You Want to Commit Espionage with Hacked Personal Data?

This post was originally published at WeMeantWell.com.

Did the most recent breach of United States government personnel files significantly compromise American security? Yes. Could a foreign government make use of such information to spy on the United States? Oh my, yes.

China-based hackers are suspected of breaking into the computer networks of the United States Office of Personnel Management (OPM), the human resources department for the entire federal government. They allegedly stole personnel and security clearance information for at least four million federal workers. The current attack was not the first. Last summer the same office announced an intrusion in which hackers targeted the files of tens of thousands of those who had applied for top-secret security clearances; the Office of Personnel Management conducts more than 90 percent of federal background investigations, including all those needed by the Department of Defense and 100 other federal agencies.

Why all that information on federal employees is a gold mine on steroids for a foreign intelligence service is directly related to what is in the file of someone with a security clearance.

Nearly everyone seeking a clearance starts by completing Standard Form 86 (SF-86), the Questionnaire for National Security Positions, an extensive biographical and social-contact questionnaire.

Investigators, armed with the questionnaire info and whatever data government records searches uncover, then conduct field interviews. The investigator will visit an applicant’s home town, her second-to-last boss, her neighbors, her parents and almost certainly the local police force and ask questions in person. As part of the clearance process, an applicant will sign the Mother of All Waivers, giving the government permission to do all this as intrusively as the government cares to do; the feds really want to get to know a potential employee who will hold the government’s secrets. This is old-fashioned shoe-leather cop work, knocking on doors, eyeballing people who say they knew the applicant, turning the skepticism meter up to 11.

Things like an old college roommate who moved back home to Tehran, or that weird uncle who still holds a foreign passport, will be of interest. Some history of gambling, drug or alcohol misuse? Infidelity? A tendency to not get along with bosses? Significant debt? Anything at all hidden among those skeletons in the closet?

The probe is looking for vulnerabilities, pure and simple. And that’s the scary “why this really matters” part of the China-based hack into American government personnel files.

America’s spy agencies, like every spy agency, know people are manipulated and compromised by their vulnerabilities. If someone applying for a federal position has too many of them, or even one of particular sensitivity, s/he may be too risky to expose to classified information.

And that’s because, unlike almost everything you see in the movies, the most important intelligence work is done the same way it has been done since the beginning of time. Identify a person with access to the information needed (“qualifying an agent”; a colonel will know rocket specifications, a file clerk internal embassy phone numbers, for example). Learn everything you can about that person. Was she on her college tennis team? Funny thing, your intelligence officer likes tennis, too! Stuff like that is very likely in the files taken from the Office of Personnel Management.

But specifically, a hostile intelligence agency is looking for a target’s vulnerabilities. They then use that information to approach the target person with a pitch – give us the information in return for something.

For example, if you learn a military intelligence officer has money problems and a daughter turning college age, the pitch could be money for secrets. A recent divorce? Perhaps some female companionship is desired, or maybe nothing more than a sympathetic new foreign friend to have a few friendly beers with, and really talk over problems. That kind of information is very likely in the files taken from the Office of Personnel Management. And information is power; the more tailored the approach, the more likely the chance of success.

Also unlike in the movies, blackmail is a last resort. Those same vulnerabilities that dictate the pitch are of course ripe fodder for blackmail (“Tell us the location of the code room or we’ll show these photos of your new female friend to the press.”) However, in real life, a blackmailed person will try whatever s/he can do to get out of the trap. Guilt overwhelms and confession is good for the soul. A friendly approach based on mutual interests and goals (Your handler is a nice guy, with a family you’ve met. You golf together. You need money, they “loan” you money. You gossip about work, they like the details) has the potential to last for many productive years of cooperative espionage.

So much of what a foreign intelligence service needs to know to create those relationships and identify those vulnerabilities is in those hacked files, neatly typed and in alphabetical order. Never mind the huff and puff you’ll be hearing about identity theft, phishing and credit reports.

Espionage is why this hack is a big, big deal.

Image is Creative Commons Licensed Photo from Digitale Gesellschaft.

Obama Administration Expanded Warrantless Surveillance to Target ‘Malicious Cyber Activity’

Defense Department Photo

Documents from NSA whistleblower Edward Snowden show warrantless surveillance was expanded by President Barack Obama’s administration to target “malicious cyber activity.”

After Congress legalized the warrantless wiretapping with the FISA Amendments Act in 2008, non-US citizens could be targeted abroad. The administration developed a new policy for cybersecurity and took steps that would make the difference between a spy and a criminal nearly non-existent.

According to a report from the New York Times and ProPublica, the White House National Security Council decided in May 2009 that “reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical.”

The NSA proposed that the government use the warrantless surveillance program for cybersecurity about the same time.

In May and July 2012, the Justice Department signed off on searches of “cybersignatures” and Internet addresses. The approval was tied to previously granted authority to spy on foreign governments obtained from the Foreign Intelligence Surveillance Court. However, the NSA soon grew frustrated with the limits this imposed on it.

“That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power,” the report indicates. “That rule, the NSA soon complained, left a ‘huge collection gap against cyberthreats to the nation’ because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.”

Before the year was over, the NSA pressed the secret surveillance court for permission to use the warrantless wiretapping program for “cybersecurity purposes.”

As this happened, the FBI’s authority to target Internet data and use it for its criminal and “national security” investigations expanded.

…[T]he FBI in 2011 had obtained a new kind of wiretap order from the secret surveillance court for cybersecurity investigations, permitting it to target Internet data flowing to or from specific Internet addresses linked to certain governments.

To carry out the orders, the FBI negotiated in 2012 to use the NSA’s system for monitoring Internet traffic crossing “chokepoints operated by U.S. providers through which international communications enter and leave the United States,” according to a 2012 NSA document. The NSA would send the intercepted traffic to the bureau’s “cyberdata repository” in Quantico, Virginia…

The newly claimed authority is but another example of an expansion of executive power the Obama administration arrogated to itself without any public debate whatsoever.