Espionage Lessons from the OPM Hack

It has almost been a month since the Office of Personnel Management (OPM) infiltration was made public and shockwaves of the hack reverberates in Washington, D.C. and beyond. In response, officials have shut down the E-QIP background investigation system. Security and privacy professionals seem united in their demands that OPM director Katherine Archuleta be held accountable for the security lapses in the organization. Commenter after commenter diagnoses the problems in our systems, institutions, and infrastructure, demanding accountability and change. While we continue to extract negatives from the story of the OPM hack, three lessons emerge that might give us hope for a secure future.

Lesson #1: Security is not assured in digital systems 

The incident should remind us that every networked system is vulnerable. Cyber espionage is a reality and a problem every institution will have to deal with. The events of the last few months only make this clear as the U.S. government officials admitted the State Department was hacked, which then led to an intrusion that even included some of Obama’s personal emails. The Syrian Liberation Army hacked the mil.gov website and public relations portal. Of course, to top it off, records for 4 million (or possibly many more) federal workers were stolen from the OPM, likely by the Chinese. Included in this massive amount of information is the background form that every employee who seeks secret clearance must fill out and includes some of the most intimate details about one’s personal life.

Searching for someone to blame is not really the answer. Rethinking what is available and networked is since the Internet was never designed with security in mind. Yet we continue to trust it with our deepest and darkest secrets. Once the vulnerabilities and the weaknesses of our systems are made clear, we can move forward with fixing the problems and altering the nature of how we share information. The simple conclusion is that we have entered an era of cyber espionage, not necessarily cyber war.

Lesson #2: U.S. human intelligence will need to adapt to the digital age

Some have gone so far as to call the OPM hack a greater national intelligence failurethan the Snowden affair. Make no mistake, the hack was large and comprehensive, but we also must move beyond the spy fantasies that pervade analysis of the OPM hack. The typical story is that this information could be used as a stepping stone to siphon off state secrets. Using cheap and available data mining tools similar to the NSAs’, the opposition could use the information to build a profile of individuals susceptible to blackmail, such as a federal employee with a history of extra-marital affairs and ties with the Chinese nationals, information all in the SF86 form were  stolen. Once identified, these targets could be subject to honeytraps, a threat that MI5 has previously warned about in other contexts.

Whatever the Chinese do with the data, not all is lost. As Knake writes “I don’t think we are giving the CIA enough credit here, but if it’s true, the harm can be mitigated since we know what data was lost.” For example, while it may now be very difficult to establish cover for an agent already working in intelligence system, this does not prevent the intelligence community from hiring new agents or converting current government employees who have not requested security clearance into assets in the future. The U.S. has not lost all of its HUMINT capabilities because of the hack and information leak, but it will need to adapt to take into account OPM-style attacks in the future.

Lesson #3: The main vulnerability to security systems remains external to U.S. government networks

The perpetrators hacked the OPM by stealing the credentials of an outside contractor. There are things being done to increase security in U.S. government systems, yet vulnerability will remain through external contractors with access, like Edward Snowden. This is why it is important do more than monitor systems constantly, we must hunt those who already have access and are using it maliciously, or those that might do in the future, as Richard Bejtlich advises.

The deeper need is to rethink how we store critical information. That the director of the OPM described their systems as a “hackers dream” in November 2014 should give us pause and rethink our reaction to this latest violation and the need for basic cyber hygiene. There is a collective incompetence in the digital security management of the United States that needs to be rooted out. Merely hiring a new computer security manager for the OPM will not fix the deeper problem of failing to understand the security needs of our infrastructure.

At the strategic level, the exploit of OPM’s four million records means very little. It has not and will not change how the United States conducts the business of foreign policy, but the entire intelligence community needs reevaluate how it might conduct its mission. It is important to keep the real issue of cyber espionage in mind as we debate the future of conflict. Our current focus on war in an era of dramatic peace can be counterproductive if we do not first focus on the defense and protecting our networks from exploitation. These continued attacks reinforce the point that our security starts with reforming how we protect information.