What are the OPM hackers going to do with 1 million fingerprints?
That's an excellent question that national security experts can't answer. And that has them worried sick.
Hacking Social Security numbers and passwords is one thing. But fingerprints are biometrics – they can't be changed and could open doors to hackers that would normally be closed to them.
Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood's panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn't even know yet specifically which personnel have had their prints compromised.
"We do not have that information at this time," said Sam Schumach, an OPM spokesman, explaining that the agency is still assessing the breach and has not yet performed a "deep dive" into the data to assess whose fingerprints are now in the hands of hackers.
Questions also remain about what the ultimate goal of the OPM hackers is, and the administration so far continues to refuse to publicly blame China for the intrusion. Some have likened the breach to an enormous surveillance operation, one that Beijing conducted in order to build databases on the ins and out of the U.S. government and to potentially coerce, blackmail, or bribe officials into divulging closely guarded secrets.
Whatever the motives, the stolen fingerprints are viewed as a uniquely important and unprecedented data heist—one that could reap huge rewards for the hackers for decades to come.
"It's really horrifying, on so many levels," said Peter Singer, a strategist at the New America Foundation and a consultant for the military who just published a book, Ghost Fleet, that imagines what a cyber-heavy 21st-century war between the U.S., China, and Russia might look like. "This is different from the other breaches because this is a cyberattack that was not about intellectual-property theft. It was not about economic advantage of some sort. This is what we call preparing the battlefield."
Part of the worry, cybersecurity experts say, is that fingerprints are part of an exploding field of biometric data, which the government is increasingly getting in the business of collecting and storing. Fingerprints today are used to run background checks, verify identities at borders, and unlock smartphones, but the technology is expected to boom in the coming decades in both the public and private sectors.
"There's a big concern [with the OPM hack] not because of how much we're using fingerprints currently, but how we're going to expand using the technology in the next 5-10 years," said Robert Lee, cofounder of Dragos Security, which develops cybersecurity software.
Prepping the battlefield for what? If China is, indeed, behind the hack, what is happening now in the South China Sea, with the Chinese aggressively moving to expand their security perimeter, puts the U.S. and China on a collision course. The moves are extremely worrisome to Japan, the Philippines, and most of Southeast Asia. These are largely American allies who see the U.S. as a counterweight to China. So far, China hasn't stepped over a line that would cause a serious reaction from Washington. But that may change as the Chinese make provocative moves that threaten their neighbors.
In five or ten years, we may have great cause to regret our incompetence and lax security that allowed so much to be divulged to our enemies.