Last week, while people were going on about the white woman who posed as black to get an NAACP job, Hillary Clinton's (latest) campaign relaunch and President Obama's trade-bill debacle in the House, a much bigger story slipped by with much less hoopla: the successful seizure of a vast trove of federal personnel records, reportedly by the Chinese.And then it got worse. "Hackers linked to China have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, U.S. officials said Friday, describing a cyberbreach of federal records dramatically worse than first acknowledged."
And there are lessons in this debacle, if we are willing to learn them.
Aside from regular federal personnel records, which provide a royal route to blackmail, intimidation and identity theft for present and retired federal workers, the hackers also stole a trove of military and intelligence records that could be even more valuable. The forms stolen were Standard Form 86, in which employees in sensitive positions list their weaknesses: past arrests, bankruptcies, drug and alcohol problems, etc. The 120 plus pages of questions also include civil lawsuits, divorce information, Social Security numbers, and information on friends, roommates, spouses and relatives.
The result? About 14 million current and former federal employees are in a state of collective panic over the loss of their information. Former State Department employee Matthew Palmer was quoted as saying, "Who is in danger? I listed friends on those forms and my family members. … Are some hackers going to start going after them?"
Possibly. The U.S. military, even in its current somewhat shrunken state, remains an irresistible force in conventional warfare. But this trove of information is perfect for "fourth-generation warfare," in which conventional strengths are bypassed in favor of targeted attacks on a stronger nation's weaknesses. With this sort of information, China will find it much easier to recruit agents, blackmail decision-makers and — in the event of a straight-up conflict — strike directly at Americans in the government, all without launching a single missile.
That's why experts are calling this security breach a "debacle" and "potentially devastating." Some are even calling it a "cyber Pearl Harbor."
Perhaps that's a bit strong: Unlike the real Pearl Harbor attack, there are no burning and sunken ships full of American sailors. On the other hand, if the Japanese in 1941 could have kept the U.S. from interfering with their Pacific conquests through subtler means than air-dropped torpedoes, they no doubt would have been happy to do so. And that's the situation that China, with cyberattacks such as this one, is trying to bring about.
What do we do? Well, so far the federal government is offering free identity-theft protection to its employees, but that response is like putting a Band-Aid on a severed limb — so pathetic it's not even cosmetic. This isn't like a broken code, where we can just change things around and be almost as good as new. Once out, this information will remain current for years, and there's no easy or effective way of doing much about that.
But we can learn our lesson, at least. The United States is highly vulnerable to cyberwar, and not very good about defending against it, especially in the lame-and-inept government IT sector, which has not distinguished itself in terms of competence. (Remember HealthCare.gov?)
For the federal government, one lesson is that really important stuff shouldn't be put online at all. Paper documents have their problems, but at least they can't be hacked and stolen en masse.
For the rest of us, the lesson is that we should probably think twice before entrusting the federal government with our own information. Because if the feds can't protect their own sensitive data, on behalf of people who work for the federal government, how good a job are they likely to do on behalf of the rest of us mere citizens?
