A letter shows up in your mailbox from the U.S. government with notification that your personal information has been compromised after a huge hacking incident by a foreign government believed to be China. You’re confused because you’ve never been employed by the federal government. But you are included because you know someone who was a government employee and, in the process of acquiring a security clearance, they provided the names of family, friends, neighbors, and co-workers who now must look over their shoulders and wonder if they, too, will become victims. That would be you.
Think it couldn’t happen? It already has. As former State Department employee Matthew Palmer was quoted as saying in USA Today, “Who is in danger? I listed friends on those forms and my family members. … Are some hackers going to start going after them?”
The hacking of personnel records of millions of U.S. government employees is extremely troubling, but it seems few are paying attention, including the media, who would do us all a favor by reporting 24/7 to help make Americans more aware that a catastrophic security breach has taken place.
Of course, we have the conspiracy theory anti-NSA finger-pointers out there claiming it could be domestic malware that was in the system. Add them to the column under “birthers” and “9/11 conspiracy theorists.”
Most know about the destructive strikes by Japan on Pearl Harbor that killed and injured thousands of American servicemen. A number of writers have suggested that this hacking invasion is the cyber version of Pearl Harbor and have opined about the dire situation, including at USA Today (see Glenn Reynolds: What if Pearl Harbor happened and nobody noticed) and the Richmond Times-Dispatch (see Cybersecurity: Another Pearl Harbor?).
Congresswoman Barbara Comstock, who said on Wednesday that her personal information was stolen by the OPM hackers (see Lawmaker says her info hacked in OPM breach), has written a letter to Katherine Archuleta, Director of the U.S. Office of Personnel Management, that begins, “We are all justifiably alarmed….” (see OPM Letter).
The Times-Dispatch editorial noted the discovery of the hack and what it included:
… investigators say the intrusion was discovered in mid-April during a presentation at OPM by the Virginia-based company, CyTech. The embedded malware was discovered when the cyber security firm ran a diagnostic study on OPM’s network. Investigators say hackers may have had access to OPM files for more than a year.
J. David Cox, national president of the American Federation of Government Employees, says the breach is far worse than OPM admits. He alleges that the hackers (thought by most U.S. officials to be Chinese) were able to access the OPM’s Central Personnel Data File, which contains 69 different categories of information, including Social Security numbers — as well as security clearance information — on most civilian federal employees and retirees.
The danger to not only federal employees but also everyday Americans is noted, and could be considerably expanded:
Writing for the cyber-security blog, 20 Committee, former National Security Agency analyst John Schindler explained the dangers: “Whoever now holds OPM’s records possesses something like the Holy Grail from a (counter-intelligence) perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side … all that is recorded in security clearance paperwork.”
… How safe are our power grid and our water supplies? What about nuclear stockpiles and transportation systems? How safe are the Hoover Dam and Reagan National Airport?
Reynolds at USA Today was also alarmed at the security breach:
Aside from regular federal personnel records, which provide a royal route to blackmail, intimidation and identity theft for present and retired federal workers, the hackers also stole a trove of military and intelligence records that could be even more valuable. The forms stolen were Standard Form 86, in which employees in sensitive positions list their weaknesses: past arrests, bankruptcies, drug and alcohol problems, etc. The 120 plus pages of questions also include civil lawsuits, divorce information, Social Security numbers, and information on friends, roommates, spouses and relatives.
… this trove of information is perfect for “fourth-generation warfare,” in which conventional strengths are bypassed in favor of targeted attacks on a stronger nation’s weaknesses. With this sort of information, China will find it much easier to recruit agents, blackmail decision-makers and — in the event of a straight-up conflict — strike directly at Americans in the government, all without launching a single missile.
Bottom line: no one can trust the federal government to keep online information safe. Reynolds continued:
But we can learn our lesson, at least. The United States is highly vulnerable to cyberwar, and not very good about defending against it, especially in the lame-and-inept government IT sector, which has not distinguished itself in terms of competence. (Remember HealthCare.gov?)
For the federal government, one lesson is that really important stuff shouldn’t be put online at all. Paper documents have their problems, but at least they can’t be hacked and stolen en masse.
Despite the grave danger to America and her citizens, Cory Bennett at The Hill reported Wednesday evening that the White House was standing behind Archuleta:
The White House on Wednesday stood by Office of Personnel Management (OPM) Director Katherine Archuleta, even as more lawmakers called for her ousting in the wake of the biggest government data breach ever. “The president does have confidence that she is the right person for the job,” spokesman Josh Earnest told reporters. But Archuleta is losing support on Capitol Hill after a poorly-received performance at a Tuesday hearing, and as staffers start receiving notifications that their information is likely stolen. Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, on Wednesday joined the bipartisan coalition of lawmakers looking for Archuleta’s dismissal. “In testimony yesterday … she refused to acknowledge the errors OPM has made or to apologize to the millions of affected Americans,” he said.
What an alarming situation and, sadly, it may not be the end of information breach discoveries.