The first reports of the massive penetration of Office of Personnel Management files and security clearance applications — apparently by Chinese hackers most likely working for, or with, that country’s military intelligence apparatus — included grumbles from the affected employees that the administration didn’t handle the situation very well.
Those early grumbles were but the snap responses of a few individual employees the media chose at random. Now that the millions of people potentially affected by the hack have been given a few days to digest the news and consider the Administration’s response, their attitude has soured into what government employees described to BuzzFeed as “collective panic.”
It is interesting that the mainstream press has not exerted itself to collect a wide range of responses. Usually they’re all about the human-interest angle. Every news organization could easily talk to dozens, or hundreds, of federal employees and produce a piece like BuzzFeed’s, but they have not.
Tellingly, only former government employees jeopardized by the hack were willing to go on the record with BuzzFeed. Current employees insisted on remaining anonymous.
One of these anonymous individuals was a homosexual diplomat who works in the Arab world, and now has doubts it will be safe to continue on that career path, since the hackers will know he recently married his same-sex spouse, and such things are viewed dimly in the countries where he has been working.
That is just one of many examples of how sensitive information from the compromised security-clearance applications — which run to 117 pages in length apiece, not including additional supporting documentation and computer files — could be used to raise all kinds of hell for Americans abroad. Another example, reported by Business Insider, concerns a retired military man who disclosed a 20-year affair in his security clearance application. These files are chock-a-block with juicy blackmail information.
Former State Department employee Matthew Palmer went on the record with Buzzfeed to complain about the Administration’s lackluster response to the breach. “I basically vacillate between being really panicked and being really angry at the government that this information was not secured in some better way,” he said, expressing concerns that his family and friends could become secondary targets for the hackers, or whoever they decide to pass that information along to.
Palmer complained that the email sent to federal employees by the Office of Personnel Management on Friday reads like an unprepared agency slapping the “panic button” and sending out a generic list of “stay safe on the Internet” tips, rather than a “specific plan of action.” Even the measures taken to ensure recipients couldn’t forward the email to third parties — like, say, the media — were amateurish.
Another remedial measure announced by the government is 18 months of credit monitoring service and a million-dollar liability policy for identity theft — measures American Federation of Government Employees president J. David Cox found inadequate, as he noted identity thieves are “smart enough to wait 18 months before exploiting the information they took.”
That is assuming petty crime is the goal of this immense and sophisticated hacking operation. There is currently little evidence of such motivations, which is interesting, because the pilfered data would have been worth millions on the black market if sold quickly. Identity theft is a time-sensitive operation. It is important to act before the victims realize their Social Security numbers, credit card numbers, passwords, etc. have been compromised, and take remedial action.
Remember, the data breach actually happened near the end of last year — it was discovered, apparently by accident, in April, and not disclosed to the millions of victims until now. In previous identity-theft hacking operations, such as the big scores pulled off by Russian gangs over the past few years, the stolen data was sold on black-market websites while it was still fresh. That is one of the ways security investigators learned the extent of the crimes – they monitor shadowy criminal data markets carefully. The gang that pulled off the biggest data heist in history does not seem interested in making a few bucks by selling off their wares, or by using the data themselves for financial crime.
Rest assured, that data will be used. The OPM hack represents a once-in-a-generation opportunity for China and its allies, and it will be exploited in a variety of ways. One easy tactic would be leaking damaging information about Americans working overseas to hot-tempered local parties, perhaps along with intel that would assist in targeting them for the forceful expression of those hot tempers. What happens to American diplomatic and intelligence operations if it becomes unsafe for thousands of key personnel to work beyond our borders?
Another possibility, advanced by a senior diplomat who spoke with Business Insider, would be comparing the stolen security clearances with other data sets, such as publicly available lists of officials at U.S. embassies, to “make educated guesses about who might be a spy.” The penumbra of such “negative information” surrounding the data stolen by these hackers is vast. Intelligence operatives value data that disproves theories and rules out possible enemy operatives almost as much as they love information that conclusively identifies spies and their methods.
Former NSA counterintelligence officer John R. Schindler, who previously advanced some valuable insights about the OPM hack on his own blog, wrote a hefty piece for the Daily Beast on Monday in which he argues “China’s hack just wrecked American espionage.”
“Armed with very private information about the personal lives of millions of security clearance holders, foreign intelligence services can blackmail and coerce vulnerable officials,” Schindler warns. “To make matters worse, foreign spies can use data purloined from OPM background investigations to head American mole-hunters off at the pass. For Beltway counterspies, the OPM breach will take decades to set right.”
This is not even the worst fallout from the data breach, in Schindler’s view. He points out that the Chinese and their allies must now be presumed to have cracked many of the invaluable secret methods American intelligence services use to protect their agents, such as the way false identities or “legends” are constructed to protect covert operatives. The data stolen by these hackers will make it “fast and easy” to penetrate these covers and identify our agents.
“For American spies abroad, this can be a matter of life or death, and any personnel sent into countries where they could be targeted for kill or capture — which in the age of the Islamic State is a depressingly long list — need to be deeply concerned about how much the OPM breach has complicated, and perhaps threatened, their lives,” Schindler concludes.
No wonder there is “collective panic” afoot, as millions of federal employees realize the Obama Administration has been caught with its digital pants down again. This crew really cannot be trusted to run any sort of website or database. In the best case scenario, a bit of credit-card theft would be the worst of it. As it stands, however, it appears that it will take years to address all the possible ramifications of the breach for American diplomacy, intelligence, and the personal lives of the affected government employees. At the moment, those employees are left watching the spectacle of the administration following its standard protocols and prioritizing damage control, the deflection of responsibility, and media manipulation above coming clean and addressing its devastating failure.
Update: One recipient of the OPM’s letter to potentially compromised current and former federal employees is columnist Mona Charen, who worked for the Reagan White House. She writes at National Review that her favorite part of the letter is the disclaimer that says, “nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.”
“No, I wouldn’t expect the government to accept liability for screwing up, now or ever,” Charen remarks.