We Have Our Cyber Pearl Harbor
Insert your preferred expletive here:

Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, saying that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.

J. David Cox, president of the American Federation of Government Employees, said in a letter to OPM director Katherine Archuleta that based on OPM's internal briefings, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."

The OPM data file contains the records of non-military, non-intelligence executive branch employees, which covers most federal civilian employees but not, for example, members of Congress and their staffs.

The union believes the hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; and age, gender and race data, he said.

People have been warning about a "cyber Pearl Harbor" for a long time, from 1991 through Richard Clarke's time in the Clinton and Bush White Houses to Leon Panetta in 2012, NSA director Mike Rogers in February. . . . Is this it? If getting the personnel files on every government employee isn't a cyber Pearl Harbor, what is?

For anyone thinking this isn't a big deal, I refer you to former NSA guy John Schindler, writing at 20 Committee:

The other day I explained in detail how the mega-hack of the Office of Personnel Management's internal servers looks like a genuine disaster for the U.S. Government, a setback that will have long-lasting and painful counterintelligence consequences.
In particular I explained what the four million Americans whose records have been purloined may be in for:

Whoever now holds OPM's records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork (to get an idea of how detailed this gets, you can see the form, called an SF86, here).

Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that's in the other side's possession now.

The bad news keeps piling up with this story, including reports that OPM records may have appeared, for sale, on the "darknet." Moreover, OPM seems to have initially low-balled just how serious the breach actually was. Even more disturbing, if predictable, is a new report in the New York Times that case "investigators believe that the Chinese hackers who attacked the databases of the Office of Personnel Management may have obtained the names of Chinese relatives, friends and frequent associates of American diplomats and other government officials, information that Beijing could use for blackmail or retaliation."

We can safely replace "may" in that quote with "almost certainly did" since for Chinese intelligence that would be some of the most valuable information in any of those millions of OPM files.
Armed with lists of Chinese citizens worldwide who are in "close and continuing contact" (to cite security clearance lingo) with American officials, Beijing can now seek to exploit those ties for espionage purposes.

An unnamed defense contractor who writes under the pseudonym "ibreakthings" writes:

The OPM hack was just the start and it won't be the last. Cyber warfare does not necessarily mean a power plant being shut down nor does it mean someone defaces a website. It means using one's network against them for whatever purpose the adversary desires.

I am involved in testing security measures (i.e. Red Team) and I see it during every assessment. Sometimes we don't get the network from the outside but we get someone inside the building who can facilitate access to the correct computer. Other times the cyber team I partner with hacks a security manager's terminal and puts me on the access roster. Then I'm in and unquestionable because I'm "cleared". But most satisfying and disturbing is when I'm able to give the cyber team access and see the damage they can do.

Notional planes have been shot down because they were able to collect battle plans on the network. Ships have been sunk. The scenario above where we moved numbers around on supply requests? All the time . . . but we also do it to operational planners. Instead of a strike package of 10 aircraft, you get 4 because of maintenance issues.

Obama's comment on the OPM hack Monday:

This is going to be a big project and we're going to have to keep on doing it, because both state and non-state actors are sending everything they've got at trying to breach these systems. In some cases, it's non-state actors who are engaging in criminal activity and potential theft. In the case of state actors, they're probing for intelligence or, in some cases, trying to bring down systems in pursuit of their various foreign policy objectives.
In either case, we're going to have to be much more aggressive, much more attentive than we have been.

Are you feeling the fury? Yeah. Rick Wilson makes the case that everyone in the entire country should be furious about this, in his usually insightful, delightfully profane way. Among his important points:

The Chinese assume (correctly) that we'll do nothing. Fundamentally unserious country right now. Broken from top to bottom.

Serious candidates would treat this seriously. Serious reporters would lay into this story. Serious elected leaders would act. A serious President would engage in covert and overt actions to punish and deter the Chinese.

We had our "cyber Pearl Harbor," and it's competing for attention in the news cycle with Obama attending the congressional baseball game. (The Washington Post's story on this is deep within the A section.) How did we reach the point where an event like this is something an administration can simply wait out until public interest moves on? "Stay calm! All is well!"

Walker-Rubio? Rubio-Walker? Walkerio?

Finally, a sign two camps in the GOP primary might actually try to be nice to each other going forward:

[Scott] Walker, 47, isn't expected to formally enter the race until early July, after his state has completed a two-year budget plan. Still, he's apparently given some consideration and had discussions already about a potential running mate, with the focus on Rubio.

"I've actually had quite a few people, grassroots supporters, donors, and others who have made that suggestion," he said when asked about a Walker-Rubio ticket.

"For now, you know, Marco is a quality candidate," Walker said. "He's going to be formidable in this race as things progress. And if we were to get in, we'd be as well, and we'll see where things take us."
Walker said both he and Rubio often hear the suggestion that they should combine forces, potentially even before the first nomination voting in Iowa in February 2016, as a way to stand out amid a crowded field.

"We'd just probably have to arm-wrestle over who would be at the top of the ticket," he said.

Some who have talked privately to Walker about a possible pairing with Rubio say they have been surprised by how seriously the Wisconsin governor seems to be taking the prospect. At this phase of presidential campaign, the norm would be for a White House hopeful to summarily dismiss such a move, in public and in private.

Walker said he likes governors and their executive experience better than senators as potential presidents and vice presidents, but that Rubio stands out.

"I do like Marco Rubio," he said. "I think he and I have similar thoughts on national defense and foreign policy."

ADDENDA: The Atlantic declares that on the metric system, I "blustered" "with perhaps a touch of humor." Gee, thanks for that concession. Of course, they also said there are good reasons to take Lincoln Chafee's bid seriously.

Katie Jerkovich, TAFKARP*, wrote up a short item on my chat in Silicon Valley.

* The Artist Formerly Known as "Red Pickle."