The OPM Cyber Blunder is America’s Fault, not China’s
America has been abuzz over the new revelations about OPM’s incredible loss of personal data — it’s being called a “hack,” the “biggest cyberattack in U.S. history.” Though the number of personnel compromised is said to reach 21.5 million, that total will increase exponentially due to the information about friends, family, and associates contained in each of those investigations. It is an incredible defeat for America.
Yet despite calls for retaliation and questions about whether this is a new high-water mark in “cyberwar,” the “OPM Hack” seems to have not been a real hack — let alone a cyberattack. Rather, the OPM “heist” was completely the fault of a blundering, incompetent bureaucracy that quite literally handed the secrets of our security-cleared citizens to a strategic adversary. We can hardly blame the Chinese for gratefully receiving such an intelligence treasure trove.
When we think of “hacking” or “cyberwar” we tend to picture the virtual equivalent of someone tunneling into a bank or cutting the brake lines on a car. At least one contractor with root access to the OPM database was physically based in China. DHS cybersecurity experts have rightly stated that encryption would not have helped in this case. The OPM heist is the equivalent of the Berlin CIA station chief asking someone who works in the Russian embassy to hold on to his vital papers during a meeting.
Mature adults realize that all nations, even allies, conduct intelligence operations against one another. American and European intelligence experts’ frustration at the faux outrage caused by Snowden’s revelations of common inter-state intelligence practices tells us as much. China maintains a vast and insidious campaign to penetrate and compromise government and corporate networks in the United States, but we cannot consider the OPM heist part of China’s catalogue of crimes. This was incompetence on our part; a cyberblunder, not a cyberattack. If China had decided to give American personnel root access to their databases, it would be criminally negligent for our intelligence agencies not to take advantage of the situation.
Still, perception matters; this fiasco’s public image may encourage even greater levels of cyber subterfuge against the United States. The scale of the intelligence haul projects an image of aggression the OPM heist likely did not require. The public dissemination of its success combined with U.S. inaction creates an appearance of Chinese impunity reaching new heights as compared to other known Chinese cyber operations. Unfortunately, the reality is a case of high-return, easy cyberespionage, enabled by our folly. A response of similar effort would hardly produce the same results; you cannot force your adversary to make your mistakes. A response of similar effect would require an uncomfortably disproportional response; you cannot start a fight because you punched yourself in the face.
So if China did nothing but pick up the secret documents we let them babysit, wrath should fall on those whose willful apathy is responsible for our failure. In this case, it is a clear failure of OPM leadership. We cannot forgive three years of apathy about grave cybersecurity warnings made to OPM, let alone the OPM’s open knowledge of malicious activity on its network since June 2014. Director Katherine Archuleta insisted on retaining her office almost a month after the full scope of OPM’s failure under her tenure was revealed. She was not ousted ignominiously, but allowed to resign with a bizarrely triumphal statement touting her success at OPM, particularly in the office’s cybersecurity initiatives. Meanwhile, any number of unknown federal employees or contractors whose job it was to resolve these cybersecurity issues remain nameless and secure in their jobs. We have institutionally allowed the risk to fall on the warfighters, intelligence agents, ground-level bureaucrats, and the American people they serve. Appointees and their staff who abandon their duties are able to retire quietly to the lecture circuit for cocktail party awards celebrating the minor tactical successes they pursued at the cost of strategic failure.
This lack of consequences has created a situation allowing for apathetic appointee leadership. As a first line of defense, presidents must be more willing to take decisive action against their more useless appointees — there’s no political risk in a president being decisive against dead weight. Bowsher v. Synar prevents Congress from enacting laws enabling the legislative dismissal of political appointees following incompetence or dereliction of duty. Symbolic congressional votes of confidence might add some spice. Perhaps Congress could even find a way to dock or even suspend the specific pay of appointees openly flouting their responsibilities.
Ultimately, there is no administrative or policy solution to this problem. You cannot design a regulation for every blatantly obvious cybersecurity blunder such as “no contractors in China” or “no campfires in the server room.” Without an answer to Bowsher v. Synar, turning the screws of accountability against institutional inertia could be hard, though the coming congressional investigation into OPM’s decisions is helpful and necessary. It falls upon Congress and the president to be more discerning in their selection and approval of appointees on the front end, demanding that appointees have the qualification for and dedication to their critical roles. For problem federal employees and contractors — better appointees will care enough to lead, reform, or fire them.
Now, while we want superstars for our appointees, not everyone is a Christine Fox. We could live with mere positive stewards, people with the maturity and humility to understand the scale of their office, the public trust, and the challenges we face. While we may presume to pursue a “comprehensive cybersecurity strategy” to defend us from our opponents, it is of far lesser importance than finding the right kind of people — the ones in whose hands a strategy would succeed. Until then, we cannot blame an adversary for exploiting our barefaced incompetence.
Matthew Hipple is a U.S. Navy Surface Warfare Officer. A graduate of Georgetown University’s School of Foreign Service, he is president of the Center for International Maritime Security — where he hosts the Sea Control Podcast. The Venn diagram sections of “his opinions” and “official representation of the U.S. Navy, Department of Defense, or Government” do not intersect. Follow him on Twitter: @AmericaHipple
Photo credit: Tripp