Standard Form 86 — SF86 for short — is where current and prospective members of the intelligence community put the various bits of information the bureaucracy requires of them: Social Security numbers, names of family members, countries visited and why, etc. If hackers have gotten away with those records, as the Associated Press reported Friday, America’s spies are in trouble.
Such a theft could yield a “virtual phonebook” of U.S. intelligence assets around the world and a working list of each one’s weak spot, said Patrick Skinner, former CIA case officer and director of special projects for the Soufan Group. He said such a vulnerability was unprecedented.
“The spy scandals we’ve had in the past … they gave up maybe a dozen foreign spies. It was a big deal. This, basically, is beyond that,” Skinner said. “It’s not giving up foreign spies … it’s administration, support, logistics. Basically, it’s a phone book for the [intelligence community]. It’s not like they have your credit card number. They have your life.”
If there’s any good news about the disclosure, it’s that it could have been worse. Office of Personnel Management records don’t detail specific covert identities or missions, assignments, or operations. Records of that type would be held by the intelligence agencies themselves. “I don’t think it’s going to blow people’s cover but it’s going to put them at a real high counterintelligence risk,” said Skinner.
Skinner said some of the information in SF86 records is exactly the sort of information that he, as an intelligence operative, would look to get on people he was targeting. “At my old job, you would spend a lot of time trying to get that biographical information because it can tell you a lot,” he said. “It’s why marketers try to get that much information from you. If you have somebody’s entire life history and network you can craft a pitch to them that they don’t see coming.”
What can the intelligence community do to repair the damage? “I don’t think they can,” Skinner said. SF86 “reveals so much about the person that it makes them incredibly vulnerable. You can’t erase your past. These are the things you can’t change about people: you can’t change your parents, your contacts, or your travel. Foreign contacts? That’s a huge deal.”
One thing that could change as a result of the hack: OPM may begin to encrypt the data in its database. It’s a simple security precaution that many in the technology community say OPM should long since have had in place.
@webbmedia @DefTechPat …which would argue — strongly – for encryption at the data level, behind the firewall. — Alex Howard (@digiphile) June 11, 2015
Certainly Skinner was taken aback. “They spend so much time training us to maintain our cover and then they keep this information in an unencrypted database? I encrypt my hard drive; why don’t they?”