Keep Calm and Spy On: Why the OPM Hack Won’t Bring Down US Intelligence



1. What we know about it
Intelligence is about decision advantage and relative gains. If the Chinese had stolen this information without us finding out, we would be truly screwed. It might take us years to piece together why they seemed to have so much more information on us. Welcome to the wilderness of mirrors.
2. The CIA is pretty good at what they do
The big concern is that the information stolen from the Office of Personnel Management (OPM) could be used to identify US intelligence operatives and the people they meet with. Under this theory, being bandied about in the blogosphere, if the Chinese had a complete list of all federal employees, including those who work at the State Department but excluding those who work in the intelligence community, they could identify CIA case officers under official cover who don’t have State Department employment records and didn’t fill out SF-86s with OPM. If the Chinese then knew which of their officials were meeting with these case officers, they could roll up our network in China.
If it’s really possible that China now owns our human intelligence network, that’s really bad. But let me take General Hayden’s comment a step further. If it is indeed true that CIA case officer cover could be blown by hacking into an OPM database, it’s not shame on China and it’s not even shame on OPM; it’s shame on CIA. Anything that the twitterati can figure out in a week is something CIA counterintelligence should have addressed long ago. This kind of data is the digital equivalent of pocket litter.
Again, I don’t think we are giving the CIA enough credit here, but if it’s true, the harm can be mitigated since we know what data was lost. It might mean a lot of case officers will be riding desk duty for the rest of their careers. Luckily, this data couldn’t expose any No Official Cover case officers. We will end up relying more on signals intelligence and open source intelligence. Who knows, it might even lead to more work for the Eurasia Group. In short, we can manage the losses.
3. Password resets were already weak
The data could certainly be used for password reset. Even more advanced systems that don’t rely on answers the user provides but pull data from public records could be accessed with the information in the SF-86. But let’s not pretend that password systems were secure before this data was lost. We’ve needed to kill off the password for twenty years. The National Strategy for Trusted Identities in Cyberspace is aimed at doing just that. Most major consumer online services are now offering two-factor authentication. I’ve never run into an online password reset process at a Federal agency for anything critical, but any system using them should put stronger controls in place.
4. Spearphishing is already pretty effective
Could the information be used to target spearphishing e-mails? Sure, when targeting someone with a spearphishing e-mail, the more information, the better. On the other hand, spearphishing is already pretty effective—it’s the threat vector for most significant cyber incidents and LinkedIn and Facebook make it pretty easy. It’s also a problem that some companies are effectively managing through a combination of user training (PhishMe, Wombat Security) and next generation threat detection (Palo Alto Networks, Fidelis, FireEye). At most, access to this data will make a bad problem worse.
5. Blackmail is an overstated threat
There are too many would-be spy novelists in Washington, D.C. conjuring up fanciful scenarios in which information in the e-QIP database could be used to blackmail government employees. There are two things to keep in mind when considering blackmail scenarios.
First, there are very few known cases in which blackmail was involved in getting government employees to give up classified information. As far as we know, Edward Snowden and Chelsea Manning were both motivated politically. Aldrich Ames and Robert Hanssen were both financially motivated. The lone case I am aware of in which blackmail was involved since World War II was that of Clayton Lonetree, a Marine stationed at the US embassy in Moscow. He was seduced by a KGB agent named “Violetta Seina” and caught in a honeypot. But the harm he did was, according to the then-commandant of the Marine Corps, “minimal.” He was released from prison after serving only nine years.
Second, one of the main policy justifications for the security clearance process is to mitigate the possibility of blackmail. In part, by collecting the information, the Federal government ensures that foreign spies can’t threaten clearance holders’ jobs with it. Let’s say you admit to past drug use on your SF-86. If you are still granted a clearance, no one can threaten to tell the government about your past drug use.

While the clearance process does capture information on finances and even romantic affairs, problems in these areas quickly get your application rejected. There is no benefit of the doubt. With about 5.5 million clearance holders today, the system most certainly isn’t infallible. But a foreign intelligence agency is going to have a much harder time identifying cases where security investigators made a mistake than the US government will in what I am guessing is a massive review currently underway.
DefenseOne: http://bit.ly/1gjayql
