From the last Morning Jolt of the week:
We Have Our Cyber Pearl Harbor.
Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, saying that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.
J. David Cox, president of the American Federal of Government Employees, said in a letter to OPM director Katherine Archuleta that based on OPM’s internal briefings, “We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”
The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staffs.
The union believes the hackers stole military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; and age, gender and race data, he said.
People have been warning about a “cyber Pearl Harbor” for a long time, from 1991 through Richard Clarke’s time in the Clinton and Bush White Houses to Leon Panetta in 2012, NSA Director Mike Rogers in February… Is this it?
If getting the personnel files on every government employee isn’t a cyber Pearl Harbor, what is?
For anyone thinking this isn’t a big deal, I refer you to former NSA guy John Schindler, writing at 20 Committee:
The other day I explained in detail how the mega-hack of the Office of Personnel Management’s internal servers looks like a genuine disaster for the U.S. Government, a setback that will have long-lasting and painful counterintelligence consequences. In particular I explained what the four million Americans whose records have been purloined may be in for:
Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork (to get an idea of how detailed this gets, you can see the form, called an SF86,here).
Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
The bad news keeps piling up with this story, including reports that OPM records may have appeared, for sale, on the “darknet.” Moreover, OPM seems to have initially low-balled just how serious the breach actually was. Even more disturbing, if predictable, is a new report in the New York Times that case “investigators believe that the Chinese hackers who attacked the databases of the Office of Personnel Management may have obtained the names of Chinese relatives, friends and frequent associates of American diplomats and other government officials, information that Beijing could use for blackmail or retaliation.”
We can safely replace “may” in that quote with “almost certainly did”…
The OPM hack was just the start and it won’t be the last. Cyber warfare does not necessarily mean a power plant being shut down nor does it mean someone defaces a website. It means using one’s network against them for whatever purpose the adversary desires.
I am involved in testing security measures (i.e. Red Team) and I see it during every assessment. Sometimes we don’t get the network from the outside but we get someone inside the building who can facilitate access to the correct computer. Other times the cyber team I partner with hacks a security manager’s terminal and puts me on the access roster. Then I’m in and unquestionable because I’m “cleared”. But most satisfying and disturbing is when I’m able to give the cyber team access and see the damage they can do. Notional planes have been shot down because they were able to collect battle plans on the network. Ships have been sunk. The scenario above where we moved numbers around on supply requests? All the time… but we also do it to operational planners. Instead of a strike package of 10 aircraft, you get 4 because of maintenance issues.
Obama’s comment on the OPM hack Monday:
This is going to be a big project and we’re going to have to keep on doing it, because both state and non-state actors are sending everything they’ve got at trying to breach these systems. In some cases, it’s non-state actors who are engaging in criminal activity and potential theft. In the case of state actors, they’re probing for intelligence or, in some cases, trying to bring down systems in pursuit of their various foreign policy objectives. In either case, we’re going to have to be much more aggressive, much more attentive than we have been.
Are you feeling the fury? Yeah.
Rick Wilson makes the case that everyone in the entire country should be furious about this, in his usually insightful, delightfully profane way. Among his important points:
The Chinese assume (correctly) that we’ll do nothing.
Fundamentally unserious county right now. Broken from top to bottom.
Serious candidates would treat this seriously. Serious reporters would lay into this story. Serious elected leaders would act.
A serious President would engage in covert and overt actions to punish and deter the Chinese.
We had our “cyber Pearl Harbor,” and it’s competing for attention in the news cycle with Obama attending the Congressional baseball game. (The Washington Post’s story on this is deep within the A section.)
How did we reach the point where an event like this is something an administration can simply wait out until public interest moves on?