The Annotated OPM Update

On July 4, 2015, OPM Director Katherine Archuleta wrote to those who may have lost data in the recent OPM breach. This annotated guide will help you parse her blog-post. You’re welcome.

As our hardworking Federal workforce enjoys a much-deserved holiday weekend, I want to share a quick update on the ongoing investigation into the recent theft of information from OPM’s networks.

The idea that one would share a “quick” update on this topic, in much the same way one would dash off a thank-you note to a modestly successful dinner party, is offensive. Her blog post is an attempt to sound breezy and informal, but this is arguably the most serious data breach ever, because the data stolen included the most intimate personal details of those entrusted with our nation’s most sensitive national security secrets.

Oh, and she published it on a federal holiday.

For those individuals whose data may have been compromised in the intrusion affecting personnel records[…]

She says this as if she is speaking generally, but the fact remains that she actually does not, months after the breach began and weeks after it was disclosed, know exactly whose records were compromised.

[…]we are providing credit monitoring and identity protection services.

This is a nosejob to a dying man: doing something in the hopes that you will appear to be engaging in an intervention. While credit monitoring services have become coin-of-the-realm in retail credit card breaches, this is not a credit card breach. And it is important to recognize that credit monitoring is only efficacious (and this is arguable) in attacks that target financial resources through identity theft and other fraud.

While the data OPM lost here is in fact perfect for that (there are answers in here that would satisfy even the most rigorous personal-history-based customer verification techniques), credit monitoring is wholly irrelevant to the issues raised by this preventable loss: there is nothing to stop foreign governments or criminal gangs (a) knowing who has applied for clearance; (b) knowing the submitted highly intimate personal details; (c) knowing the investigators’ comments and results. How will credit monitoring stop impersonation for intelligence or application for a passport? It won’t. How will credit monitoring prevent the revelation of deeply personal details of US government contractors and employees stationed all over the world, to be exploited by professionals? It can’t.

Stop saying this as if you’re providing relief — this is an attempt to cover an ass the size of Montana with a square of toilet paper.

My team has worked with our identity protection contractor to increase staff to handle the large volume of calls, and to dramatically reduce wait times for people seeking services. As of Friday, our average wait time was about 2 minutes with the longest wait time being about 15 minutes.

Which I infer to read both, “The vendor we selected to provide the service that at best would not work for anything but financial fraud sucked, and people complained when they couldn’t even activate the pathetic ‘“’protection’ we claimed to offer them,” and “I jobbed out sorting that nightmare to my underlings.”

Thanks to the tireless efforts of my team at OPM and our inter-agency partners, we also have made progress in the investigation into the attacks on OPM’s background information systems. We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected.

Ha ha ha ha ha ha ha ha, OH, ha ha ha. See my last comment, and then some.

I want you to know that I am as concerned about these incidents as you are. I share your anger that adversaries targeted OPM data. And I remain committed to improving the IT issues that have plagued OPM for decades.

The backpedaling and blaming predecessors, and shirking responsibility for failing to heed warnings given in OIG report after OIG report, begins in earnest.

One of my first priorities upon being honored with the responsibility of leading OPM was the development of a comprehensive IT strategic plan, which identified security vulnerabilities in OPM’s aging legacy systems, and, beginning in February 2014, embarked our agency on an aggressive modernization and security overhaul of our network and its systems. It was only because of OPM’s aggressive efforts to update our cybersecurity posture, adding numerous tools and capabilities to our networks, that the recent cybersecurity incidents were discovered.

As we stumbled and lurched blindly about through the cobwebs of our network of fail, we tripped over attacks in progress, thus alerting the attackers so that they could skidaddle before we could trace the attack, leaving us the old government chestnut: call in Mandiant to blame China.

I am committed to finishing the important work outlined in my Strategic IT Plan and together with our inter-agency partners, OPM will continue to evaluate and improve our security systems to make sure our sensitive data is protected to the greatest extent possible, across all of our networks.

Nothing could be more scary than this last paragraph: “Yes, I have betrayed everything your government has promised you, and I will get better.” If they “continue” to evaluate and improve, basically … well, actually, this means, literally, nothing.

We are living in an era where cybersecurity must be a priority in our lives at work and at home. I encourage you to take some time to learn about the ways you can help protect your own personal information. There are many helpful resources available on our website.

Now the subtle shift to making you somehow feel that this could have happened to anyone… to you…which makes sense if you don’t realize it really means that it could happen to anyone as clueless as she. And oh: it happened to you. Yeah, I’ll be surfing to OPM dot gov to get tips on how to protect my data. . .

I’m wishing you a safe and relaxing 4th of July weekend.

…knowing that our enemies now know about your sexual proclivities and hist0ry; alcohol and drug intake; bad breakups; the dates, places and duration of stay on all your overseas trips; and other information that we will protect by giving you credit monitoring through a vendor that doesn’t answer the phone.

A single golf clap? Or a long standing ovation?

By clapping more or less, you can signal to us which stories really stand out.