The OPM hack: Much worse than anyone in government will let on

The catastrophic hack of federal employee records is even worse than previously reported. The Office of Personnel Management had acknowledged that about 14 million current and former federal employees, rather than the 4 million originally claimed by the administration, had the most intimate details of their lives hacked by China. This tragedy has been compounded by the revelation that almost everyone who has received a security clearance from the government – military, intelligence, and diplomats – has had the most closely held secrets of his or her life revealed to the Chinese.

Associated Press:

Deeply personal information submitted by U.S. intelligence and military personnel for security clearances - mental illnesses, drug and alcohol use, past arrests, bankruptcies and more - is in the hands of hackers linked to China, officials say.

In describing a cyberbreach of federal records dramatically worse than first acknowledged, authorities point to Standard Form 86, which applicants are required to complete. Applicants also must list contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant are required.

In a statement, the White House said that on June 8, investigators concluded there was "a high degree of confidence that ... systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated."

"This tells the Chinese the identities of almost everybody who has got a United States security clearance," said Joel Brenner, a former top U.S. counterintelligence official. "That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."

The Office of Personnel Management, which was the target of the hack, did not respond to requests for comment. OPM spokesman Samuel Schumach and Jackie Koszczuk, the director of communications, have consistently said there was no evidence that security clearance information had been compromised.

The White House statement said the hack into the security clearance database was separate from the breach of federal personnel data announced last week - a breach that is itself appearing far worse than first believed. It could not be learned whether the security database breach happened when an OPM contractor was hacked in 2013, an attack that was discovered last year. Members of Congress received classified briefings about that breach in September, but there was no public mention of security clearance information being exposed.

J. David Fox, president of the American Federation of Government Employees, said, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."

Some are calling this our "Cyber Pearl Harbor," and given what we know so far, it's hard to argue with that characterization.  What an unmitigated disaster for millions of federal employees.  Every American should be outraged that this has happened and demand that steps be taken to better defend ourselves from these attacks.

So how do we respond to this aggression?  The problem is that anything we might do could be met with an even more dangerous hack by the Chinese, perhaps targeting our power grid or something equally vulnerable.  And besides, rules for this new kind of warfare have yet to be written:

"Insofar as this is espionage - which is to say insofar as it was not the hackers coming in and actually changing data, or destroying a database, or doing damage versus stealing information - we've always made quite clear that all governments engage in espionage," Ken Lieberthal, an expert in U.S.-China relations at the Brookings Institution, told CBS News. "We're limited in any kind of retaliatory measures we can take because presumably we're doing the same thing to them."

The U.S. may just be "better at not getting caught," he said.

Presumably, our hackers are just as talented as their hackers, and their systems, if not just as vulnerable as ours, can be accessed with time and patience.  In the arms race between cyber security experts and the hackers, the hackers have shown themselves to be able to stay one step ahead.  That situation is likely to continue for the foreseeable future, which makes every American vulnerable.

Not a pleasant thought.
