Hackers stole the personally identifying information of more than 20 million people, the Office of Personnel Management (OPM) revealed yesterday, in a breach that threatens to compromise US intelligence capabilities for years to come.
“Presuming these attacks came from China, it’s debilitating to America’s human intelligence capabilities for a generation,” geopolitical expert Ian Bremmer, founder of Eurasia Group, told Business Insider via email.
Every single person who had applied for government security clearance — whether they were federal employees or not — in the last 15 years had their sensitive background information stolen when the database storing their personnel files was breached by Chinese hackers last year.
“If you underwent a background investigation through OPM in 2000 or afterwards … it is highly likely that you are impacted by the incident involving background investigations,” the OPM stated.
OPM reported that the types of compromised data may include 21.5 million Social Security numbers, as well as any information revealed on an SF86 form, a 120-page questionnaire that examines an applicant’s personal history, including their financial records (such as gambling addictions and any outstanding debt), drug use, alcoholism, arrests, psychological and emotional health, foreign travel, foreign contacts, and all relatives.
“I’m sure the adversary has my SF-86 now,” FBI Director James Comey said to a Senate panel earlier this week. “My SF-86 lists every place I’ve ever lived since I was 18. Every foreign travel I’ve ever taken. All of my family, [and] their addresses.”
Some fear the stolen information could be used by the Chinese government to blackmail, exploit, or recruit US intelligence officers, compromising the success and safety of agents operating at home and abroad, but not all experts agree that the hack constitutes a severe threat to US intelligence.
“There is no blackmail threat,” Dave Aitel, CEO of cybersecurity company Immunity, Inc., told Business Insider. “If there was any chance you could be blackmailed by a foreign government, the US would not have given you security clearance in the first place.”
“If I sent you my SF86, you’d be pretty bored,” he added.
In any case, the Obama administration has yet to call out China directly for its role in the hack, even though all evidence points to China as the origin of the attack, likely because the US regularly engages in the same kind of cyber espionage.
“The US has blamed China repeatedly but with little consequence,” Bremmer said. “The US engages in cyber espionage as well, and China finds the practice far too profitable to give up — even as it risks further deterioration of the relationship.”
Aitel agreed. “We may say, ‘hey, cut that out,’ but it is not a red line. If anything, it’s standard government tradition,” he said. “Unlike economic espionage, regular espionage is considered above board and normal.”
In any case, Aitel noted, the breach was “hugely embarrassing” for the US government.
While OPM’s database, which was largely unencrypted and monitored by a security department with little to no IT experience, was especially vulnerable to attack, the breach also reflects the narrowing gap between the cyber capabilities of the US and its adversaries.
“US officials make very clear that Chinese cyberattacks are the most serious challenge in relations between the two countries,” Bremmer said. “The U.S. doesn’t have the kind of lead on cyber that it does on conventional military force.”
The massive breach — discovered by network-forensics company CyTech Services while it was doing a product demo of its new software package, CyFIR, for OPM in early June — was “classic espionage” on an unprecedented scale, a senior administration official told The New York Times last month.
“If there’s compensation, it’s that the U.S. almost surely has the same information on China,” Bremmer said. “But if the Cold War is any guide, Americans won’t be happy with a level playing field.”