ore.).

Wyden wrote to Evanina in August to ascertain the NCSC’s role in securing the networks of the Office of Personnel Management. Hackers believed to be associated with the Chinese government broke into OPM’s servers and stole the personnel records of more than 22 million current and former federal workers.

In a statement, Wyden slammed the NCSC for offering “a bureaucratic response to a massive counter-intelligence failure,” one that he called “unworthy of individuals who are being trusted to defend America.”

“The OPM breach had a huge counterintelligence impact and the only response by the nation’s top counterintelligence officials is to say that it wasn’t their job,” Wyden said. “While the National Counterintelligence and Security Center shouldn’t need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data.”

Wyden also asked Evanina whether the breach would lead the NCSC to reconsider the length of time for which OPM retains personnel records, including sensitive background-check forms. The NCSC head said that OPM’s decades-long records retention has value for personnel security purposes because it lets the government assess the ‘whole person’ over a long period of time when determining whether to grant a security clearance.

Wyden has used the OPM hack to illustrate the need to address federal network security before passing cybersecurity legislation, known as CISA, that would let private companies send the government vast troves of cyber threat data, which could include Americans’ private information.

“The way to improve cybersecurity is to ensure that network owners take responsibility for plugging security holes,” he said, “not encourage the sharing of personal information with agencies that can’t protect it adequately.”

Wyden is a senior Democrat on the powerful Senate Intelligence Committee, which oversees the work of the NCSC and more than a dozen federal intelligence agencies. A Wyden spokesman said that there were no immediate plans to pursue hearings on NCSC’s role in securing government networks.

Evanina’s response to Wyden can be found below.

Photo via Perspecsys Photos/Flickr (CC BY SA 2.0)

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.