Bulk Collection Is All Fun and Games Until Office of Personnel Management Gets Hacked

Reuters reports that, contrary to initial reports, the Office of Personnel Management hack revealed earlier this week did compromise the security clearance and background check information in the data, meaning the hack will be far more valuable as intelligence to set up phishing and other further spying efforts. The hack is believed to have been perpetrated by Chinese hackers, though it is unclear thus far whether or not they are part of the government.

Data stolen from U.S. government computers by suspected Chinese hackers included security clearance information and background checks dating back three decades, U.S. officials said on Friday, underlining the scope of one of the largest known cyber attacks on federal networks.

[snip]

A total of 2.1 million current U.S. government workers were affected, according to a source familiar with the FBI-led investigation into the incident.

Accusations by U.S. government sources of a Chinese role in the cyber attack, including possible state sponsorship, could further strain ties between Washington and Beijing. Tensions are already heightened over Chinese assertiveness in pursuit of territorial claims in the South China Sea.

The same report notes that the hack may be linked to the hack of similar scope of Anthem earlier this year.

This is, as a lot of the current and former government employees I follow on Twitter are realizing this morning, a devastating hack, one which will have repercussions both in the private lives of those whose data has been hacked as well as generally for America’s national security, because the data in the OPM servers offers a road map for further espionage targeting.

It is also something the US does all the time — and not just against official government employees of adversary nations, but also against civilian or quasi civilian telecom targets, as well as employees of corporations of interest.

This WaPo piece quotes a number of cybersecurity people suggesting several recent major hacks are being used to pull together large data repositories — similar to in purpose but at this point just a mere shadow of what we do using bulk collection and XKeyscore. But it tries to suggest the Chinese collection of bulk data is worse because, “in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.”

The US Intelligence Community let us have a debate over a mere fraction of the bulk data being collected by the NSA — that collected domestically to target Americans. But for the stuff targeting foreigners on a far greater scale, President Obama proclaimed we would continue collecting in bulk but limit its use to all the major purposes we were already using it for before we ever got around to debating the Section 215 dragnet.

(1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;

(2) threats to the United States and its interests from terrorism;

(3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;

(4) cybersecurity threats;

(5) threats to U.S. or allied Armed Forces or other U.S or allied personnel;

(6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

That scope goes well beyond the scope of those affected in this OPM hack.

Once the government does whatever it can to protect the millions compromised by this hack, I hope it will provide an opportunity to do two things: focus on actual cyber-defense, rather than an offensive approach that itself entails and therefore legitimates precisely this kind of bulk collection, and reflect on whether the world we’ve built, in which millions of innocent people get swept up in spying because it’s easy to do so, is really one we want to pursue. Ideally, such reflection might lead to some norm-setting that sharply limits the kinds of targets who can be bulk collected (though OPM would solidly fit in any imaginable such limits).

China has, unsurprisingly, now adopted our approach, even if it would take a decade for it to catch up in ability to bulk collect from most nodes. And that’s going to suck for a lot of government and private sector employees who will be made targets as a result.

But that’s the world and the rules we chose to create.

Update: See this NYT piece for just how shoddy the security on OPM’s servers was. We’ve been arguing for years about ways to better respond to criminal hackers and neglecting really really basic steps needed to prevent our adversaries from adopting the same approach we use.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

23 replies
  1. bevin says:

    “The hack is believed to have been perpetrated by Chinese hackers,”
    Given the fact that rather more than a quarter of humanity is Chinese, I suppose that there is a real possibility that this belief is reasonable.
    What I can’t understand is how the government, which has already paved the way for this ‘hack’ can complain about it since without its facilitating the business, through insisting on ‘back doors’ being left open, it is unlikely to have occurred.
    Then there is the reaction from the ‘victims’ who must be aware that the US government-the one which as citizens and employees they ought to fear most- already has this information and, very likely, hands it out to corporate and police interests as a matter of course.
    But no doubt they, like so many of us, are obsessed by Cold War myths suggesting that foreigners (especially those of east Asian appearance) are constantly threatening all that is held dear.
    It is unfortunate that the racist and warmongering smear against China is not treated more sceptically.
    Has Pyongyang’s innocence been established? Is Putin already off the hook? Are Iranian used car dealers all cleared? Does not Hezbollah’s massive presence in Latin America call for a full examination of the suspicious absence of evidence?

  2. orionATL says:

    before getting all excited i would have to know precisely how this information could actually be used against institutions (dod,doj,dotreas,etc) or against individual gov employees by chinese, russian, albanian, drugga, bulgerian, nkors, etc.

    what are they going to do with my info ? make up passports ? detain me in beijing when i visit my grandma ? use my gov credit card ? blackmail me about working for a criminal enterprise like parts of the u.s. gov ?

    aren’t the most “important” personnel docs held seperately by nsa, fbi, cia, dod’s analysts&throatslitters, etc. ?

    this may be the brinks heist of hacking, but i will be skeptical that is so until i understand the actual, paid consequences.

    this executive announcement is occurring much too close to strong public criticism of executive spying not to have its provinance and its precise consequences audited and specified.

    • emptywheel says:

      Phishing and blackmail are a whole lot easier when you have a lot of personal data on people, especially when it also comes with signals about how much interesting data a person has access to.

      As I’ve noted on twitter, we ourselves use bulk collection to find spies (AKA informants), presumably by picking people in the right place who have derogatory information that can be used against them. The same principle applies here.

      • orionATL says:

        thanks. i am, as always, informed by what i read here (and the lesser amount i actually comprehend :)) ). i understood from reading here that we blackmail informants and spies (like al-awlaki maybe) which is how i came to mention blackmail re the chinamen (or whomever).

        the most important to me point is to understand in detail what personal info was taken, when exactly, and how and if it might be misused, exactly. right now there’s way too much room for fiction writing, as with the original screenplay the admin released about the slaying of bin-laddin.

        the anthem info could have been a lot more useful for blackmail, but the kinds of behaviors (substance use, various abuses, etc) anthem keeps most careful tabs on (thanks to federal law) was allegedly not compromised.

        all of this sudden disclosure seems a bit too neat and even if an entirely non-self-serving, merits the strongest criticism of the obama administration of the same kind incited by the severely bungled introduction of the phenomenally important affordable care act.

  3. wallace says:

    Meanwhile, OPM retirees LOL while fondly remembering storing records on paper to which only spies with cameras could access. Yeah, the digital “revolution”. Gottcha. The world will regret it one day.

  4. orionATL says:

    reuters : “the fbi has launched an investigation and has vowed to bring the perpetrators to account.”

    oh my. that is funny.

    would this be an investigation like the anthrax caper, the boston bombing, the wtc airplanes pilots and crew, aaron swarz, the saudis in florida associated with the wtc bombing, etc., etc., etc.

    how can the fbi spare the expert it personnel needed, given its fully committed efforts to spy on every last american living ?

  5. jerryy says:

    .
    There are culprits not really being talked about. Jim Comey, et al.
    .
    This needs to not just be laid at their feet or hung around their necks, but glued, nailed and bolted to them.
    .
    We need widespread use of the strongest encryption possible being used for data protection. The administration’s approach is to put millions and millions of people’s lives in real risk rather than use other techniques for investigation. Or more simply, they would rather hang ten innocents than miss the opportunity to trip up a possible, possible jaywalker.
    .
    Encrypting is not an absolute, it is closer to the car stereo protection approach. When car stereos became popular, thieves suddenly came out of the woodwork to steal them. Putting car alarms into play did not even slow the thieves down. The car stereo manufacturers got together and came up with some techniques to make stolen units worthless. Theft rates dropped dramatically. Again, this is not an absolute fix, but it is way better than what we have.
    .

    • phred says:

      Amen.
      .
      Comey needs to be FIRED.
      .
      Alexander should be ARRESTED.
      .
      These corrupt incompetent hacks should NEVER have been put in charge of national security. They are a disgrace to the country. And given the sensitive nature of the hack, they really really need to be prosecuted for UNDERMINING national security rather than enhancing it as their job descriptions require.
      .
      Encrypt everything. All of the time.

  6. orionATL says:

    now i know what happened to poor ol’ pervert denny hastert. he wouldn’t play ball with the chinamen so they turned him oved to the fbi. there is a reciprocal agreement between the cbi and our fbi – you knew that didn’t you.

  7. bloopie2 says:

    “Federal prosecutors in Calif. ask judge to overturn decision requiring search warrant to access cell tower records” per Mike Scarcella. Query: Why do they keep those records in the first place? I don’t think they need them for billing. If they got rid of them, the cops couldn’t access them.

    • emptywheel says:

      Different hack. Read the NYT link in the update and you’ll see not only didn’t they fix they problems, they blew off an IG report on them.

      • orionATL says:

        yeah, i realized that later. i aways work backwards from my own thoughts; creates strange comments.

        i’d like to see an empty copy of the form(s) stolen from opm. i was thinking of the federal security clearance application i filled out (before the current era). i think i can confidently recall two sections, because they were such a bite to collect the info for, that woud be of partcular interest to a snoop –

        1) all the places by specific address that you have ever lived, from childhood.

        2) all the jobs (or education or other “sabaticals”) you have ever held.

        gaps were NOT appreciated.

  8. phred says:

    And while I’m busy being grumpy, one other thing that really really needs to be emphasized in all of this that I have not yet seen mentioned is the overuse of classification, which then leads to millions more people needing background checks and clearances than any rational system would require. It’s completely idiotic.
    .
    So now you have a lot of people with all sorts of information that’s been stolen that conveniently saves the hackers a lot of effort if they are busy jumping on the two hop bandwagon. Background checks and clearances require all sorts of information, including info on family and friends. Then there are things like one’s finances and certain personal habits (depending on the level of clearance).
    .
    Does anyone know whether OPM had records on covert agents/contractors? Because if they did, well golly that would be handy for a foreign government to know.
    .
    Over the last two years I have been struck by all of the ways the feds can’t manage any kind of consistency when it comes to IT security. On the one hand you have agencies (with more or less success) doing what they can to increase computer/IT/data security, while at the same time you have other agencies such as the NSA actively working to undermine those efforts. Kafka-esque does not begin to do justice to the absurdity of the situation.

    • Ryan says:

      http://www.fas.org/sgp/library/quist2/chap_7.html

      And while I’m busy being grumpy, one other thing that really really needs to be emphasized in all of this that I have not yet seen mentioned is the overuse of classification, which then leads to millions more people needing background checks and clearances than any rational system would require. It’s completely idiotic.

      “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.

      It seems like most top secret information stolen by Snowden isn’t that… exceptionally grave. What harm has it actually done? Everything seems so business as usual.

      • phred says:

        The problem goes way way beyond “Top Secret”, there is a vast galaxy of classifications that in turn lead to myriad clearances. In my opinion the majority of clearances are unnecessary, because the relevant information is unnecessarily classified. Limiting classification would reduce the number of background checks that need to be performed.
        .
        Government agencies are not known for being on the cutting edge of IT, much less IT security, which is part of what makes the efforts of the NSA and FBI to undermine security so infuriating. These agencies need all the help they can get. Instead they are often required by Congress to hire contractors of variable competence (often the lowest bidder) resulting in a patchwork of security procedures across the agencies.
        .
        Now having successfully hacked OPM, one can then use information stolen to try to exploit the IT systems of pretty much any agency at will. There are all sorts of things hackers might be looking for from covert agents to technological data to trade secrets to (as EW has suggested) identifying susceptible people who might be in a position to spy for you.
        .
        We have known for a very long time that our IT capabilities across federal agencies are inadequate. We are continually harangued about how scary the world is and the endless threats we are subjected to, such that we need to violate the Constitution on a daily basis. And yet, in spite of all of that, the Executive and Legislative branches have spectacularly failed to bring our IT infrastructure up to speed.
        .
        There are a lot of people who should be fired over the OPM hack. There are some people who should be prosecuted (including Keith Alexander). Further, the chairs of the congressional committees responsible for appropriations and oversight of federal agencies efforts to secure their IT systems ought to be forced to resign in the faint hope that more competent members of Congress will take the job more seriously than their predecessors.
        .
        This stuff is no joke. Too much of our lives have moved into the digital realm for security to be treated as the afterthought that it is currently, whether it is financial information, health information, personal information of all sorts, but also intellectual property, trade secrets, national security information. I firmly believe we over-classify by orders of magnitude, but that’s not to say that there is no need for protecting data and keeping some information private.
        .
        You simply cannot have Comey and Alexander screaming fire in the theater on the one hand, and then be totally cavalier about IT security on the other. People should be fired, but I have no doubt that nothing substantive will be done and Congress will as usual miss the point entirely and will instead make every effort to further erode secure digital systems worldwide.

        • Ryan says:

          If you’d read the entire book, you’d come to an interesting Appendix:

          Appendix G.
          CLASSIFICATION DURATION BASED ON THE
          PROBABILITY OF UNAUTHORIZED DISCLOSURE
          OF THE CLASSIFIED INFORMATION

          The probability of a deliberate unauthorized disclosure of classified information to an adversary government (PDD) is a linear function of the number of persons who know that information. That is, if ten persons know the information, then the probability of that information being deliberately disclosed is ten times the probability of that information being deliberately disclosed when only one person knows the information.

          When you connect something to the internet, it has roughly a million times more likelyhood of being disclosed.

          Part of the current government’s problem is that they abandoned all classification and dissemination rules.

          It’s a giant leaky hose! All you have to do is get a bucket and be in the right place.

  9. Ryan says:

    Why does the database need to be accessed over the internet?

    Not only that, but why isn’t it on a secure wide area network, like FBINET or SIPRNET?

    Well… the British shot an admiral from time to time to encourage the others.

  10. phred says:

    I realize this thread is winding down (if not already dead), but not being a twitterer, I just wanted to comment on the link to:
    http://www.databreachtoday.com/interviews/dissecting-opm-breach-i-2732#.VXR20g0UOU8.twitter
    .
    In which, “Mark Weatherford, the former deputy undersecretary for cybersecurity at the Department of Homeland Security, says the Office of Personnel Management neglected to take several basic steps that might have helped to prevent a breach that may have exposed the personally identifiable information of 4 million current and former government workers.”
    .
    So far so good, but then towards the end…
    “Weatherford is a principal at the security consultancy The Chertoff Group.”
    .
    Oh. Dear. God. If there was ever a group with a talent for selling crappy, yet expensive!, solutions, The Chertoff Group has to be at the top of the list.
    .
    I am depressed.

    • orionATL says:

      ditto.

      it’s hard not to be depressed when fools and ghouls and quick-buck artists are running or pushing our gov.

      other side of the opm story ? congress was kicking opm’s butt – hard – about the number of uncompleted security clearances languishing at opm.

      recipe for success: cut their budget, cut their staff, kick their butt, sit back and wait for successes to unfold.

  11. Rich says:

    So what!
    Each individual has more to fear from OPM abuse and misuse of their personnel files than any hyped imaginary injury via Chinese hackers.
    All these big actors in Gov’t operate off gossip, innuendo, blacklisting, and defamatory screed that never makes into anyone’s OPM file.
    What IS the point of being The Big Cheese, someone like Comey, if you can’t pick and choose your subordinates based upon personal preference and connections.
    It’s a diversion folks

  12. chris l says:

    A bunch of background on what OPM collects for non-clearance (i.e. low risk positions) employees and contractors is available here: http://www.hspd12jpl.org/reference.html the form filled out by people in “low risk” positions are SF85, those in “public trust” positions are SF85P, and for clearances it’s SF86 (not on the web site). OPM then collects additional information from national databases for SF85 people, the same plus some interviews for SF85P, and all that plus interviews and sometimes polygraph for SF86.

Comments are closed.