CIA archives outline the pre-history of the infamous OPM hack

Decades before the massive data breach, CIA had serious concerns about handing over personnel information to a civilian entity

Edited by JPat Brown

The plot of John le Carré’s The Spy Who Came in from the Cold hinges on the bureaucratic details of retirement benefits for spies. Recently uncovered documents from the Central Intelligence Agency archives show that real-world spy stories sometimes do, too.

The documents reveal a history of bureaucratic maneuvering in the three decades before the massive breach of Office of Personnel Management computer systems in 2015.

The OPM hack was widely seen as an embarrassment for US government cybersecurity and intelligence. But what went largely unremarked in the media is that for decades, intelligence officials had expressed concern about working with civilian agencies. In fact, shortly after the creation of OPM in 1979, CIA began a lengthy process of negotiation with this new civilian agency. As usual, the Agency was highly protective of any and all personnel information.

An undated assessment from the ‘80s expresses particular anxiety over the Civil Service Retirement System. The agency had “concern for Office of Personnel Management and Social Security Administration handling of cases” and worried about the possibility of “domestic penetration attempts by opposition.” The document does not specify who is meant by “opposition.”

Notably, the assessment does not consider the possibility of remote access to computer systems by foreign adversaries.

Still, the OPM did recognize the need for information security training. OPM involvement in computer security goes back to at least 1981, when that agency wrote to CIA and “expressed interest in the System Dynamics Methodology [course] taught by the Information Science Center,” according to CIA documents.

CIA approved OPM’s request - for reasons redacted in the documents available in CREST.

Authorization for the training was likely given under a 1976 executive order on “United States Foreign Intelligence Activities.” The order states that “the Central Intelligence Agency shall… conduct administrative, technical and support activities” for, among other things, “communications and data processing; recruitment and training.”

But even with this proactive measure by OPM, CIA remained reluctant to share information, going so far as to internally discuss avoiding government audits.

“I will keep you posted on this issue, but it appears we may not be able to avoid the OPM audit of ABP [Association Benefit Plan],” wrote one official in 1985.

While the CIA’s reticence is arguably justified in light of the breach 30 years later, the hack in fact raises a much larger question, posed in a recent essay on the topic: “In a networked digital age, does bureaucracy remain an efficient and effective apparatus for managing human affairs?”

How that question might be answered, we do not know.

Read the OPM assessment embedded below.


Image by Another Believer via Wikimedia Commons, licensed under CC BY-SA 3.0