In June of this year the Office of Personnel Management (OPM), an independent agency of the U.S. Government that serves as its human resources department, reported that their system servers had been hacked at least twice by an unknown outside source. Since its discovery, the fallout is wreaking havoc for U.S. counterintelligence.
An OPM forensic investigation discovered that the two breaches had occurred in early December 2014 and May of 2015. The process by which the hackers actually penetrated the OPM server was by obtaining log in credentials used by Key Point Government Solutions, A Colorado based contractor that OPM uses to conduct background investigations for jobs that require a security clearance. After a lengthy internal investigation, Key Point GS was cleared of any wrong doing, although to this day, no reasonable explanation has been offered as to how the log in credentials were actually compromised.
The stolen records contained sensitive personal information for all currently employed and retired federal employees, including at least some members of the U.S. Intelligence Community. This information included social security numbers, residency, employment and educational histories; “information about immediate family and other personal and business acquaintances”; health, criminal and financial histories and “other details” of some 20 million government employees.
It was soon discovered these “other details” would include over a million stolen fingerprints of government employees. But just like the initial report of stolen records, this number, too, grew to a staggering 5.6 million fingerprints.
Directior of National Intelligence James Clapper, during his testimony to the Senate Armed Services Committee, declined to call this incident an attack, but rather “A form of theft or political espionage.”
One of the most immediate concerns for affected individuals is that the stolen fingerprints of intelligence personnel could be used to identify those in a foreign countries traveling under a false identity. Other concerns included the high probability that cyber-thieves could create new identities by swapping out fingerprint data of legitimate employees with that of an impostor. And lastly, and without a doubt the most concerning possibility; these prints could be used in combination with other forms of stolen identification to create biometric key cards to access secure government facilities.
As proof of the counterintelligence threat, CIA pulled its officers from the U.S. Embassy in Beijing as a “precautionary measure”. Due to the content of the information contained in the hacks, which included sensitive background information of Embassy personnel, the Chinese, through a process of simple deduction of comparing embassy personnel records, could have easily identified who was a CIA officer.
One of the keys for a cyber-espionage operation like the OPM hack to be successful is to have another operation that can yield “comparison data”. This is exactly what happened when the same Chinese hackers that were responsible for OPM hacked into United Airlines. United is the hub airline out of Dulles International and, consequently, the main airline used by the CIA out of Langley, VA. When Bloomberg initially broke this story in July, all the “dots” had not been fully connected yet as to the CIA connection. But intelligence officials have now realized that the potent combination of information the Chinese obtained from OPM and United, will make the kind of work the CIA does very difficult for the foreseeable future.
Despite successful cyber-espionage operations around the world, America’s cyber-defenses are woefully inadequate for the task at hand. During the initial IT investigation of the OPM breach, it was discovered that despite frequent warnings to upgrade their operating system security, the OPM was still using the 1960’s era programming language, COBOL. It is because of this fact alone that any security upgrades within OPM or any other U.S. Government agencies as a whole are almost impossible until a complete software and hardware transition is made to a more modern technology that is suitable to protecting sensitive Government information.
One can argue that the biggest fallout of the OPM hack to date has been the U.S. Government’s realization that the type of cyber-warfare waged by our enemies, regardless if it is theft, espionage, or malicious attacks (like the one initiated by ISIS on the US Military’s Central Command Twitter Feed), the U.S. Government’s cyber infrastructure isn’t ready for this type of warfare.
One of the main reasons is that the focus of the NSA and US Cyber Command over the past decade has been primarily offensive cyber attacks, like 2010’s U.S.-Israeli Stuxnet “strike” on Iranian nuclear centrifuges. This attack not only showcased America’s cyber prowess to our enemies, but also showed America’s willingness to exploit the “cyber-kinetic” form of fifth dimension warfare; or to put it plainly, a cyber attack which yields physical destruction on our enemies’ infrastructure, in this case, the destruction of nuclear centrifuges.
But a large majority of cyber-attacks launched against the U.S. in the last five years were “retaliatory” cyber attacks. For example, the 2012 attacks against U.S. banks by Iran were in large part retaliation for Stuxnet. Consider all the cyber-attacks on the U.S. by North Korea, Russia and China just in the last five years alone and the likelihood these were all “unprovoked” cyber attacks by nations just looking to “stir up trouble” becomes a very slim prospect indeed. But make no mistake – we are, and have been for some time, in a cyber cold war with these nations.
As far as officially blaming China and holding them responsible for the attack, the Obama administration has decided to refrain from such actions and consequently has officially declined to say whether a “retaliatory” strike would be made. Many cyber-experts believe the reason for this laid back response from the U.S. is due to the distinct possibility that by accusing China, the U.S. would be forced to expose the nefarious details of their own cyber-attacks and espionage activities. In other words, people that live in glass houses should not throw stones.
Ultimately, the damage that was done by the OPM hack may never be completely known simply because the sheer AMOUNT of data that was stolen cannot be completely quantified. As the Director of National Intelligence, James Clapper was quoted as saying about the repercussions: “Unfortunately, this is a gift that’s going to keep on giving for years.”