Although the Commander of US Cyber Command is dual-hatted as the Director of the National Security Agency, and although NSA likely has the greatest minds in cyber security on its payroll, the agency was not on the front lines of the OPM hack. In fact, NSA did step in to thwart the ostensible Chinese hackers, but it took a while for it to get to the battlefield:
After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.
NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.
One of the command’s missions is to be prepared to defend key U.S. infrastructure, including the dot-gov domain — but only at the request of the affected organization and when directed by the president, a Defense official told Nextgov, adding that the top priority of CYBERCOM is to defend military networks.
Anyone surprised that the NSA did not step in earlier in the breach process does not know how the agency generally reacts to these types of events. As an intelligence-gathering organization, the NSA considers it more important to learn about attackers' tradecraft than to actually prevent and defend against these types of breaches. NSA prefers to watch what the attackers are doing because it allows the agency to gain better insight into how the attacks happen, what vulnerabilities are being leveraged, and what tools the attackers use once they do penetrate networks.
Long story short: if you were surprised the NSA did not prevent the OPM attack, don’t be – this is the NSA modus operandi.