Heads have started to roll after the director of the Office of Personnel Management (OPM) resigned Friday, but the aftermath of the agency’s massive data breach is far from over.
The breach was one of two OPM experienced since 2014 — one involved the loss of over 4 million Social Security Numbers, and the other exposed 21.5 million government background check records used for security clearances. Both breaches have been linked to the Chinese government.
China has held onto the seized employee data for a year, and there is no evidence the stolen data has been used. Information from typical breaches involving private companies, such as social media or retail sites, is used for phishing scams or financial gain. However, the agency’s breach points more toward political leverage than identity theft for profit.
“This is the mother lode of social network analysis,” said Paul Rosenzweig, cybersecurity legal consultant for Red Branch Law and Consulting in Washington, D.C. “The key is figuring out who influences whom. If you know somebody who knows (Senate Minority Leader) Harry Reid (D-NV), and you’re two degrees of separation from him: That’s what you need. This is a map of that.”
Rosenzweig holds a top secret security clearance and was personally affected by the breach. For those who hold security clearances, he said, the background check application process is extensive, cataloging an individual’s life in enough detail to determine whether that person could pose a national security risk down the line.
“It’s everything. Everywhere I’ve lived for the last 10 years, where I went to school, every job I ever had, my 10 closest friends and coworkers — supervisor included — and their information. It’s an in-depth biographical. If they actually lost my fingerprints, there goes my ability to be bio-metrically secure,” he said, alluding to the iPhone’s fingerprint-scanning Touch ID feature.
The data trove could potentially serve as an asset that’s accessed only when needed “because the more they use it, the more we’ll know their capabilities,” Rosenzweig said.
For the 7 percent of the U.S. population caught in the OPM breach, he said, the effects are akin to “voluntarily giving up” everything the National Security Agency (NSA) wants to know.
That amount of specific information gives the entity holding the data the ability to determine who works for the NSA or Central Intelligence Agency (CIA), what projects operatives are working on and where they are in the world, Rosenzweig said. “Short of real-time intelligence of U.S. activities, this is the intelligence equivalent of the discovery of the nuclear bomb. It’s tragic to me because I lost my fingerprints to the Chinese but it’s far more tragic for the country.”
Besides serving a clear intel advantage, the breach is a grim look at the future of espionage and cyber warfare that experts have long predicted.
“Everyone is always talking about cyberwar as turning off the electricity. The real [threat of cyberwar] is stuff like this, not a use of force,” said retired Air Force Maj. Gen. Charles Dunlap, Jr., who teaches national security law and ethics at Duke University in Durham, N.C. “In the era of big data states will be able to zero in on specific individuals. It’s the hyper-personalization of war.”
In an academic paper of the same name, Dunlap wrote that “‘Big Data’ technologies mainly intended for commercial uses enable not only the acquisition and archiving of vast amounts of data, but also empower a radically enhanced ability for rapid analysis. The convergence of these technologies will permit what might be called ‘the hyper-personalization of war,’” and that “21st century conflicts will take place in an environment defined by enormous advances in information technologies.”
At this point, Dunlap said, the Chinese are still “assimilating and mining the information,” which could later be used to recruit spies or extort people for political favors.
“This will be a long term project to figure out what they have, how they can use it, and how they can mine it effectively,” he said. The Chinese “would have so much information on people they would be able to send personalized emails to families [of military, law enforcement, or intelligence personnel], saying: ‘We know where your son or daughter is [stationed], and we will kill them tomorrow unless you protest the war,’” hypothetically speaking. “It could even be used in some future conflict,” he said, based on dossiers compiled on military units and operations.
The true extent of the OPM breach and its ramifications are still unknown, and hard to quantify, even for longtime military personnel like Dunlap. “Even though I was in the military for 35 years, I can hardly wrap my head around this. I’m not sure how productive it will be to point fingers” at who is to blame for the gross lapse in security, he said. “I think we’re only now starting to understand what the consequences are” and how governments can strike in a way that wasn’t possible before.
Both Dunlap and Rosenzweig agree the breach is a tipping point in U.S. cybersecurity and demands a complete and direct solution.
“There are going to be a number of things that need to be done on the diplomatic level with the Chinese. And the U.S. has to decide what the response will be, cyber or otherwise,” including economic sanctions or pushing for international law to govern espionage, Dunlap said. “We’re going to have to think of the worst case scenario and how can we counter that, instead of having some hearing to figure out who had the contract (for the program).”
OPM Director Katherine Archuleta resigned from her post Friday as pressure roiled from Capitol Hill in the wake of the agency’s crippling data breach. But Rosenzweig believes it’s going to take a greater show of strength from the White House. The breach “really suggests that we should take the entire government offline” and grant “complete amnesty to anyone who is approached by the Chinese and comes forward,” he said.
But there’s no way to be 100 percent safe from cyberattacks. “We can do better but there are no silver bullets. It’s just doing your best to mitigate the risk and make sure your systems are resilient,” Rosenzweig said. The U.S. “should get over the idea that the government is any better at [cybersecurity] than the rest of the world.”