We're learning more and more about just what a mother lode of intelligence information hackers got from raiding the US government's personnel files, and as John Schindler points out, if the hackers are working for the Chinese or Russians, then America is in real trouble.
With each passing day the U.S. government’s big hacking scandal gets worse. Just what did hackers steal from the Office of Personnel Management? Having initially assured the public that the loss was not all that serious, OPM’s data breach now looks very grave. The lack of database encryption appears foolhardy, while OPM ignoring repeated warnings about its cyber vulnerabilities implies severe dysfunction in Washington.
To say nothing of the news that hackers were scouring OPM systems for over a year before they were detected. It’s alarming that intruders got hold of information about every federal worker, particularly because OPM previously conceded that “only” 4 million employees, past and present, had been compromised, including 2.1 million current ones. Each day brings worse details about what stands as the biggest data compromise since Edward Snowden stole 1.7 million classified documents and fled to Russia.
Then there’s the worrisome matter of what OPM actually does. A somewhat obscure agency, it’s the federal government’s HR hub and, most important, it’s responsible for conducting 90 percent of federal background investigations, adjudicating some 2 million security clearances every year. If you’ve ever held a clearance with Uncle Sam, there’s a good chance you’re in OPM files somewhere.
And of course the problem is the hack was extensive and allowed reams of information out.
Here’s where things start to get scary. Whoever has OPM’s records knows an astonishing amount about millions of federal workers, members of the military, and security clearance holders. They can now target those Americans for recruitment or influence. After all, they know their vices, every last one—the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side—since all that is recorded in security clearance paperwork. (To get an idea of how detailed this gets, you can see the form, called an SF86, here.) Speaking as a former counterintelligence officer, it really doesn’t get much worse than this.
Do you have friends in foreign countries, perhaps lovers past and present? The hackers know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that, too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
Perhaps the most damaging aspect of this is not merely that millions of people are vulnerable to compromise, through no fault of their own, but that whoever has the documents now so dominates the information battlespace that they can halt actions against them. If they get word that an American counterintelligence officer, in some agency, is on the trail of one of their agents, they can pull out the stops and create mayhem for him or her: Run up debts falsely (they have all the relevant data), perhaps plant dirty money in bank accounts (they have all the financials, too), and thereby cause any curious officials to lose their security clearances. Since that is what would happen.
So yes, this hack was bad. We need to clean up this mess, but the reality is that between this and the Snowden documents, US intelligence is all but in complete tatters in 2015. This is where government is most certainly not working properly, and fixing it will take years if not decades.