Part of the reason I am a bit blasé about the Office of Personnel Management hack is that, if the Chinese government is indeed behind it, it’s not by any stretch the most dastardly thing they have done in cyberspace. It’s just the most recent one that we know about. It’s getting a lot of press because personally identifiable information (PII) was compromised.
The Obama administration has decided to eat its own dog food on disclosure and is abiding by its own legislative proposal, which would require companies to disclose a breach like this. OPM has disclosed what investigators reasonably believe intruders took. According to the OPM FAQ, that information includes names, Social Security numbers, dates and places of birth, and current and former addresses. It may also include job assignments, training records and benefit information.
According to the same FAQ, there’s no indication that information related to contractors or family members was compromised. That strongly suggests that, at this point, the investigation has not concluded that security clearance data or the associated investigative files were taken. Given that OPM is following the administration’s draft data breach legislation, I fully expect that if the investigation concludes this data was lost, OPM will disclose it. Stay tuned.
This breach has crossed streams with a breach a year ago that did involve investigative files. David Sanger and Julie Hirschfeld Davis at the New York Times do a good job of untangling these two incidents in their recent article. It takes some close reading to understand that the headline, “Hackers May Have Obtained Names of Chinese With Ties to U.S. Government”, isn’t about this incident but the hack of an OPM contractor a year ago.
So, based on what we know now, this incident is a big loss of PII but it’s not that big a loss of information of intelligence value. We may find out later that the hackers also got their hands on the SF-86s—the forms you fill out when you apply for a security clearance. I am fully confident that if the investigation uncovers those losses, there will be a second statement from OPM and an offer for credit monitoring for contractors and family members.
To put all of this in perspective, here are five Chinese hacks that are worse than the breach at OPM based on a list of significant cyber incidents compiled by the Center for Strategic and International Studies:
- February 2013. DHS says that between December 2011 and June 2012, cyber criminals targeted twenty-three gas pipeline companies and stole information that could be used for sabotage purposes. Forensic data suggests the probes originated in China. Why it’s worse: Espionage is one thing, sabotage is another. This incident crosses into what might be called “preparation of the battlefield”—laying the groundwork for military operations. In this incident, the hackers targeted an entire sector. They weren’t going after business data or stealing designs. The worst you can do with PII? Gain account access. The worst you can do with this info? Blow up pipelines.
- March 2015. Canadian researchers say Chinese hackers attacked U.S. hosting site GitHub. GitHub said the attack involved “a wide combination of attack vectors” and used new techniques to involve unsuspecting web users in the flood of traffic to the site. According to the researchers, the attack targeted pages for two GitHub users—GreatFire and the New York Times’ Chinese mirror site—both of which circumvent China’s firewall. Why it’s worse: This incident gets closer to the line North Korea crossed—interfering with our right to free speech. We haven’t quite articulated a norm in this area, but the International Strategy for Cyberspace comes close. In this case, China targeted GitHub because it was hosting pages for organizations that circumvent its Great Firewall. It may be time we put out a Monroe Doctrine for cyberspace, which would make clear that trying to stifle freedom of speech in this country crosses a red line. We could go further and make it official policy to bring dissidents from other countries under this veil of protection. Taking a page from the Kennedy doctrine, the United States could declare that it will pay any price, bear any burden, host any website and defeat any denial of service attack in the cause of Internet freedom.
- October 2011. Networks of forty-eight companies in the chemical, defense, and other industries were penetrated for at least six months by a hacker looking for intellectual property. Some of the attacks are attributed to computers in Hebei, China. Why it’s worse: This campaign was carried out on a massive scale. It’s information that’s of direct value and it crosses the line from espionage to downright theft by targeting intellectual property.
- January 2010. Google announced that a sophisticated attack had penetrated its networks, along with the networks of more than thirty other U.S. companies. The goal of the penetrations, which Google ascribed to China, was to collect technology, gain access to activist Gmail accounts and to Google’s Gaia password management system. Why it’s worse: Like the October 2011 incident, this campaign was done at scale and drained many of our technology giants of their intellectual property. The hackers also appear to have targeted dissidents, crossing not one but two lines (though many believe the targeting of dissidents was a red herring).
- February 2012. Media reports say that Chinese hackers stole classified information about the technologies onboard F-35 Joint Strike Fighters. Why it’s worse: Under current norms, military technology is fair game, but this one is devastating if true. The hack targeted classified information on one of our most advanced weapons platforms. The info could save the Chinese decades in research and development. Worse, it could be used to find vulnerabilities that could be exploited in combat—think the pilot episode of Battlestar Galactica.