What Federal Employees Really Need To Worry About After the Chinese Hack
HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
This is a great way to ensure a budget increase and change the subject from illegal mass surveillance. So, there's nothing to worry about!
>> giant database...never be hacked
"Data warehouses" and "big data" have all these problems. I remember a big data security talk where the conclusion was basically "well there's a handful of half-baked solutions for the biggest platforms, but no one actually uses them."
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup. As a resident security guru I frequently developed a blind spot for these executive disasters: reporting or trying to audit them usually led to career pain.
As a former regional acting Security Officer, this whole thing brings three conclusions, which we all knew in the 80s when we set up security principles:
1. Full data should never be fully available on any external or easily linked database. It is far better to have a query/response system that does not have full details.
2. You don't need the full security clearance information unless you're looking for potential spies. Only the CIA internal agency and FBI internal agency data should have been internally available. Ever.
3. Linking position to clearance data (other than NEEDED level of clearance) is never a good idea. We used to keep that on locked laptops (yes, a decade before you civvies got them) in removable locked hard drives for that exact reason. In a safe that was fireproof. And EMP-safe.
-- Tigger warning: This post may contain tiggers! --
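Points 1 and 3 of the post above describe a query/response design: the system that needs an answer asks "does this person meet the clearance level this position requires?" and never receives the underlying investigation file or the person's actual level. The following is an added illustration of that pattern, not code from the thread or from any government system; the clearance ladder, the record layout, the sample records and the audit log shape are all constructed assumptions.

```python
"""Added example: a minimal query/response layer in front of a system of record.

The full background-investigation records stay inside this process; callers
get a yes/no answer against the level a position requires, plus an audit
trail of who asked. Everything below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed clearance ladder; only the ordering matters for the check.
LEVELS: Dict[str, int] = {"NONE": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass
class Record:
    """Full record as held by the system of record (constructed fields)."""
    person_id: str
    level: str
    fingerprints: bytes                      # placeholder bytes, never returned
    contacts: List[str] = field(default_factory=list)


# Constructed sample records standing in for the system of record.
SYSTEM_OF_RECORD: Dict[str, Record] = {
    "p-1001": Record("p-1001", "SECRET", b"\x00fp", ["spouse", "neighbour"]),
    "p-1002": Record("p-1002", "TOP_SECRET", b"\x01fp", ["spouse"]),
}

# Audit entries: (requester, person_id, required_level, answer).
# The log records the question and the answer, never record contents.
AUDIT_LOG: List[Tuple[str, str, str, bool]] = []


def _audit(requester: str, person_id: str, required: str, answer: bool) -> None:
    AUDIT_LOG.append((requester, person_id, required, answer))


def meets_clearance(requester: str, person_id: str, required: str) -> bool:
    """Answer only whether the person holds at least `required`.

    The caller never learns the person's actual level, and an unknown
    person_id answers False just like an insufficient clearance does, so the
    endpoint does not confirm which identifiers exist in the database.
    """
    if required not in LEVELS:
        raise ValueError(f"unknown clearance level: {required!r}")
    rec = SYSTEM_OF_RECORD.get(person_id)
    answer = rec is not None and LEVELS[rec.level] >= LEVELS[required]
    _audit(requester, person_id, required, answer)
    return answer


def response_fields(requester: str, person_id: str, required: str) -> dict:
    """The complete wire response a downstream system would receive.

    Deliberately contains nothing but the boolean: no level, no fingerprints,
    no contacts. Compare with a bulk export, which is the design the post
    warns against and which this layer does not offer.
    """
    return {"cleared": meets_clearance(requester, person_id, required)}


if __name__ == "__main__":
    # Constructed usage: an HR portal checks a SECRET-level position.
    print(response_fields("hr-portal", "p-1001", "SECRET"))      # {'cleared': True}
    print(response_fields("hr-portal", "p-1001", "TOP_SECRET"))  # {'cleared': False}
    print(response_fields("hr-portal", "p-9999", "CONFIDENTIAL"))  # {'cleared': False}
    print(AUDIT_LOG)
```

The design choice worth noting is that the required level is a property of the position, not the person: the caller supplies what the job needs, and the answer reveals nothing beyond whether that bar is met. Adding a bulk "export all records" endpoint beside this one would give back everything the query/response layer was built to withhold.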
Still don't get why China would launch hacking attacks from their own country's IP range, which is why I'm a little leery of the press reporting on this story. Even the government is giving mixed signals as to China's involvement:
Officials are still investigating the actors behind the breaches and what the motivations might have been. Theft of personally identifiable information (PII) may be used for identity theft and financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM data were taken for espionage rather than for criminal purposes, however, and some have cited China as the source of the breaches.
and
Speaking at an intelligence conference on June 24, 2015, Admiral Michael Rogers, director of the National Security Agency and head of U.S. Cyber Command, declined to discuss who might be responsible for the attacks, stating “I’m not [going to] get into the specifics of attribution.... That’s a process that we’re working through on the policy side. There’s a wide range of people, groups and nation states out there aggressively attempting to gain access to that data.” Speaking at the same conference a day later, however, Director of National Intelligence James Clapper identified China as the “leading suspect” in the attacks. Mr. Clapper expressed grudging admiration for the alleged hackers, noting “[y]ou have to kind of salute the Chinese for what they did.... You know, if we had an opportunity to do that, I don’t think we’d hesitate for a moment.”
So, there still is an investigation going on over the breaches, though some intelligence officials like Clapper are already fingering China as the culprit. I think it would be more sensible to follow Admiral Rogers's caution as to assigning blame for the breach given the fact that there is a "wide range" of groups and nations aggressively trying to get access to the data and US systems. It's certainly possible that whoever did it simply used China IP space to launch the attacks in order to cast suspicion on China. So why then are the press and certain government officials beating the drum to cast blame for the attacks on the Chinese?
If the United States chooses to respond in other ways to intrusions from China, experts have suggested that China has multiple vulnerabilities that the United States could exploit. “China’s uneven industrial development, fragmented cyber defenses, uneven cyber operator tradecraft, and the market dominance of Western information technology firms provide an environment conducive to Western CNE [computer network exploitation] against China,” notes one scholar of Chinese cyber issues.
Ah, now I get it.
Because even in the face of this, no politician has the guts to propose a bill that would transfer OPM's work to more competent agencies, fire all of its staffers with a 90-day severance package and have GSA sell the agency's assets at public auction. The worst assault on US national security since the Rosenbergs' treason (yes, much much worse than any of the recent leaks) and no one high level is even losing a job, let alone facing indictment. And the best part: no one in Congress seems to think it sufficiently grave to raise that issue.
This is why when people say Donald Trump is a joke and we need serious candidates, I say bullshit. If you're talking foreign policy as a candidate and you don't have a comprehensive answer to this, you aren't serious because this is more serious than Iran getting a nuke or two. This compromises so much of our ability to do black ops.
A few scenarios are possible:
1. Some high muckedy muck decided they wanted access to the data for some thingy and squashed the CIO/ISSO when they objected. This happens all the time.
2. Lots of compliance and security theater in place giving a false sense of security. What needed to get done wasn't done.
3. Probably some contractors involved who don't really care except to get paid.
4. Inside job.
Just to put recent events in perspective:
1) The Chinese grab a database of our personnel, which lets them impersonate anyone (in the database), find spies and ongoing projects, blackmail federal workers for more information... and no one is charged with incompetence, fired, or even blamed.
2) David Petraeus, former director of the CIA, gave classified information to his biographer/mistress to make him seem more powerful... he pleads guilty, gets a $40,000 fine and 2 years probation.
3) Edward Snowden releases summary information about widespread illegal activity by the U.S. spy services. No specifics about operations or personnel were leaked, resulting in no deaths and no aborted operations (*)... he's banished from the U.S.
4) Chelsea [nee Bradley] Manning releases video evidence of war crimes committed by the U.S. military, literally gunning down members of the international press and other civilians with no provocation... was subjected to months of cruel and unusual punishment (tortured, per U.N. definition of torture), sentenced to 35 years in prison, and given dishonourable discharge.
(*) Quoth the office of the president: "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country..."
An Ars article seems to give the clearest view of a rather murky subject. Basically, there appear to have been multiple ways in to the data, including situations like IT contractors hiring database admins located in places like Argentina and China, at which point it doesn't matter what technical security solutions are put in place since people are explicitly given full access to the data. (I guess technically that falls under the "inside job" scenario?)