The latest big computer hack, apparently launched from China, strikes straight to the heart of the federal government. Both the network and data of the Office of Personnel Management (OPM) have been badly compromised. More than 4 million sets of detailed Personally Identifiable Information (PII), all belonging to present or former federal employees, have been taken. It’s identity theft on a massive scale. Current and ex-federal employees may have trouble sleeping for quite some time. An even bigger worry, however, are the national-security problems the hackers may create.
OPM’s first announcements said that only basic information was lost. But even “basic” information is pretty significant stuff, including names, positions, pay scales, Social Security numbers, and more. That alone should be considered a failure of security. And it could get much worse. Though the first report said security-clearance information was not compromised, we don’t yet know if that is true.
While the initial announcements claimed it was the work of Chinese hackers, they couldn’t say whether it was a state-sponsored intelligence operation or “merely” a criminal enterprise. Cyber-intrusion attribution (determining “who did it”) is very difficult in the best of circumstances. And when the activity comes from China, it’s almost impossible to know for sure whether the hacking is being done by the government, a group of criminals, criminals working for the government, or the government helping friendly criminals. Many specialists in Chinese studies will tell you that it hardly makes any realistic difference, as those lines are regularly blurred.
China and Russia are America’s two biggest and most dangerous cyber adversaries. Of the two, Russia is a bit more sophisticated, particularly with regard to cyber-attacks and spying. Beijing is not that far behind Moscow, however, and the Chinese dedicate a great many more people and other assets to their cyber activities. Both excel at the offensive side of things, which is easier and requires less code to do.
As far as offensive capability goes, America is a match for either Russia or Beijing. And America’s defenses are good, but not perfect. Defending a complex network is a 24/7–365 effort. Attacks and spying have to “slip through” only occasionally to be successful. Russia and China are clever and capable, and both have very strong cyber-criminal allies. This is a dynamic battle that the U.S. has to keep fighting over a long, long term.
As for the latest attack, Americans should be very concerned that we still don’t know the full truth. Is what has been announced really the extent of it, or are other federal agencies affected? The Department of Homeland Security’s Computer Emergency Response Team (U.S. CERT) had been called in to check OPM’s system. To their credit, they found the intrusion. Now they need to check everywhere else. This could be a much wider problem than we now believe.
Additionally, many of the affected employees have high-level security clearances. Can their identities be spoofed? Can some be influenced through this data theft into “helping” Beijing? Both these dangers must be watched and mitigated. Frankly, doing that will take more than issuing a new credit card, replacing money lost in an account, or offering a credit-monitoring service.
Yes, our government spokesmen have all assured us that no security-clearance information was taken. But the records that have been compromised are very detailed, with information going back to the subjects’ childhoods. Are Uncle Sam’s “assurances” accurate, or just wishful thinking?
In the past, when private-sector firms such as Target, Sony, and Anthem Insurance have suffered data breaches, some politicians have called for harsh punishment of the “negligent” firms. They seem to think that if you fine private companies often and severely enough, they’ll secure themselves. One hopes that those lawmakers now understand that they have a log in their own governmental eye. OPM is a premier federal agency with access to help from the Department of Homeland Security. If OPM can’t defend itself, is beating up on commercial companies really the right thing to do?
Clearly, putting the federal government in charge of cybersecurity through regulatory rule-making and enforcement is not the answer. There are no silver bullets (yet), either technical or procedural. The best that can be done is to build the best relationships we can between the government and the private sector, share threat information, share best practices, and lower the risk as much as we can.
In the face of a very dynamic threat, fueled by very skilled adversaries, the key question is not “How could this happen?” Far better to ask: “How can we minimize the occasions of it, and the damage it does to our citizens and infrastructure?” This will not be the last major data breach — for the feds or in the private sector. What matters is that every time this happens, we learn from the experience, we share what we’ve learned, and we work together to get better at defending ourselves from the cyber-bad-guys.
- Steven Bucci is director of the Heritage Foundation’s Allison Center for Foreign and National Security Policy.
Originally appeared in National Review