Slashdot Mirror


What Federal Employees Really Need To Worry About After the Chinese Hack

HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).

CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some."

vivaoporto also points out that these same hackers are believed to be responsible for hacking United Airlines.

13 of 123 comments

  1. So you made this giant database of sensitive info by weilawei · · Score: 4, Insightful

    And then expected it would never be hacked?

    Bravo.

  2. spying: good when we do it, bad when they do it? by Anonymous Coward · · Score: 5, Insightful

    "build a database of U.S. government employees"

    So waitaminnit... let me get this straight.

    Is this the same US government that has built a database of virtually every internet-using person in the world, including all their private communication, all their personal associations, the contents of their phone calls, where they are at any given moment in time, and every shred of information that can possibly be obtained?

    Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?

    I just want to make sure it's the same one. Because it doesn't seem like a government that spies on everyone in the world to a scale never before seen in history has ANY FUCKING right to complain. Good for the goose, good for the gander, after all.

  3. Fingerprints can't be reissued by grumpy_old_grandpa · · Score: 3, Insightful

    "Fingerprints can't be reissued"

    No shit sherlock.

    At least this makes it obvious that fingerprint databases are ripe for abuse. I guess we can only hope this will lower the popularity of collecting it in the first place.

  4. Multi-factor is the only right way by grilled-cheese · · Score: 3, Insightful

    Proper authentication is made up of at least two of the following:
    • Something you know (Password)
    • Something you have (Smartcard)
    • Something you are (Fingerprints)

    1. Re:Multi-factor is the only right way by Reason58 · · Score: 4, Insightful

      Going to have to disagree. Fingerprints (all biometrics) are identification, not authentication. Just like a SSN, if you cannot change it then it is not a secret.

  5. Leverage by Anonymous Coward · · Score: 4, Insightful

    What this breach really does is give Chinese agents leverage over U.S. citizens in sensitive positions. It completely destroys the ability of the U.S. Government to keep secrets... any secrets... away from a determined probe, because a Chinese agent WILL have information that gives sufficient leverage to conduct blackmail against a person close to the secret.

  6. So where is the rending of garments? by sjames · · Score: 5, Insightful

    Snowden hands over evidence that the NSA has been illegally spying on U.S. citizens and Allies (not to mention perjuring itself before Congress) to an American journalist resulting in a careful release of some data to prove the allegation and the feds call for his head on a platter, even risking an international incident or two to try to disappear him.

    The OPM fumbles and hands over 4.2 million very detailed dossiers on federal employees and 21 million others with security clearance to China and the feds say "no worries, we'll give you a year of credit monitoring.....eventually."

    1. Re:So where is the rending of garments? by sjames · · Score: 3, Insightful

      And meanwhile, Snowden's release had a strong element of public interest to it. There is no public interest in OPM's screw up.

  7. Re:I'm from the Chinese Government by Fire_Wraith · · Score: 3, Insightful

    Great! Since you already have admin access to my network, can you fix up the issues from our last server migration? Outlook keeps cutting in and out during the day, and we'd really appreciate it if you could fix that while you're busy copying all our files.

    Also, can we contact you later if we need copies of your copies as backups? Thanks!

  8. SF86 implications by OffTheLip · · Score: 4, Insightful

    If the number of affected users, via SF86 forms, is as large as reported, the implications are enormous. These clearance request forms contain detailed information about the applicant, extended family, references, etc. Fingerprints just ice the cake.

  9. Re:Non-issue by Anonymous Coward · · Score: 2, Insightful

    Covert officers do not travel under diplomatic cover. You're thinking of non-covert officers, i.e. the "official" spies with diplomatic immunity. The only thing covert, if at all, is that they nominally hold some official position with the embassy. Although often it's an intelligence-related position.

    Covert officers have their status as an officer of the U.S. government classified, and they enter countries as tourists or under some other cover. And when arrested they get to sit in prison. Thus, if you have access to the classified database of all government officers, you'll be able to identify a large number of covert officers.

    Which part of "covert" or "cover" was confusing? Maybe you were associating cover with diplomatic immunity. You should be watching The Americans.

    Note that officer and agent are not the same thing. It would be kind of stupid to use as a deep cover spy anybody who actually worked for the U.S. government. But then again, our HUMINT programs are pretty poorly run these days.

  10. Re:You want to know why the system is broken? by Anonymous Coward · · Score: 4, Insightful

    You're assuming, of course, that the gross incompetence displayed by the OPM is somehow exceptional. How quickly we forget that RSA had their most highly sensitive databases cracked by the Chinese, which stored the secret keys to tens of thousands of key fobs used to access highly classified government and contractor offices and databases.

    If there's gross incompetence here, it's the NSA, and specifically NSA leadership. By choosing to stymie and hold back security technology, they're the ones responsible (more than any other single entity) for the horrendously poor choices we have in terms of securing infrastructure. It's not just about algorithms. They've been putting up roadblocks to pervasive use of public-private key smart cards, for example. They do so by suggesting this or that might be illegal; or this or that might lead to a loss of government contracts. They push overly complex standards that they know will never see pervasive adoption.

    The incompetence is that they failed to understand that COTS solutions _must_ be secure. There's simply no way to cultivate and grow a market of secure solutions for the government while sabotaging COTS markets. They're too interconnected. Plus government has to hire the bulk of their IT and engineering staff from the private, COTS-focused job market.

    And the NSA miscalculated how quickly other countries would adopt secure solutions in the U.S. As incompetent as the U.S. government can be, it pales in comparison to the incompetence of Russian, Chinese, and other governments we need to spy on. It doesn't matter how cheap or easy to acquire secure solutions are, if an incompetent bureaucracy would fail to implement properly.

    You're assuming the OPM is uncharacteristically incompetent. But they're almost certainly not. The intelligence agents sabotaged the market in security solutions, so it's entirely predictable that large organizations will fumble the task of securing this information while making it readily available and useable. Remember, the latter is their primary task. Maybe you're a system administrator. Sysadmins seem to think their job of "securing" things is accomplished only when things are locked down so tight nobody can actually make use of the information or resources. I'm a programmer, and to me the failure here is the lack of simple and secure solutions.

  11. Double standards by nrasch · · Score: 5, Insightful

    So Edward Snowden can't be pardoned because of "all the damage" he did to our security (which is nonsense for the record).

    But on the other hand these clowns can allow something orders of magnitude worse to happen that has real, actual consequences for security, and not a damn thing will happen to them.