Some on Twitter now call this a “Pearl Harbor” in cyberspace, but that may actually undersell the damage that we now know the US took in the hack on the Office of Personnel Management. On one hand, no one’s been killed; the US lost 2,403 lives and had another 1,178 wounded in that battle. Within months or even weeks, the US had repaired much of the damage and went on offense in the eastern Pacific. In this attack, the damage to more than 2 million federal employees is permanent and irreparable — and it had been going on for more than a year before anyone knew (via JeffB from AoSHQDD):
The massive hack into federal systems announced last week was far deeper and potentially more problematic than publicly acknowledged, with hackers believed to be from China moving through government databases undetected for more than a year, sources briefed on the matter told ABC News.
“If [only] they knew the full extent of it,” one U.S. official said about those affected by the intrusion into the Office of Personnel Management’s information systems.
It all started with an initial intrusion into OPM’s systems more than a year ago, and after gaining that initial access the hackers were able to work their way through four different “segments” of OPM’s systems, according to sources.
The hackers got everything from the entire database of federal employees. Much of the data can’t be repaired, either. Social Security numbers, addresses, names and contact information of family members can’t simply be wiped away and rebuilt from scratch. The clients of the hackers — presumed to be China — now can target people for espionage, look for further ways to attack US systems, and wreak havoc in general.
Nor is that all they got. As noted this weekend when the hack first came to light, ABC News confirmed that the hackers and their clients have all of the raw information shared with OPM in applications for security clearances — in all, about 90% of the security clearances issued by the federal government:
However, U.S. officials speaking on the condition of anonymity say unequivocally such information was put at serious risk by the OPM hack. Of utmost concern are U.S. employees stationed overseas, including in countries such as China, whose government would covet personal information on relatives and contacts of American officials living in the communist country, according to officials.
“If the SF-86’s associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people,” one U.S. official told ABC News on Sunday.
Here’s the online version of the SF-86, for those unfamiliar with the form. It runs 127 pages and demands incredibly personal information, not just about the applicant but about relatives, too. Are you a close relative or an in-law of an executive-branch employee with a security clearance? The hackers now have your information, too, and there’s no getting it back from them. Are you a foreign national who had a business relationship with a person who later became a cleared federal employee, or even had contact with them? Surprise!
The OPM hack exposed one of the Holy Grails of government data, which should have had the highest and most vigorous security applied to it. Moreover, no one detected it for more than a year. This is a failure on a monumental scale, especially from an administration that has demanded more authority to impose cybersecurity measures on private networks. It’s impossible to overstate the scope of this defeat in cyberwarfare, or its utter permanence.
Update: Ace himself has more:
Oh, those pesky files merely disclose what foreign nationals US personnel are on friendly, even sexual, terms with.
Do you think some of those people might have been turned to the US for espionage, or at least some friendly influence?
Well, Beijing knows all about them now. And they can sell or trade those names to Russia, Libya, Iran, etc….
Here’s the NSFW (language) response those who have had to fill out SF-86s over the past three decades will get — not directly, but operationally:
Well, yeah. But we never thought the Obama administration could be this incompetent.