With each passing day the U.S. government’s big hacking scandal gets worse. Just what did hackers steal from the Office of Personnel Management? Having initially assured the public that the loss was not all that serious, OPM’s data breach now looks very grave. The lack of database encryption appears foolhardy, while OPM ignoring repeated warnings about its cyber vulnerabilities implies severe dysfunction in Washington.
To say nothing of the news that hackers were scouring OPM systems for over a year before they were detected. It’s alarming that intruders got hold of information about every federal worker, particularly because OPM previously conceded that “only” 4 million employees, past and present, had been compromised, including 2.1 million current ones. Each day brings worse details about what stands as the biggest data compromise since Edward Snowden stole 1.7 million classified documents and fled to Russia.
Then there’s the worrisome matter of what OPM actually does. A somewhat obscure agency, it’s the federal government’s HR hub and, most important, it’s responsible for conducting 90 percent of federal background investigations, adjudicating some 2 million security clearances every year. If you’ve ever held a clearance with Uncle Sam, there’s a good chance you’re in OPM files somewhere.
Here’s where things start to get scary. Whoever has OPM’s records knows an astonishing amount about millions of federal workers, members of the military, and security clearance holders. They can now target those Americans for recruitment or influence. After all, they know their vices, every last one—the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side—since all that is recorded in security clearance paperwork. (To get an idea of how detailed this gets, you can see the form, called an SF86, here.) Speaking as a former counterintelligence officer, it really doesn’t get much worse than this.
Do you have friends in foreign countries, perhaps lovers past and present? The hackers know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that, too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
Perhaps the most damaging aspect of this is not merely that millions of people are vulnerable to compromise, through no fault of their own, but that whoever has the documents now so dominates the information battlespace that they can halt actions against them. If they get word that an American counterintelligence officer, in some agency, is on the trail of one of their agents, they can pull out the stops and create mayhem for him or her: Run up debts falsely (they have all the relevant data), perhaps plant dirty money in bank accounts (they have all the financials, too), and thereby cause any curious officials to lose their security clearances. Since that is what would happen.
Then there’s the troubling matter of who’s behind this mega-hack. U.S. intelligence sources haven’t been particularly shy about pointing the finger at China, particularly at hacker groups that serve as cut-outs for Chinese intelligence and who are the suspected culprits behind several major online data breaches of the U.S. economy, including the health-care industry. What they’re particularly looking for is information about Chinese nationals who have ties to Americans working in sensitive positions.
Why Beijing wants that information isn’t difficult to determine. Armed with lists of Chinese citizens worldwide who are in “close and continuing contact” (to cite security clearance lingo) with American officials, Beijing can now seek to exploit those ties for espionage purposes. And it will. While many intelligence services exploit ethnic linkages to further their espionage against the United States—Russians, Cubans, Israelis, even the Greeks—none of the major counterintelligence threats to America exploit ethnic ties as consistently as Beijing does.
The OPM compromise, however it came about, represents a genuine debacle for Washington, one that will take many years to repair. Our intelligence community already faces serious and long-standing problems with counterintelligence, the Beltway’s perennial redheaded stepchild, and this setback promises to make things exponentially worse. This is a new kind of threat, the melding of ancient counterespionage techniques with 21st-century technology, and we’re playing catchup.
The OPM hack, which is unprecedented in its scope, offers our adversaries the opportunity to penetrate our government and use that information to deceive it at a strategic level. This is the essence of SpyWar, the secret struggle between the West and adversaries like China, Russia, and Iran, a clandestine battle that never ceases, yet which the public seldom gets wind of, except when something goes wrong.
The extent of the damage here appears so vast that all the counterintelligence awareness in the world may not be able to offset the advantage in the SpyWar that Beijing has won with this data theft. If you are or have been employed with the federal government and have listed Chinese nationals on your SF86, it’s time to be vigilant, while anybody who’s worked for the feds since the mid-1980s ought to be watching their credit reports for anomalies.
Then there’s the matter of the lives possibly ruined by this. Simply put, there has long been a tacit agreement: You keep the U.S. government’s secrets safe, it will do the same for yours. That important promise, the bedrock upon which the security clearance process is based, has been violated, with serious consequences for millions of Americans—and for Washington.
Counterintelligence hands warned of the threat posed by putting all sorts of sensitive information in such databases, but they were ignored. It’s too late to undo the damage, but we must finally get serious about preventing the next big compromise, while mitigating the pain of this loss. This disaster was decades in the making and will take decades to set right. There’s no time for back-biting. Honest assessment is what’s required. There’s a SpyWar on that needs to be won.
John R. Schindler is a security consultant and a former National Security Agency counterintelligence officer. He is on Twitter at @20committee. This article is adapted from these pieces on his blog, 20committee.com.