Clapper: ‘We Don’t Know Exactly What Was Taken in the OPM Breach’
Months after one of the biggest hacks in American history, Washington's top spy said the U.S. was still assessing the damage.
With Chinese President Xi Jinping set to arrive in Washington Thursday for a highly anticipated summit with President Barack Obama, America’s top spy said that the U.S. government still does not know what was stolen from the servers of the Office of Personnel Management in a breach U.S. officials privately attribute to Chinese agents.
“We don’t actually know what was actually exfiltrated,” Director of National Intelligence James Clapper said during an appearance at Georgetown University. “So what you’re hearing about is absolutely the worst case.”
On Wednesday, OPM revealed that as many as 5.6 million fingerprint records were among the data stolen in a breach disclosed in June. That’s up from its previous estimate of 1.1 million fingerprint records. The 5.6 million people whose fingerprint records were compromised are a subset of the total number of people whose records were stolen from OPM. That total remains at 21.5 million, and the stolen records include documents gathered during the course of background investigations for current, former, and prospective federal employees seeking security clearances.
Federal computer sleuths are examining the scope of the breach, and it was during that investigation that they discovered fingerprint files that OPM said in a statement had not been “previously analyzed.”
On Thursday, Clapper referenced what appears to be the difficulty of that investigation as a contributing factor to the lack of certainty on how many people were affected by the breach. “We do not have enough granularity [or] fidelity on the forensics to determine exactly what was exfiltrated,” he said. Clapper said nothing Thursday about who was responsible for the attack.
The breach of OPM’s servers has been described by security experts as a possible intelligence bonanza, and Clapper said Thursday that the information poses a particular risk for employees of the intelligence community who may be working under cover. China has denied any involvement in the hack.
Clapper has said previously that the U.S. government has no indication that the stolen information has been used against American agents. He said Thursday that the intelligence community has been searching for “evidence of it turning up some place,” but so far it hasn’t turned up.
In talks this week, Chinese and U.S. officials may announce the completion of an agreement to govern behavior in cyberspace, but such an agreement would all but certainly not have prevented the breach of OPM’s servers. That agreement may commit the United States and China to not attacking each other’s critical infrastructure systems during peacetime, but would likely say nothing about the kind of intelligence activity targeting systems such as OPM.
While lamenting that it was allowed to take place, Clapper has in the past saluted the OPM breach as an example of good intelligence work. “You have to kind of salute the Chinese for what they did,” Clapper said in June.