I’m not sure I’m allowed to say this, but I had a secret security clearance for many years. It may not matter anymore. The investigation to obtain this clearance is fairly extensive and involves completion of a Form SF86. When completed, this federal form includes everything from your certificate of birth, education from elementary school through college, every friend you’ve ever known, relatives, places of residence and employment, and if you’d ever been arrested, used drugs, had foreign encounters, to any number of a hundred other questions.
I dutifully filled this out to get a security clearance required for federal and nuclear industry work. How lucky I was to get a secret clearance, and for all its information to be embedded within the United States government’s “secret” files, that only the government and its authorized entities could access.
Our office was even given a “cage” code and an approved vault for secret data but, they never said everything was secure on their end.
I used to stifle a hushed laugh when employees in my office would cringe when they were required to turn over their social security number for state police criminal investigation background checks, give detailed vehicular and personal information, as well as photographs for USAID in Washington – the agency that gives out all our hard earned money to promote international community. I always felt my data, and hence their data, was safe.
In fact, to continue being a Professional Engineer in the State of Texas, for some odd and undeclared reason, I needed to submit my fingerprints. I can only assume that there are many professional engineers practicing out there who were former criminals. Whatever. But I know that these fingerprints are in the trusted hands of a third party contractor that happens to be located in New Jersey and has a contract with Texas. Aren’t they? Read on; maybe not
I saw holes in the “security level” apparatus early on. First, everyone spoke in code, three or four letter acronyms with need-to-know parameters put around projects – even ones with common team members. Because quality control could not occur if our top ranking officer of the firm did not have authority to be assigned by the client for project work to review processes and work product, the work became isolated from management. I saw this in my own company and the results: poor implementation of technology, “backwards facing” knowledge with a reticence to move forward. But, we moved on because… it was secret.
But here is my big rub. We were required to have a separate isolated secure network with limited access and no “back doors” so no theft of electronic data could occur. You would expect all organizations bearing “secret” would be required to do so, wouldn’t you? Especially the federal government.
Back in June 2015, the United States Office of Personnel Management (OPM) in Washington, DC, was notified that they had been hacked. The way they discovered the hack was by a vendor who came in with a network sniffing electronic system that found the snooper. The Office of Personnel Management had no idea that a dog had run wild into their network and scavenged just about everything having to do with contracts, contractors, secret clearances, and identification. In fact, millions of records were lost. And, it is debated whether the number is 5.6 million or 18 million individual records going back to 1985.
How could this secure network be “open” to outsiders still mystifies, and we will never know. Why not? Because it’s secret. The failure is the entire secret structure and the primitive, almost arcane manners we seek to solidify in creating silos of information – critical national security information.
The information is considered to be the “… most critical and sensitive applications owned by the agency,” said Michael Esser, the OPM’s Assistant Inspector General for audits in testimony to Senate investigators. The American Federation of Government Employees (AFGE) is suing in a class action suit. According to attorneys reviewing the case. It is suggested that the response will result in a massive settlement to AFGE members in perhaps the tens of millions of dollars.
While this concerns me as a taxpayer, disconcerting is that I was notified December 2015 in an undated letter containing my new pin code by Beth F. Cobert, the Acting Director of the Office of Personnel Management. Undated, since it’s been six months. Undated, because they don’t want you to know that it occurred in June 2015. Since it was sent by U.S. Mail, I never would have known if it was lost or stolen.
I no longer laugh at my employees when they’re requested to turn over private information to those that they do not know, since our own government cannot even protect our critical information.
Having lived my life in security, almost 40 years doing everything from securing properties, to businesses, to the highest level of justice facilities, courts, and police facilities, I would never have imagined that my most important information was so negligently controlled by the United States government and that a foreign state now has mine and perhaps every secret and top secret cleared individual in the country. If you think this makes the Snowden debacle look tiny, you should. The release of this information is absolutely the tip of the iceberg. Every single operative that was employed under secret clearance has now been identified by name, social security number, residence, and all family members. Think about it. It’s not only the individual whose information has been released, but every single relative, sibling, mother, father, and friend identified on Form SF86. So, in essence, if even 4 million personnel files were stolen, this would be equivalent to approximately five to ten times that number for personal information of others who were also included in the theft. If it’s 10 million individuals, it could be 200 million to 500 million individuals who have any association through the stolen information. This is almost mind-numbing.
So, what is the solution that OPM offers? What is quite remarkable and perhaps reflects on the original data that was once thought to be secure, is the simple letter that was sent. The letter states that we’re to enroll with ID experts under the web subdirectory “cyber security.” The cyber security consists of a 25-number PIN with five digit numbers in five alphabetized sequences. This is like using an impenetrable lock after the gold has been removed.
