Hackers Hit the Federal Government Hard

The latest big computer hack, apparently launched from China, strikes straight to the heart of the federal government. Both the network and data of the Office of Personnel Management (OPM) have been badly compromised. More than 4 million sets of detailed Personally Identifiable Information (PII), all belonging to present or former federal employees, have been taken. It’s identity theft on a massive scale. Current and ex-federal employees may have trouble sleeping for quite some time. Even bigger worries, however, are the national-security problems the hackers may create.

OPM’s first announcements said that only basic information was lost. But even “basic” information is pretty significant stuff, including names, positions, pay scales, Social Security numbers, and more. That alone should be considered a failure of security. And it could get much worse. Though the first report said security-clearance information was not compromised, we don’t yet know if that is true.

While the initial announcements claimed it was the work of Chinese hackers, they couldn’t say whether it was a state-sponsored intelligence operation or “merely” a criminal enterprise. Cyber-intrusion attribution (determining “who did it”) is very difficult in the best of circumstances. And when the activity comes from China, it’s almost impossible to know for sure whether the hacking is being done by the government, a group of criminals, criminals working for the government, or the government helping friendly criminals. Many specialists in Chinese studies will tell you that it hardly makes any realistic difference, as those lines are regularly blurred.

China and Russia are America’s two biggest and most dangerous cyber adversaries. Of the two, Russia is a bit more sophisticated, particularly with regard to cyber-attacks and spying. Beijing is not that far behind Moscow, however, and the Chinese dedicate a great many more people and other assets to their cyber activities. Both excel at the offensive side of things, which is easier and requires less code to do.

As far as offensive capability goes, America is a match for either Russia or Beijing. And America’s defenses are good, but not perfect. Defending a complex network is a 24/7–365 effort. Attacks and spying have to “slip through” only occasionally to be successful. Russia and China are clever and capable, and both have very strong cyber-criminal allies. This is a dynamic battle that the U.S. has to keep fighting over a long, long term.

As for the latest attack, Americans should be very concerned that we still don’t know the full truth. Is what has been announced really the extent of it, or are other federal agencies affected? The Department of Homeland Security’s Computer Emergency Response Team (U.S. CERT) had been called in to check OPM’s system. To their credit, they found the intrusion. Now they need to check everywhere else. This could be a much wider problem than we now believe.

Additionally, many of the affected employees have high-level security clearances. Can their identities be spoofed? Can some be influenced through this data theft into “helping” Beijing? Both these dangers must be watched and mitigated. Frankly, doing that will take more than issuing a new credit card, replacing money lost in an account, or offering a credit-monitoring service.

Yes, our government spokesmen have all assured us that no security-clearance information was taken. But the records that have been compromised are very detailed, with information going back to the subjects’ childhoods. Are Uncle Sam’s “assurances” accurate, or just wishful thinking?

In the past, when private-sector firms such as Target, Sony, and Anthem Insurance have suffered data breaches, some politicians have called for harsh punishment of the “negligent” firms. They seem to think that if you fine private companies often and severely enough, they’ll secure themselves. One hopes that those lawmakers now understand that they have a log in their own governmental eye. OPM is a premier federal agency with access to help from the Department of Homeland Security. If OPM can’t defend itself, is beating up on commercial companies really the right thing to do?

Clearly, putting the federal government in charge of cybersecurity through regulatory rule-making and enforcement is not the answer. There are no silver bullets (yet), either technical or procedural. The best that can be done is to build the best relationships we can between the government and the private sector, share threat information, share best practices, and lower the risk as much as we can.

In the face of a very dynamic threat, fueled by very skilled adversaries, the key question is not “How could this happen?” Far better to ask: “How can we minimize the occasions of it, and the damage it does to our citizens and infrastructure?” This will not be the last major data breach — for the feds or in the private sector. What matters is that every time this happens, we learn from the experience, we share what we’ve learned, and we work together to get better at defending ourselves from the cyber-bad-guys.
