Those of us who have had security clearances in the past endured plenty of lectures on the need to secure sensitive material. The Office of Personnel Management in the Obama administration apparently needed to listen a little more carefully. A hack by China’s intelligence service exposed not only four million current federal employees, but also thirty years of data from security clearances, with the most personally sensitive information possible now exposed to foreign spies:
Data stolen from U.S. government computers by suspected Chinese hackers included security clearance information and background checks dating back three decades, U.S. officials said on Friday, underlining the scope of one of the largest known cyber attacks on federal networks. …
The cyber attack was among the most extensive thefts of information on the federal work force, and one U.S. defense official said it was clearly aimed at gaining valuable information for intelligence purposes.
“This is deep. The data goes back to 1985,” a U.S. official said. “This means that they potentially have information about retirees, and they could know what they did after leaving government.”
Access to data from OPM’s computers, such as birth dates, Social Security numbers and bank information, could help hackers test potential passwords to other sites, including those with information about weapons systems, the official said.
“That could give them a huge advantage,” the official said.
Indeed, and not just for second-order hacking, either. The raw files on these background checks can contain incredibly sensitive personal information that could be used for blackmail or extortion. That’s why the discovery of hundreds of raw FBI files in the Clinton White House created such a stir, although not nearly enough of one. The only people who are allowed access to the raw files are the investigators, not political operatives, for that very reason. Those who apply for clearances get assurances that their information, some of which is gleaned from family, neighbors, and financial institutions, will never get seen outside of the clearing agency.
So far, the scope of this breach hasn’t been fully explained. Were the full investigative files breached, or just summaries? Did it encompass only those who worked directly for the White House since 1985, or for all federal agencies? Did this include those who got cleared — as I did — through DISCO (Defense Industrial Security Clearance Office), now the DSS, to work for defense contractors? How about personnel files from our own intelligence services? None of these are good options, but some are a lot worse than others.
No one’s quite sure of the answers, actually:
The Office of Personnel Management and the Interior Department have declined to publicly identify which database in the business center was targeted in the breach disclosed Thursday, one of the largest intrusions into federal employees’ personal information. But experts in and out of government in technology and federal personnel systems say they strongly suspect that a central database hosted by the Interior Business Center containing all executive branch personnel information, called Enterprise Human Resources Integration, was targeted.
The database contains a trove of data on every civilian employee in the government that goes way beyond their Social Security numbers. It’s a compendium of personnel files containing 35 years of historical data on federal employees. The records track an employee’s career in the government, from salary to benefits to training and certification. They also connect to other federal data sources on employees, including sites containing former employees’ retirement status and benefits.
Right now, the administration is pointing fingers at China. It’s pretty easy to see why they would want this data, but what’s the end game? The Washington Post thinks that China wants to build the kind of Big Brother database that some fear the US government might have wanted:
China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage: recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.
Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.
“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm. “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human recruitment.”
It’s useful not just for recruitment, but also for seeing who the US has recruited:
Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counterintelligence. Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China. “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.
The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official. “They can find specific individuals they want to go after, family members,” he said.
Ironically, the Obama administration has lectured incessantly on cyber security for the last six years, demanding more federal regulation and oversight over private networks to harden communications. Maybe they should focus closer to home first.