According to a recent report, “Chinese hackers are using information gained from the breaches of the U.S. Office of Personnel Management, as well as intrusions into the Anthem and CareFirst BlueCross BlueShield health insurance networks, to build a complete profile of federal employees.”
For Cold War vets who dealt with the intelligence struggles between the United States and the former Soviet Union, this is no surprise. In fact, the popular TV series “The Americans” is not far off the mark in many of its episodes.
The Soviets quickly figured out that, in America most information about our people was held in or by the private sector (especially insurance companies) as well as by many routine state and federal government agencies — so they penetrated these, just as the Chinese have done. In those days, however, the Sovs used deeply buried human agents to manually collect and skim information, some within government agencies themselves.
This made their assessments of various individuals much easier as they were able to assemble detailed dossiers on those they were most interested in They were also able to extrapolate and interpret the information and identify agents operating with false identities or under some kind of cover — official or otherwise.
The Chinese have done this same thing electronically — and hit the “motherload” of sensitive personal information: The 21.5 million U.S. persons who have ever applied for security clearances — that’s 21.5 million.
Specifically, “the most sensitive information stolen in the OPM breach was lifted from what is known as the Standard Form 86, or SF-86. The 127-page security clearance application is essentially a road map to your life. It contains highly detailed information on everything from where an applicant lived and worked, to personal references, family members, friends and associates, as well as drug history and intimate health information.”
So, some Chinese intelligence officer anywhere in the world can open my SF-86 and learn all about me: Where I have lived my entire life, my relatives, friends, co-workers, neighbors, children, marriages, work experience and personal health history.
The Chinese agent would learn, for example, that I was stationed in Taiwan from 1973-1975 and worked with a number of Chinese officials in various branches of the government of Chiang Kai-shek and the KMT political party — as well as all of my social, university and other professional contacts there.
Even before they stole the OPM data, the Chinese were very good at correlating this kind of data manually — to the extent that in the 1980s, when I was on the Nuclear & Space Talks (NST) Delegation, I attended an embassy social event in Geneva and was approached by a Chinese “diplomat” who clearly knew I had been in Taiwan. To the extent that the Chinese will share this information with others, my entire personal dossier will be for sale or trade — along with 21.5 million others.
How do we stop this information bleeding? That is, before the Chinese and Russians know more about each of us than the IRS, OPM and the Social Security Administration combined.
Better question: Why aren’t we testing our critical cyber infrastructures with carefully managed stress so weaknesses can be identified and fixed before they are discovered and exploited? This is especially important since many of these infrastructures are part of our private sector, while in the rest of the world they are mostly government-centric — and defended by active measures.
We may be ready to try this concept because of an innovative and bipartisan proposal from Republican Sen. Susan Collins of Maine. The Collins amendment [S-1828], is a step in the right direction because it enables the Department of Homeland Security (DHS) to:
• “[O]perat[e] consolidated intrusion detection, prevention, or other protective capabilities and use of associated countermeasures for the purpose of protecting agency information and information systems from information security threats”
• “[D]evelop and conduct targeted risk assessments and operational evaluations for agency information and information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments”
This approach could be expanded and extended to our critical cyber infrastructures — public and private — assuming a well thought-out legislative and regulatory structure was in place. If so, a “managed cyber stress” activity might proceed as follows:
• The DHS secretary, in accordance with carefully drafted and privacy sensitive implementing directives, would promulgate a generic list of facilities, activities and industries that were determined to be “critical infrastructure.” This could include, for example, ports, inland waterways, pipelines, railroads, airspace controls, electric power grids and nuclear power plants.
• The DHS secretary would then liaison with these key facilities (including their regulatory agencies) to establish a cooperative cyber security relationship with them.
• The DHS secretary could then direct that one or more of these key sectors be placed under “managed cyber stress” to determine exploitable cyber weaknesses.
• Interagency government teams — perhaps with contractor support — would carry out the actual stress testing.
• Because the main purpose for the stress testing would be to discover exploitable cyber weaknesses, there would need to be attorney general-approved procedures if other discoveries were made, e.g., criminal or regulatory violations. Such procedures are common in other federal regulatory structures.
• After the stress testing, there would be a comprehensive technical dialogue with the tested facility, as well as periodic follow-ups to insure that identified weaknesses were corrected.
• Reports on the stress testing (and status of technical follow-ups) would be made to relevant Congressional oversight committees.
Until we establish such a program, we remain at very high risk for catastrophic cyber-induced penetrations and crashes of, for example, our power grids. So, why not take the legislative and regulatory steps necessary to prevent it?
• Daniel Gallington served in senior national security positions in the Office of the Secretary of Defense, the Department of Justice and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.