Was China OPM Hack Fair Game?
Was this simply ordinary intelligence collection? Or something more insidious?
Robert Knake, who just stepped down as Director for Cybersecurity Policy at the National Security Council, makes an interesting point in explaining “Why the US Hasn’t Pinned the OPM Hack on China.”
[U]nder emerging norms for espionage in cyberspace, information on Federal employees is considered a legitimate target.
Assuming the Chinese government was behind the incident, its cyber spies were doing exactly what they were trained to do. They were also doing exactly what we should expect them to do, and what we should be prepared to counter. As General Michael Hayden, former director of both the NSA and the CIAin the Bush Administration put it, “This isn’t shame on China. This is shame on us.”
When the Obama Administration has come out and publicly accused another country for a cyber attack, it hasn’t been for this kind of state-on-state spying. What the Obama Administration has strongly objected to is China’s campaign of economic espionage against American companies. In May of 2014, the Justice Department went as far as to hand down indictments for five Chinese military hackers, accusing them of carrying out a multi-year campaign to steal industrial secrets from U.S. companies for the purpose of sharing that information with Chinese companies.
Director of National Intelligence James Clapper has stated in clear terms that the United States intelligence community does not engage in this kind of spying. To do so would undermine the global marketplace by providing an unfair advantage to state-owned enterprises (of which the United States has none).
Getting China to stop this activity is at the top of our diplomatic agenda. Stopping foreign intelligence services from spying is not. If the Obama Administration had taken the advice of former Ambassador to the United Nations John Bolton, and kicked the Chinese Ambassador out of the country in response to the OPM attack, we would be setting a standard to which we would not wish to be held.
He wonders if that may change:
Over time, we may decide that we need to impose limitations on cyber-spying. The Internet allows for espionage at a scale that was unimaginable during the Cold War. It also allows espionage to be carried out from the safety and comfort of a desk chair, without the personal risks famously taken by spies who operate in the real world. While Americans like Aldrich Ames and Robert Hanssen who sold secrets to the Soviets will spend the rest of their lives in prison, no such penalties can be imposed on the file servers that should not have shared their data with the Chinese. Without these natural limits, state-on-state espionage in cyberspace has few checks.
For now, the judgment of the national security community is that relative gains in intelligence are greater than relative losses. Simply put, we are better off in a world in which we can engage in this kind of spying, accepting that other countries will as well
This is an interesting argument. While embarrassing if caught, it’s long been understood that attempts to figure out the intentions of other state actors through various covert means is fair game. We spy not only on adversaries but also on allies and understand that they’re doing the same to the best of their ability.
The OPM hack is different, though, in that almost none of us* whose records were scooped up are policymakers and, more importantly, none of the information gleaned has any policy bearing whatsoever. Indeed, there’s no real intelligence value to the information on our security clearance forms even for the very highest officials. The only conceivable value, as War on The Rocks editor Ryan Evans notes for the Washington Post, is its potential for identifying assets.
My SF-86 contains my Social Security number, information about my credit history, my job history (including a dispute with a past employer), contact information for my closest friends and family in the United States and abroad, all non-Americans with whom I am close, a list of every foreign official I ever met, every place I lived and people who could verify that I lived there, and much more. If I had ever been arrested or had any history of drug abuse, I would have had to report that, too.
[…]
This form provides all sorts of information that could be used to recruit an individual as a spy. In fact, collecting such information is the whole point of the form. The U.S. government wants to assess the vulnerability to recruitment or blackmail of every person given access to classified information. Beijing may now have in its hands the most intimate details of the lives of the human beings responsible for generating and keeping our nation’s most sensitive secrets.
Greed, ego and blackmail are among the most common motivations of those who betray their countries. This bounty of security clearance application forms would provide China with information it could use to cultivate sources on all three of these fronts. It would know who is in debt and financial trouble. It would know about stalled careers and past work disputes, over which individuals may still harbor a grudge. And it would know who has family and friends in Iran, China, Russia or other places who may be vulnerable to threats or appeals for information. It is therefore fitting that one former intelligence official has described this data as the “crown jewels.” Troublingly, there are hints that some of it may already be for sale on the Internet, which could provide any U.S. rival with access to this information.
One can certainly understand China wanting this information. Its collection and, especially, mass dissemination, however strikes me as outside the boundaries of normal intelligence collection—especially in peacetime between nonbelligerents. Indeed, it’s arguably an act of war.
That said, Clapper is certainly right: the real shame here is on OPM and, indeed, the simply horrendous cyber security of the entire Federal government. They’ve managed to simultaneously make the technology frustratingly difficult to use for those simply trying to do our jobs and yet make it laughably porous to our enemies. Evans rightly argues that “It is time for accountability,” including firing senior executives responsible for security as massive penalties against the contractors who let this happen. Sadly, we’ll likely see very little of that.
UPDATE: Via Twitter Evans points to an update from Brian Krebs that casts doubt on the notion that the hackers sold the data:
A database supposedly from a sample of information stolen in the much publicized hack at theOffice of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known asFederal Prison Industries.
Earlier this week, miscreants who frequent the Hell cybercrime forum (a “Deep Web” site reachable only via the Tor network) began passing around a text file that contained more than 23,000 records which appeared to be a user database populated exclusively by user accounts with dot-gov email addresses. I thought it rather unlikely that the file had anything to do with the OPM hack, which was widely attributed to Chinese hackers who are typically interested in espionage — not selling the data they steal on open-air markets.
As discussed in my Oct. 2014 post, How to Tell Data Leaks from Publicity Stunts, there are several simple techniques that often can be used to tell whether a given data set is what it claims to be. One method involves sampling email addresses from the leaked/hacked database and then using them in an attempt to create new accounts at the site in question. In most cases, online sites and services will allow only one account per email address, so if a large, random sampling of email addresses from the database all come back as already registered at the site you suspect is the breached entity, then it’s a safe guess the data came from that entity.
Much more background at Krebs’ post for those interested. If he’s right, this definitely moves the ball on the OPM hack closer to “just ordinary business.”
____________
*I’ve gotten mass notification that my records are among those caught up in this. Given the number of security clearance applications I’ve filed over the years, it would be shocking, indeed, if I wasn’t.
“Indeed, it’s arguably an act of war.”
That puts the USA in the position of committing acts of war against every country on Earth every day of the year.
I don’t know what you do about this. Yes, they could do better encryption but in this age of supper computers the best encryption can be broken. This information could be put on isolated servers but this defeats the advantages of information availability to those who need it. The hackers in most cases are smarter than those who try to build firewalls and in most cases the hackers see it as a challenging game. This problem is not confined to the government. The infrastructure is probably even more vulnerable as are the banks and other businesses. The solution is probably to assume you will be hacked and come up with a plan to mitigate the damage.
@Barry: Again, I think this is of a whole different piece than ordinary intelligence collection. Hacking into the Pentagon or NSA to try to figure out state secrets, weapons technology, future plans, and the like is absolutely fair game and the duty of state leaders to accomplish to the extent possible. Stealing the personal and highly sensitive information of ordinary employees and distributing them to the highest bidder isn’t that.
@Ron Beasley: Agreed. Not keeping all the pieces in one place would be a good start.
Which is a very big assumption and there has been almost no evidence provided to support it.
In fact, while there are a lot of reasons to believe that some Chinese person(s) may be involved it’s unlikely it was a government sanctioned job.
There are a whole lot of officials grandstanding on how bad OPM was in protecting their systems; however, not a lot of discussion on how much money and technology it takes to protect those systems.
Other than taking them off line, it is very difficult, especially those systems that are old and virtually obsolete. I read one article discussing systems that were written decades ago in COBOL.
To layer on security measures is a balancing act between security and utility. More important it takes money and Congress is loathe to allocate on mundane and boring things like infrastructure.
@James Joyner: The problem is if the information is networked there is “no one place'”
I think the bigger question is whether or not OPP is fair game.
You down wit’ OPP? Treach and Vin Rock were.
Unlike China, where the state owns some companies, we live here in the good old US of A where some companies own the state.
@Ron Beasley:
Well, when you make the vault easier to open, you have to expect more people will want to try opening it. That’s the basic trade-off of all security. I imagine there are isolated networks that contain very sensitive information in both the corporate and public sector if only because it makes perfect sense to limit information availability when the whole point is that information shouldn’t be available, for whatever reason.
@Scott:
Spot on.
I’ve been involved in similar situations where an enterprise is utterly dependent on systems that are unprotected and practically unupdateable. Oftentimes, you can’t isolate and protect the data without shutting down operations for months. There is no easy fix. Maybe you can figure out what are the essential processes and operations and yank that stuff out into a new system. Maybe if you’re lucky.
Is this a failure of management? Surely, yes. Is this a failure of properly managing risk? My God, yes. The situation should have been dealt with sooner before it became a catastrophic risk. I cannot absolve them of their responsibility, but I can easily understand how the situation came to be.
Infrastructure spending is a hard sell. Infrastructure spending does not increase revenue nor win market share. Infrastructure spending is definitely not sexy. I have long been an advocate of dedicated, sacrosanct budgeting for just this sort of stuff. It’s glory-free, baseline, protect the bottom-line stuff.
I’ve never worked a government job, but you would think getting infrastructure projects off the ground would be somehow easier. Unless it’s the IRS, government is not really in the Making Dollars business (well, I guess the US Mint is in the business of making dollars, literally.) One would think that network, data, and application security would be an easier sell.
I have to sign confidentiality agreements, but you would be shocked. Your friendly nation-wide bank likely has systems in use today that are older than I am that they inherited four mergers ago that has band-aids on top of band-aids on top of…, you get the picture.
@Ron Beasley: Mostly it’s a matter of time. You have time limits for designing and building security systems. There’s no real time limit on cracking those security systems. So hackers can poke at your system for years before finding a flaw which they can then exploit into bigger things.
There was gross incompetence at OPM. One of the contractors who was entrusted with root access was not only a Chinese national, but he was telecommuting from mainland China. The most basic sense of security would have prevented such a vulnerability.
And it would not be fair to blame Obama for this failure. As noted, it’s institutional.
But what is Obama’s responsibility to handle the situation, and here we see that he, as is accustomed to do so, is failing.
Every time any type of mess like this erupts, we see one common theme: there is no accountability for incompetence or malfeasance. No one is ever fired for their screwups.
That isn’t to say that people aren’t fired. Whistleblowers get fired. People who screw up get reprimanded, demoted, reassigned, or allowed to resign with full benefits and honors.
That’s the Obama style of management. The greatest offense, the sole capital crime, is embarrassing the boss. Everything else can and is forgiven.