Last week the US Government admitted to a second massive security failure within a year at the Office of Personnel Management, which holds human resources details on all 4 million or so current and former Federal Government employees.
These systems appear to have been hacked for over a year and most if not all of the data has been exfiltrated, allegedly to China (not a firm attribution, given how easy it is to leave fake clues in malware).
As the OPM announcement of 4th June 2015 makes clear, this puts millions of people at risk of financial fraud via so-called "identity theft".
However, things are much, much worse than mere "identity theft". It is now reported that the copied data includes the completed SF86 Questionnaire for National Security Positions forms (127 pages, 7.4Mb .pdf, also mirrored here in case you are blocked from accessing a US government website) and perhaps the results of Background Information interviews and checks for the highest levels of security clearances, not just for ordinary Federal bureaucrats, but also for Intelligence Agency personnel.
It should be obvious how a Foreign Intelligence agency could be assisted in finding potential sources / agents / traitors to suborn, through bribery or blackmail or appeals to ideology or religion, who have listed their financial, marital, medical or other personal details and problems on such forms.
It should be obvious how a Foreign Counter Intelligence Agency could use the information revealed in this form on relatives and contacts living abroad, as well as the Passport or ID Card numbers of the applicants for security clearance and those of their families.
Given the closeness of the Intelligence Agencies of the United Kingdom and the United States of America, it is not unreasonable to ask:
1) When was the UK government informed of the OPM security breach ? The admission came only last week, but the breach appears to have been discovered in April and the security breaches seem to have been active for over a year.
2) How many UK nationals holding US security clearances are affected ?
3) What is the UK government doing to protect them ?
4) Given the similar nature of United Kingdom security vetting systems, i.e. an allegedly secure Web Portal, a long and complicated Security Vetting form submitted online (possibly insecurely due to the reliance on an Adobe plug-in which only worked in insecure versions of Microsoft Internet Explorer - only changed recently) and a back end Oracle database, what evidence, rather than mere assertions, is there that UK systems like the Defence Business Services National Security Vetting Portal have not been attacked and similarly compromised ?
5) Who, if anyone, has audited the UK systems in the light of the OPM disaster and when will their report be published ?
N.B. This is a task that the Intelligence and Security Committee should have been working on, but they stopped working 2 months before the General Election and a new Committee has still not been appointed.
6) Given the push for cost savings and a possible rationalisation of the disparate GCHQ, Security Service MI5 and Secret Intelligence Service SIS/MI6 security vetting systems onto a common platform, as recommended by the Intelligence and Security Committee Annual Report 2011 pages 79 - 80, is it safe to do so ?
7) Why isn't the Government pro-actively reassuring the public about these National Security worries by ordering independent security penetration tests of these systems right now, and publishing the outcomes (but obviously not any detailed vulnerabilities found) instead of their lazy and corrupt policy of Neither Confirm Nor Deny ?
8) Why aren't professional journalists and Parliamentarians holding the Government to account by asking such questions instead of Spy Blog ?