Was China OPM Hack Fair Game?
Was this simply ordinary intelligence collection? Or something more insidious?
Robert Knake, who just stepped down as Director for Cybersecurity Policy at the National Security Council, makes an interesting point in explaining “Why the US Hasn’t Pinned the OPM Hack on China.”
[U]nder emerging norms for espionage in cyberspace, information on Federal employees is considered a legitimate target.
Assuming the Chinese government was behind the incident, its cyber spies were doing exactly what they were trained to do. They were also doing exactly what we should expect them to do, and what we should be prepared to counter. As General Michael Hayden, former director of both the NSA and the CIA in the Bush Administration, put it, “This isn’t shame on China. This is shame on us.”
When the Obama Administration has come out and publicly accused another country for a cyber attack, it hasn’t been for this kind of state-on-state spying. What the Obama Administration has strongly objected to is China’s campaign of economic espionage against American companies. In May of 2014, the Justice Department went as far as to hand down indictments for five Chinese military hackers, accusing them of carrying out a multi-year campaign to steal industrial secrets from U.S. companies for the purpose of sharing that information with Chinese companies.
Director of National Intelligence James Clapper has stated in clear terms that the United States intelligence community does not engage in this kind of spying. To do so would undermine the global marketplace by providing an unfair advantage to state-owned enterprises (of which the United States has none).
Getting China to stop this activity is at the top of our diplomatic agenda. Stopping foreign intelligence services from spying is not. If the Obama Administration had taken the advice of former Ambassador to the United Nations John Bolton, and kicked the Chinese Ambassador out of the country in response to the OPM attack, we would be setting a standard to which we would not wish to be held.
He wonders if that may change:
Over time, we may decide that we need to impose limitations on cyber-spying. The Internet allows for espionage at a scale that was unimaginable during the Cold War. It also allows espionage to be carried out from the safety and comfort of a desk chair, without the personal risks famously taken by spies who operate in the real world. While Americans like Aldrich Ames and Robert Hanssen who sold secrets to the Soviets will spend the rest of their lives in prison, no such penalties can be imposed on the file servers that should not have shared their data with the Chinese. Without these natural limits, state-on-state espionage in cyberspace has few checks.
For now, the judgment of the national security community is that relative gains in intelligence are greater than relative losses. Simply put, we are better off in a world in which we can engage in this kind of spying, accepting that other countries will as well.
This is an interesting argument. While embarrassing if caught, it’s long been understood that attempts to figure out the intentions of other state actors through various covert means are fair game. We spy not only on adversaries but also on allies, and we understand that they’re doing the same to the best of their ability.
The OPM hack is different, though, in that almost none of us* whose records were scooped up are policymakers and, more importantly, none of the information gleaned has any policy bearing whatsoever. Indeed, there’s no real intelligence value to the information on our security clearance forms even for the very highest officials. The only conceivable value, as War on The Rocks editor Ryan Evans notes for the Washington Post, is its potential for identifying assets.
My SF-86 contains my Social Security number, information about my credit history, my job history (including a dispute with a past employer), contact information for my closest friends and family in the United States and abroad, all non-Americans with whom I am close, a list of every foreign official I ever met, every place I lived and people who could verify that I lived there, and much more. If I had ever been arrested or had any history of drug abuse, I would have had to report that, too.
This form provides all sorts of information that could be used to recruit an individual as a spy. In fact, collecting such information is the whole point of the form. The U.S. government wants to assess the vulnerability to recruitment or blackmail of every person given access to classified information. Beijing may now have in its hands the most intimate details of the lives of the human beings responsible for generating and keeping our nation’s most sensitive secrets.
Greed, ego and blackmail are among the most common motivations of those who betray their countries. This bounty of security clearance application forms would provide China with information it could use to cultivate sources on all three of these fronts. It would know who is in debt and financial trouble. It would know about stalled careers and past work disputes, over which individuals may still harbor a grudge. And it would know who has family and friends in Iran, China, Russia or other places who may be vulnerable to threats or appeals for information. It is therefore fitting that one former intelligence official has described this data as the “crown jewels.” Troublingly, there are hints that some of it may already be for sale on the Internet, which could provide any U.S. rival with access to this information.
One can certainly understand China wanting this information. Its collection and, especially, its mass dissemination, however, strike me as outside the boundaries of normal intelligence collection, especially in peacetime between nonbelligerents. Indeed, it’s arguably an act of war.
That said, Hayden is certainly right: the real shame here is on OPM and, indeed, on the simply horrendous cyber security of the entire Federal government. They’ve managed to simultaneously make the technology frustratingly difficult to use for those simply trying to do our jobs and yet laughably porous to our enemies. Evans rightly argues that “It is time for accountability,” including firing the senior executives responsible for security as well as massive penalties against the contractors who let this happen. Sadly, we’ll likely see very little of that.
UPDATE: Via Twitter, Evans points to an update from Brian Krebs that casts doubt on the notion that the hackers sold the data:
A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries.
Earlier this week, miscreants who frequent the Hell cybercrime forum (a “Deep Web” site reachable only via the Tor network) began passing around a text file that contained more than 23,000 records which appeared to be a user database populated exclusively by user accounts with dot-gov email addresses. I thought it rather unlikely that the file had anything to do with the OPM hack, which was widely attributed to Chinese hackers who are typically interested in espionage — not selling the data they steal on open-air markets.
As discussed in my Oct. 2014 post, How to Tell Data Leaks from Publicity Stunts, there are several simple techniques that often can be used to tell whether a given data set is what it claims to be. One method involves sampling email addresses from the leaked/hacked database and then using them in an attempt to create new accounts at the site in question. In most cases, online sites and services will allow only one account per email address, so if a large, random sampling of email addresses from the database all come back as already registered at the site you suspect is the breached entity, then it’s a safe guess the data came from that entity.
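The sampling check Krebs describes can be scripted. The following is an added example, not Krebs’ code or anything from his post: it extracts e-mail addresses from a raw dump, profiles their domains (a dump that is “exclusively dot-gov” should show that immediately), draws a random sample, and asks a pluggable `check_registered` callable whether each address already has an account at the site the dump supposedly came from. The dump contents, the site account list, and the 90% threshold are all constructed assumptions for the example; in real use the callable would submit the address to the suspected site’s sign-up form and look for an “already registered” response.

```python
import random
import re
from collections import Counter

# Constructed sample dump (made up for this example; the real file was ~23,000 records).
SAMPLE_DUMP = """\
id|email|username|hash
1|alice.smith@agency-a.gov|asmith|h1
2|bob.jones@agency-b.gov|bjones|h2
3|carol@example.com|carol|h3
4|dave.wu@agency-a.gov|dwu|h4
5|not-an-email|broken|h5
6|erin.k@agency-c.gov|erink|h6
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(dump):
    """Return every well-formed e-mail address in the dump, lower-cased and de-duplicated,
    in first-seen order. Rows without a valid address are simply skipped."""
    seen, out = set(), []
    for match in EMAIL_RE.finditer(dump):
        addr = match.group(0).lower()
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def domain_profile(emails):
    """Count top-level domains so a 'dot-gov only' claim can be checked at a glance."""
    return Counter(addr.rsplit(".", 1)[-1] for addr in emails)


def registered_fraction(emails, check_registered, sample_size, seed=0):
    """Probe a random sample of addresses against the suspected source site.

    check_registered(addr) -> bool is the only part that touches the site; everything
    else is offline. A fixed seed keeps the sample reproducible for the write-up.
    Returns (fraction of sampled addresses already registered, the sample itself).
    """
    rng = random.Random(seed)
    sample = rng.sample(emails, min(sample_size, len(emails)))
    hits = sum(1 for addr in sample if check_registered(addr))
    return hits / len(sample), sample


def verdict(fraction, threshold=0.9):
    """Krebs' rule of thumb: if nearly all sampled addresses are already registered at the
    suspected site, the dump plausibly came from it; otherwise the claim does not hold up."""
    if fraction >= threshold:
        return "consistent with claimed source"
    return "does NOT match claimed source"


# Constructed stand-in for the suspected site's account list (assumption: in practice this
# knowledge comes from the site's own sign-up response, not a local set).
CLAIMED_SITE_ACCOUNTS = {"carol@example.com"}


def mock_check(addr):
    """Offline replacement for the network probe against the suspected site."""
    return addr in CLAIMED_SITE_ACCOUNTS


def triage(dump, check_registered=mock_check, sample_size=5):
    """Run the whole check and return a summary dict."""
    emails = extract_emails(dump)
    fraction, sample = registered_fraction(emails, check_registered, sample_size)
    return {
        "addresses": len(emails),
        "domains": dict(domain_profile(emails)),
        "sampled": len(sample),
        "registered_fraction": fraction,
        "verdict": verdict(fraction),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The method only works when the sign-up form actually reveals whether an address is taken; sites that deliberately return the same response either way (to block user enumeration) give no signal, and a large random sample against a site you don’t own is both noisy and likely against its terms, so keep the sample modest.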
Much more background at Krebs’ post for those interested. If he’s right, this definitely moves the ball on the OPM hack closer to “just ordinary business.”
*I’ve gotten mass notification that my records are among those caught up in this. Given the number of security clearance applications I’ve filed over the years, it would be shocking, indeed, if I wasn’t.