Large database breaches such as the one recently suffered by the Office of Personnel Management (OPM) further demonstrate the dire need for the U.S. government to get serious about the security of its sensitive but unclassified information. The recent OPM breach potentially surrendered more than 4 million personnel records (the FBI has estimated nearly 18 million) of individuals who hold or are applying for security clearances, while a separate effort identified in May yielded potential background investigation information to the attackers. Taken collectively, it is little wonder that one U.S. official referred to them as “the most significant breach of federal networks in U.S. history.”
After such noteworthy breaches, the typical response has been to immediately attribute the activity in order to expose the adversary. Indeed, after the 2014 Sony hack, North Korea was immediately singled out as the perpetrator, and in late 2014, the Director of National Intelligence quickly attributed the Sands Casino hack to Iran. There seems to be greater emphasis on assigning blame as to “who” was responsible for the breach than on “why” it was allowed to happen and “how” it could be prevented in the future.
The OPM hack bears considerable scrutiny because it occurred at a time when significant attention has been focused on the need to vastly improve the United States’ cybersecurity posture. Since 2008, when the Bush Administration established the Comprehensive National Cybersecurity Initiative (the CNCI) by a classified joint presidential directive, the U.S. has been cognizant of the threat posed by hostile actors, particularly those sponsored or directed by nation states. The Director of National Intelligence has listed cyber as an intelligence community priority in the past four Worldwide Threat Assessments, further indicating the importance placed on this domain.