27 January 2017

What Is the Adversary Likely to Do with the Clearance Records for 20 Million Americans

By Sina Beaghley, Joshua Mendelsohn, David Stebbins

Almost three years after the hacking of the Office of Personnel Management, 20 million Americans — 7 percent of the U.S. population — who were the victims of the hack should remain vigilant.

Lowering your digital guard could still be dangerous, since the adversary may still know you well and could act against you at any time. In September, a report from the House Committee on Oversight and Government Reform said the massive data breach of security clearance records will likely jeopardize U.S. national security for more than a generation.

To defend against future attempts to use stolen data against the United States and its people, the United States should continually assess the priorities of the adversary who likely perpetrated the attack to evaluate how the compromised data is most likely to be used. And it should be developing robust countermeasures now, as similar but more sophisticated attacks are surely coming.

The OPM breach is very concerning for both national security and individual privacy. Former National Security Agency senior counsel Joel Brenner said the material contained in the breach is a “gold mine for a foreign intelligence service.”

The hackers who broke into the OPM security clearance database likely have in their possession highly detailed, comprehensive personal information about the majority of Americans who are serving as the custodians of America's secrets. According to the OPM website, OPM conducts more than 90 percent of the government's background investigations for more than 100 federal agencies. The stolen material, now in the hands of the hackers, likely has a high degree of accuracy and veracity because it is illegal to knowingly falsify or conceal material in the submission of these forms.

In addition to containing a wealth of personally identifiable information — such as Social Security numbers, passport numbers, birthdates, birthplaces and multiple modes of contact information — the information contained in the breach likely contains detailed information about the victims' residential, employment, travel, educational, criminal, financial, addiction and mental health history as well as detailed information on spouses, cohabitants, other family members and foreign contacts. The breach also likely included background investigator notes derived from interviews of the individuals listed on the forms.

While the U.S. government has stopped short of officially attributing the attack to a specific country or actor, Director of National Intelligence James Clapper said in June 2015 that China is the leading suspect.

Whether China or another nation, a state-actor in possession of the OPM data could present a significant threat to U.S. national security.

Whether China or another nation, a state-actor in possession of the OPM data could present a significant threat to U.S. national security. The severity of that threat depends on two factors: the extent of the adversary's capability to derive insight and targeting information from the data, and the extent to which they are motivated to inflict harm.

It is true that there is considerable personal information already available on the internet and in the public sphere regarding many government employees. However, the level of detail, veracity, and the potential to aggregate this data with all other available data makes the potential for harm much greater because the data from the OPM breach serves as a force-multiplier. It also could help incubate innovative new strategies for using big data against an adversary, which could make the potential risks from the stolen data even greater over time.

The use of the information by the state actor adversary that took it would be shaped by its priorities and objectives. Such an actor likely would seek to leverage the information to further its domestic control against dissidents, to enhance its foreign intelligence, and to improve its position in the global military and economic order.

The information in the data would provide the state actor with opportunity to help alter its position vis-a-vis the United States, because the data can potentially enhance any of the nation's efforts to nullify knowledge gaps, provide new opportunities for forging alliances, bolster regional strategic advantages, and map out routes for potential influence in the United States.

The success of the hack, and the ease with which it seemingly occurred, likely reinforced the perpetrator's faith in such a model of intelligence acquisition — and the faith of other potential future perpetrators as well.

Americans should be prepared. Those whose information was compromised in the breach should be vigilant for suspicious behavior, and maintain that vigilance for years to come. Victims can request their background investigation records from OPM to provide an idea of the extent and detail of information that was compromised.

With regard to email in particular, if in doubt that an email is legitimately from a trusted person, victims should contact the person and ask to be sure.

Finally, victims should ensure that family members whose identities may have been included in the information they provided to OPM are aware that they too should be vigilant against suspicious behavior. These actions won't be failsafe to protect against all the likely follow-on actions by the actor responsible, but they may help mitigate some measure of future damage.

The OPM breach presents a deep concern that more, increasingly sophisticated hacks are likely. The United States and its people should continue to take steps to mitigate the damage and to be prepared for the next assault.

Sina Marie Beaghley is a senior international/defense policy analyst at the nonprofit, nonpartisan RAND Corporation. Previously, she was the director for intelligence and information security issues on the National Security Council staff and a member of the White House Disclosures Task Force.

Joshua Mendelsohn is an associate behavioral/social scientist at the RAND Corporation. Part social scientist, part programmer, part data scientist, he specializes in applying computationally intensive methods to large, difficult data, in order to derive insights on complex human systems.

David Stebbins is a project associate at the RAND Corporation currently working on studies related to intelligence, emerging technology trends, and security cooperation.

No comments: