The stage and podium are seen set up before the start of CIA Director John Brennan's news conference at CIA headquarters in Langley, Va., Thursday, Dec. 11, 2014.

The stage and podium are seen set up before the start of CIA Director John Brennan's news conference at CIA headquarters in Langley, Va., Thursday, Dec. 11, 2014. Pablo Martinez Monsivais/AP

Keep Calm and Spy On: Why the OPM Hack Won't Bring Down US Intelligence

For starters, there are very few known cases in which blackmail was involved in getting government employees to give up classified information.

I finally got my letter from the Office of Personnel Management (OPM). What a relief. I was worried my credibility as a commentator would be damaged if my data wasn’t stolen. Imagine how Dan Rather would have felt had he not received Anthrax.

In any case, in the weeks since the story broke, OPM has yet to change their story. The official number is still 4.2 million and the data that was lost is still, according to my letter, “your name, social security number, date and place of birth, and current or former address.” News outlets, however, are putting the number as high as 18 million and are reporting that the Electronic Questionnaires for Investigations Processing (EQIP) system that contains information collected on form SF-86 was compromised. That would be worse than just the loss of employee personally identifiable information. It would include information on employees and contractors as well as their friends and families.

Ian Bremmer is worried about the impact on U.S. human intelligence. He even posted a comment on CFR’s Facebook page about it in response to my last piece. I’m not as concerned. Here’s why:

1. We know about it

Intelligence is about decision advantage and relative gains. If the Chinese had stolen this information without us finding out, we would be truly screwed. It might take us years to piece together why they seemed to have so much more information on us. But this is a GI Joe moment: knowing is half the battle. Because we know what they took we can mitigate the losses. Who knows, we might even find a way to use it to our advantage. Welcome to the wilderness of mirrors.

2. The CIA is pretty good at what they do

The big concern is that the information stolen from OPM could be used to identify U.S. intelligence operatives and the people they meet with. Under this theory, being bandied about in the blogosphere, if the Chinese had a complete list of all federal employees, including those who work at the State Department but excluding those who work in the intelligence community, they could identify CIA case officers under official cover who don’t have State Department employment records and didn’t fill out SF-86s with OPM. If the Chinese then knew which of their officials were meeting with these case officers, they could roll up our network in China.

(See also: China Is the Leading Suspect in OPM Hack, US Says)

That’s a pretty scary scenario. Is it true? I don’t know. I have a lot of respect for the CIA. It’s filled with smart, dedicated public servants that are the best in the world at what they do. And there is nothing, absolutely nothing, the CIA protects more than its sources and methods. If it’s really possible that China now owns our human intelligence network, that’s really bad. But let me take General Hayden’s comment a step further. If it is indeed true that CIA case officer covers’ could be blown by hacking into an OPM database, it’s not shame on China and it’s not even shame on OPM; it’s shame on CIA.  Anything that the twitterati can figure out in a week is something CIA counterintelligence should have addressed long ago. This kind of data is the digital equivalent of pocket litter.

Again, I don’t think we are giving the CIA enough credit here, but if it’s true, the harm can be mitigated since we know what data was lost. It might mean a lot of case officers will be riding desk duty for the rest of their careers. Luckily, this data couldn’t expose any No Official Cover case officers. We will end up relying more on signals intelligence and open source intelligence. Who knows, it might even lead to more work for the Eurasia Group. In short, we can manage the losses.

3. Password resets were already weak

The data could certainly be used for password reset. Even more advanced systems that don’t rely on answers the user provides but pull data from public records could be accessed with the information in the SF-86. But let’s not pretend that password systems were secure before this data was lost. We’ve needed to kill off the password for twenty years. The National Strategy for Trusted Identities in Cyberspace is aimed at doing just that. Most major consumer online services are now offering two-factor authentication. I’ve never run into an online password reset process at a Federal agency for anything critical, but any system using them should put stronger controls in place.

4. Spearphishing is already pretty effective

Could the information be used to target spearphishing e-mails? Sure, when targeting someone with a spearphishing e-mail, the more information, the better. On the other hand, spearphishing is already pretty effective—it’s the threat vector for most significant cyber incidents and LinkedIn and Facebook make it pretty easy. It’s also a problem that some companies are effectively managing through a combination of user training (PhishMe, Wombat Security) and next generation threat detection (Palo Alto Networks, Fidelis, FireEye). At most, access to this data will make a bad problem worse.

5. Blackmail is an overstated threat

There are too many would-be spy novelists in Washington, D.C. conjuring up fanciful scenarios in which information in the EQIP database could be used to blackmail government employees. There are two things to keep in mind when considering blackmail scenarios.

First, there are very few known cases in which blackmail was involved in getting government employees to give up classified information. As far as we know, Edward Snowden and Chelsea Manning were both motivated politically. Aldrich Ames and Robert Hanssen were both financially motivated. The lone case I am aware of in which blackmail was involved since World War II was that of Clayton Lonetree, a Marine stationed at the U.S. embassy in Moscow. The details of Lonetree’s case make for fun reading—he was seduced by a KGB agent named “Violetta Seina” and caught in a honeypot. But the harm he did was, according to the then-commandant of the Marine Corps, “minimal.” He was released from prison after serving only nine years.

Second, one of the main policy justifications for the security clearance process is to mitigate the possibility of blackmail. In part, by collecting the information, the Federal government ensures that foreign spies can’t threaten clearance holders’ jobs with it. Let’s say you admit to past drug use on your SF-86. If you are still granted a clearance, no one can threaten to tell the government about your past drug use.

While the clearance process does capture information on finances and even romantic affairs, problems in these areas quickly get your application rejected. There is no benefit of the doubt. With about 5.5 million clearance holders today, the system most certainly isn’t infallible. But a foreign intelligence agency is going to have a much harder time identifying cases where security investigators made a mistake than the U.S. government in what I am guessing is a massive review currently underway.

This post appears courtesy of CFR.org.

NEXT STORY: Special Report: Beyond Guantanamo

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.