Trade Law Daily is a Warren News publication.
'Eroding Confidence'

No Evidence of 'Nefarious' Use of Stolen OPM Data, Says Director of National Intelligence

There has been no evidence the data stolen during the recent Office of Personnel Management data breach has been used yet “in a nefarious way,” meaning the breach can't be classified as a cyberattack, said Director of National Intelligence James Clapper during a House Intelligence Committee hearing Thursday. The OPM breach, revealed in June, has since been found to have exposed the Social Security numbers for 21.5 million people along with other personally identifiable information (see 1507090049). The data appears to have been stolen via “passive intelligence collection activity, just as we do,” Clapper testified. Rep. Chris Stewart, R-Utah, questioned Clapper's assessment of the OPM breach, saying “we don’t really know what has been the effect of this being taken.”

Clapper stopped short of attributing the OPM breach to a particular actor, saying attribution “is not a simple process.” Different intelligence agencies have had “differing degrees of confidence” about whether a foreign government or other entity is responsible for the breach, he said. Congressional Republicans have pressed for the White House to publicly name China as a culprit behind the OPM breach (see 1507220063), though cybersecurity experts have said a public response may be complicated (see 1508200047).

The OPM breach and other recent data breaches involving federal agencies “are eroding confidence in our government's ability to counter” cyberthreats, said House Intelligence Chairman Devin Nunes, R-Calif. DHS' own Protected Critical Infrastructure Information program hasn't received a security audit since 2006, which “raises serious questions about the agency that many government representatives believe should be at the heart of our cybersecurity strategy,” Nunes said. All federal agencies that deal with cybersecurity are getting “better and better at what they're charged to do,” meaning “it's time to knit together all the intelligence that these separate agencies need to defend our networks” via the proposed Cyber Threat Intelligence Integration Center (CTIIC), which President Barack Obama announced in February, Clapper said.

House Intelligence plans to seek further information from federal intelligence agencies in the coming months about the agencies' cybersecurity information practices given the potential for them to become further involved in cybersecurity information sharing if the Senate takes up the controversial Cybersecurity Information Sharing Act (S-754) or House-passed information sharing legislation, Nunes said. “We must ensure that government entities involved in the sharing process are absolutely secure, especially if we allow” the private sector to share cyber threat indicators, he said.

FBI Director James Comey pressed for the tech sector to cooperate with the intelligence community by allowing agencies access to encrypted data. “There shouldn't be venom” from the private sector over the data requests because “we should all care about the same thing,” Comey said. Ranking member Adam Schiff, D-Calif., said tech sector executives told him last week that the federal government “just can’t tell tech to ‘figure it out.’ We have to work with them, and others, to find the best mix of incentives, standards, and technological solutions.” The federal government shouldn't be the one driving efforts to create a form of encryption that can protect data and be easily decrypted for law enforcement purposes, Comey said. “Technological innovation is not our thing.” Rep. Eric Swalwell, D-Calif., claimed the tech sector has overly favored privacy protections and has “forgotten about 9/11.”