The Corner

National Security & Defense

‘The OPM Hack Was Just the Start and It Won’t Be the Last.’

From the last Morning Jolt of the week:

We Have Our Cyber Pearl Harbor.

Insert your preferred expletive here:

Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, saying that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.

J. David Cox, president of the American Federation of Government Employees, said in a letter to OPM director Katherine Archuleta that based on OPM’s internal briefings, “We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staffs.

The union believes the hackers stole military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; and age, gender and race data, he said.

People have been warning about a “cyber Pearl Harbor” for a long time, from 1991 through Richard Clarke’s time in the Clinton and Bush White Houses to Leon Panetta in 2012, NSA Director Mike Rogers in February… Is this it?

If getting the personnel files on every government employee isn’t a cyber Pearl Harbor, what is?

For anyone thinking this isn’t a big deal, I refer you to former NSA guy John Schindler, writing at 20 Committee:

The other day I explained in detail how the mega-hack of the Office of Personnel Management’s internal servers looks like a genuine disaster for the U.S. Government, a setback that will have long-lasting and painful counterintelligence consequences. In particular I explained what the four million Americans whose records have been purloined may be in for:

Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork (to get an idea of how detailed this gets, you can see the form, called an SF86, here).

Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.

The bad news keeps piling up with this story, including reports that OPM records may have appeared, for sale, on the “darknet.” Moreover, OPM seems to have initially low-balled just how serious the breach actually was. Even more disturbing, if predictable, is a new report in the New York Times that case “investigators believe that the Chinese hackers who attacked the databases of the Office of Personnel Management may have obtained the names of Chinese relatives, friends and frequent associates of American diplomats and other government officials, information that Beijing could use for blackmail or retaliation.”

We can safely replace “may” in that quote with “almost certainly did”… 

 

An unnamed defense contractor who writes under the pseudonym “ibreakthings” writes:

The OPM hack was just the start and it won’t be the last. Cyber warfare does not necessarily mean a power plant being shut down nor does it mean someone defaces a website. It means using one’s network against them for whatever purpose the adversary desires.

I am involved in testing security measures (i.e. Red Team) and I see it during every assessment. Sometimes we don’t get the network from the outside but we get someone inside the building who can facilitate access to the correct computer. Other times the cyber team I partner with hacks a security manager’s terminal and puts me on the access roster. Then I’m in and unquestionable because I’m “cleared”. But most satisfying and disturbing is when I’m able to give the cyber team access and see the damage they can do. Notional planes have been shot down because they were able to collect battle plans on the network. Ships have been sunk. The scenario above where we moved numbers around on supply requests? All the time… but we also do it to operational planners. Instead of a strike package of 10 aircraft, you get 4 because of maintenance issues.

Obama’s comment on the OPM hack Monday:

This is going to be a big project and we’re going to have to keep on doing it, because both state and non-state actors are sending everything they’ve got at trying to breach these systems. In some cases, it’s non-state actors who are engaging in criminal activity and potential theft. In the case of state actors, they’re probing for intelligence or, in some cases, trying to bring down systems in pursuit of their various foreign policy objectives. In either case, we’re going to have to be much more aggressive, much more attentive than we have been.

Are you feeling the fury? Yeah.

Rick Wilson makes the case that everyone in the entire country should be furious about this, in his usually insightful, delightfully profane way. Among his important points:

The Chinese assume (correctly) that we’ll do nothing.

Fundamentally unserious country right now. Broken from top to bottom.

Serious candidates would treat this seriously. Serious reporters would lay into this story. Serious elected leaders would act.

A serious President would engage in covert and overt actions to punish and deter the Chinese.

We had our “cyber Pearl Harbor,” and it’s competing for attention in the news cycle with Obama attending the Congressional baseball game. (The Washington Post’s story on this is deep within the A section.)

How did we reach the point where an event like this is something an administration can simply wait out until public interest moves on?
