Sen. Ron Wyden (D-Ore.) is demanding to know what measures a top counterintelligence agency took to protect Office of Personnel Management records before a massive hack earlier this year.
The National Counterintelligence and Security Center has yet to disclose what actions it took leading up to the hack that exposed more than 20 million federal personnel records, an oversight that Wyden says is cause for concern.
Wyden asked for answers in a letter to agency head William Evanina, and referred to “significant warning signals regarding the security of OPM’s networks.”
{mosads}”The fact that such sensitive information was not adequately protected raises real questions about how well the government can protect personnel information in the future, especially as the security clearance process moves toward conducting ongoing evaluations and incorporating publicly available electronic information,” Wyden wrote.
The NCSC supports counterintelligence efforts across a number of different agencies.
The senator posed three specific questions, asking if the agency had identified the OPM’s security clearance database as a risk prior to the attacks, if it had made any recommendations for protecting OPM’s information and if it had considered cutting down on how long the office kept background check records to reduce risk.
“I would like to know what actions the NCSC took prior to these OPM security incidents and what the NCSC will be doing to prepare for future attacks that will similarly target personnel and background investigation information,” Wyden wrote.
Wyden has pushed back aggressively against cyber legislation that gained traction in the wake of the hack, as well a provision of the annual Intelligence Authorization Act that would require tech companies like Facebook and Twitter to report incidents of “terrorist activity” to federal officials.
He insisted in a Wednesday statement that the intelligence bill, which he called “severely flawed legislation … would not have prevented the OPM data breach.”
The Senate punted on the cyber bill until after the August recess, but Wyden has continued to campaign against it, calling the OPM hack “a bad excuse to try and pass a bad bill.”
The Cybersecurity Information Sharing Act (CISA) is intended to boost the public-private sharing of information on cyber threats, but Wyden maintains that it is a “surveillance bill by another name.”
“The United States should pull out all the stops to go after foreign hackers and foreign threats, but there’s a way to do that without threatening the privacy of millions of law-abiding Americans,” he said in June.