In a Friday afternoon news dump, Office of Personnel Management officials acknowledged for the first time that an earlier breach of employee data included security clearance background investigations. That includes the SF-86 and SF-85 forms of current, former, and prospective employees (so even if you submitted the forms and were later denied, or declined the position yourself, your information was still leaked).
In the wake of the breach, White House Chief Information Officer Tony Scott is calling for a 30-day “cybersecurity sprint” to strengthen government networks. It consists of four chief priorities:
- Deploy anti-malware tools that will indicate when an intruder may be inside a government system.
- Patch critical holes in their systems “without delay.”
- Tighten controls for “privileged users.” The White House indicated that by limiting access to sensitive systems, including the amount of time spent, they can help prevent hackers from stealing the large volumes of data that were breached in the OPM attack.
- Accelerate use of a process called “multifactor authentication,” requiring more than a simple password for system access.
Given the gravity of the attack, it may take more than a cybersecurity sprint to fix the government’s IT problems. Many information security professionals have called it completely irresponsible that the government would leave data – particularly some of its most sensitive personnel data in the form of the SF-86 – unencrypted. For professionals who may have been affected, here are a few tips to consider:
1. Know you’re at risk regardless of whether you work for the government.
China is said to be behind the OPM breach. As the largest aggressor in the battle for commercial intelligence, there’s no doubt it is using the data from SF-86 documents to dig deeper into the defense industry. Because applicants who may have been denied or opted out of a clearance are included in the breach, workers who have moved onto the commercial sector are still affected. Just because you no longer hold a clearance doesn’t mean you can’t still be a target.
2. Beware ALL Email.
Spear phishers have already used the OPM breach as an opportunity to go after government workers. In addition to attacks originating in China, hundreds of ‘copycat’ spear phishing emails are likely to surface over the coming weeks. Some government workers already report receiving emails directed them to an outside website to receive credit monitoring – websites not affiliated with OPM.
3. Log quickly in – and quickly out.
Like the government, you can limit your vulnerability by limiting the time you spend on sensitive sites. Hackers know how to find and pinpoint weakness. If you’re a sloppy internet user – you leave your CAC in your machine, you stay logged into SIPRNet when you don’t need to be – a hacker will be able to track that behavior and you become their best target.
4. Read your SF-86 like a spy.
For most cleared professionals, the OPM breach is unconscionable, but not irreparable – relatively few cleared professionals have extensive family overseas or issues that place them at risk of blackmail – the process is designed to weed out individuals with that liability. But it’s likely all cleared professionals today are considering what’s on their SF-86 and wondering if they’d want it in the hands of China, or published on the front page of a newspaper. If you have concerns, sit down with your security officer and discuss them. If you have family members overseas who you believe could be at risk, discuss that with your security officer.
While OPM continues to stay mum on the details of the breach, it seems likely the news will get worse before it gets better. The best advice is to be cautious, be transparent with your misgivings, and whatever you do – don’t open any unsolicited attachments.
