Anyone working for the U.S. government who had a secret - financial, sexual, criminal or otherwise - well, it’s no longer secret.
The latest cyber data breaches of the Office of Personnel Management included the background investigation records of almost 20 million people. That stolen information is now in the hands of someone else.
“Some people are calling it one of the biggest intelligence failures ever,” said Richard Stiennon, author of There Will be Cyberwar.
Also recently stolen is all the personal information of some 20 million people who signed up for the Canadian-based online dating service for people who are married or in a committed relationship but want to have an affair.
And so is all the health information of millions of Americans who had signed up for health care through Premera Blue Cross, UCLA Health, and Anthem Inc., the second largest U.S. health insurer.
Not only is the background information of millions of people available, so are their social security numbers, credit card numbers, and email accounts. And if they were engaging in any illicit behavior, that information is out there too.
Analysts say that all that data together is a treasure trove of secret information that can be cross-checked, data-mined, and potentially used to blackmail people and undermine U.S. national security.
Who Has It?
Washington has not directly accused any one state, person or organization of the massive data breaches, and it is not clear if they are all the same actor. In the case of independent hackers, stolen data is often put up for sale on the “dark web” to the highest bidder.
If a state like China was behind the OPM breach, as many analysts believe, it will most likely hold onto the information and exploit it.
“An adversary like China, who knows a person’s weaknesses, can use that to intimidate or influence that person, and start them on a path to recruit them as a spy,” said Bob Gourley, publisher of ThreatBrief.com and co-founder of the cyber security consultancy Cognitio.
Whoever has the information also has a critical understanding of the structure of the U.S. federal government.
“They [now] have a complete database of all the people with security clearances. There have also been previous breaches of military and police organizations, so they’ve identified all of those people as well, So just from the data alone, you know who has got access to what critical information,” explained Stiennon.
That, in turn, opens the door to “spear phishing” - sending an e mail that appears to be from a known individual or business. When the recipient opens the email, the hacker gains access to that person's computer.
“So, say you know somebody who is cleared at the top secret level, and their job is with Lockheed Martin and they are actively working in the radar systems, they could be targets,” said Stiennon, who is also the co-founder of IT-Harvest, an independent analyst firm.
Once inside someone’s computer, a hacker can remotely turn on the computer microphone or camera, as well as navigate through documents and emails and go on to attack other people or data banks which might be connected to the original target.
“Unfortunately, the U.S. government is a poorly defended organization corporate-wide,” Gourley said. “There are pockets of very strong security in places like the FBI, the Secret Service, and most parts of the Department of Defense and the intelligence community. Other than that, the government is very poorly defended.”
Brandon Valeriano, a professor at Glasgow University who writes on cyber conflict, agreed that the U.S. government security infrastructure was “a mess.” But he said that fears about the latest data breaches were overblown.
“We have this sort of James Bond-esque perspective of security, with this idea that we can turn agents and get information about their affairs and make them do things for the government – that is kind of an antiquated notion of how things work,” Valeriano said.
“We see this information as sortable and usable, and it’s really not. This is terabytes of information. This is hundreds of thousands of millions of pages of information that is not readily usable, especially when you’re talking about cross language skills,” he said.
Data For Sale
But Brett Williams, a retired Air Force General who was Director of Operations, U.S. Cyber Command from 2012 to 2014, says information, even if gathered by agents of a government like that of China, can still be sold on the market.
And one of the newer players on that market is the Islamic State extremist group.
“We have to understand that things only two or three years ago were available to the most sophisticated actors or nation-states are routinely available to anybody that wants to go purchase them and knows where to purchase them,” Williams told VOA.
Cyber analysts agree that both private industry and government agencies were aware of all the threats and working to counter them. But the latest breaches show that a lot more had to be done.
“I would say most people still underestimate the probability that they will be hacked, and they underestimate how much it will cost in the end. So getting ahead of that risk assessment process is also very important,” Williams said.