If the Chinese government is in fact behind the cyber attack on the Office of Personnel Management (OPM) it would be a “disaster” in terms of counterespionage, says the Atlantic Council’s Jason Healey.
“The kind of information that OPM has is a goldmine for intelligence agencies,” Healey, a Nonresident Senior Fellow in the Atlantic Council’s Cyber Statecraft Initiative, said in an interview.
“For senior government officials, this is particularly worrying on the counterterrorism side,” he said, adding that hackers could use the information they glean from their attack to pinpoint targets at top levels of the US government.
The hackers accessed the records of four million current and former federal employees. The intrusion at OPM occurred last December, but was only detected in April.
A US law enforcement source told the Reuters news agency June 4 that a “foreign entity or government” was believed to be behind the attack on OPM.
In May 2014, the US Justice Department indicted five Chinese People’s Liberation Army officers for hacking into the computers of US companies to steal trade secrets. That action has become a serious point of contention between Washington and Beijing.
Digital forensics experts can easily trace cyber attacks through the hackers’ “fingerprints,” said Healey, who served as Director for Cyber Infrastructure Protection at the White House from 2003 to 2005.
“I suspect the government might know who is behind this based on the fingerprints, and they are just not willing to say,” he said. “But they might not truly know.”
Jason Healey spoke in a phone interview with the New Atlanticist’s Ashish Kumar Sen. Here are excerpts from our interview:
Q: What do we know so far about the OPM hack?
Healey: We know that a Chinese group of hackers successfully penetrated the defense of the Office of Personnel Management (OPM) and gained access to four million records of current and former federal employees. The intrusion happened in December, but OPM only discovered it in April.
Q: Why would the Chinese target OPM?
Healey: What the government is not saying yet is whether or not they believe this was the Chinese state. In previous examples like this, especially where the private sector was involved, they were able to determine this relatively early because each group has its own specific fingerprint. You know if you’ve been robbed by the Oceans 11 gang. They operate very differently from Night Fox.
The digital forensics experts can understand these fingerprints and the specific style. I suspect the government might know who is behind this based on the fingerprints, and they are just not willing to say. But they might not truly know.
Normally, when records get stolen from Home Depot or Target it is by criminal groups and they want to get your personal information to commit fraud. They want to impersonate you. They want to take out credit cards in your name. They want copies of the credit cards that you have so that they can put money in their own pockets.
The information in the OPM databases includes everything about those four million government employees, and I mean everything. So on one hand, if this is the Chinese government, for normal government employees this is maybe actually better than being hit by the criminal groups because we know that the Chinese state is not going to take out credit cards in our names.
However, on the counterespionage side this is a disaster because this would help the Chinese government if it is, in fact, confirmed to be them. They would know so much about you. They may try to impersonate you to gain access to other records. They could try to blackmail you because they know so much about you. For senior government officials, this is particularly worrying on the counterterrorism side.
Q: But if this was the Chinese government, what does it stand to gain from the information?
Healey: We assume that they are doing this to get information to help them collect more information. The kind of information that OPM has is a goldmine for intelligence agencies. Then they can find out not just who is in what position in the US government to start their targeting, but all sorts of private details about them to help answer security questions so that they could impersonate those people, to try to bypass security so they can target them for further intelligence collection.
Q: What was the last major cyber attack in the US linked to the Chinese government?
Healey: There have just been so many. The latest like this was an attack on the health care provider Anthem. Another attack like this was against USIS, which does security clearance. And OPM was hit previously in March 2014.
Lately the Russians have been really accelerating their intrusions, including into the State Department and White House.
Q: There is this sense that government databases are secure. The attack on OPM shatters that belief. Should we be concerned about the security of other more sensitive government databases?
Healey: We would imagine that the US government, as much as they talk about cyber security, ought to have as many bulletproof defenses as you can. But many government defenses are exceptionally poor. The Department of Education, which has student loan information, doesn’t have the money to do the kind of defenses that, for example, the Department of Defense does. The government just doesn’t have the kinds of defenses in a lot of these places that you’d expect and certainly not the level of security that most places in the private sector have. I am much happier with how JP Morgan protects my Social Security number than with how the Social Security Administration protects it.
That said, if this was the Chinese state, they know what they want. They are able to throw tremendous resources into making sure that they can get past very good defenses. I don’t mind so much that the Chinese got into OPM, but the fact that they didn’t get detected for four months, there I think we could have at least expected OPM to have done better, especially since OPM had already been hit before. They should have had better defenses in place to at least catch the intrusion within the first two to four weeks.
Q: How has the government responded to such cyber attacks?
Healey: The government is still struggling a bit on how to tell people about this. The private sector largely solved this issue ten years ago. California passed a law that said if you get hacked or you lose personal information of a California resident you have to tell that California resident that you lost their information. It had to be personally identifiable information—not just the name, but also the Social Security number. It had to be enough pieces of information that became really worrying for privacy reasons.
It is relatively standard if Target or Home Depot loses your information they will buy you at least one year of credit monitoring. They will notify you. There is a process that they have to go through.
The government, however, is still struggling a bit when it comes to doing any kind of notifications. When the OPM got hacked last year they were still trying to figure out how to go through that process and the protections they would offer to people whose information got taken on their watch. We should be keeping an eye on how OPM treats this latest attack.
Q: Why is the US government finding it so difficult to resolve this notification process? Does it not want to appear vulnerable, or is it just a bureaucratic process?
Healey: It is just bureaucratic process. There are a lot of tricky things in there. For example, how sure do we have to be before we tell people? Do we have to be 51 percent sure; do we have to be 80 percent sure; do we only have to be 30 percent sure? A lot of places just don’t have the kinds of detection or enough censors in place to know what got taken. There are some legitimate uncertainties that are very difficult for anybody that has been hacked.
Then you start adding in, if this was China, if this was counterintelligence, everything about counterintelligence gets slapped “secret.” They just throw that cover sheet on it because if it’s counterintelligence you don’t talk about it, because now you’re letting the other guy know you know what they did. Very frequently they just slap counterintelligence on it because they don’t know how to deal with it.
Q: What should people who have been hacked do to better protect themselves following an attack?
Healey: After your personal information has been taken, you should get an offer from whoever lost your information for free credit monitoring. You should make sure you change your passwords and chose especially complex passwords. A lot of my friends who are the real cyber ninjas use “password wallet,” which is an online cloud-based place to store your passwords and it uses fiendishly complex passwords. I use LastPass and it makes my passwords exceptionally difficult to break. You should also keep your computer up to date.
Q: And what should government agencies be doing to better protect themselves?
Healey: The agencies are in a tough position. They don’t have a budget to do security. They have got a difficult Congress to try to work with. What I would offer up to companies, I can’t offer to government. For example, using the cloud can radically simplify resilience and security. That is difficult for a lot of the agencies to try to do. They really have to continue to try to do the basics. The Council on Cybersecurity, which is run by Atlantic Council board member Jane Lute, has a list of Top 20 Security Controls that work for agencies as much as they do for companies.
Ashish Kumar Sen is a staff writer at the Atlantic Council.