The news about the Office of Personnel Management’s data breach gets worse every day.
As of this writing, Chinese hackers stole over 22 million personnel files from OPM, forcing Director Katherine Archuleta to resign late last week. This data breach’s potential national security damage to U.S. interests is only rivaled by Edward Snowden’s efforts.
But the news could, in fact, be worse. There is a far more disturbing angle to the story that has not been adequately covered, namely:
What if, in addition to stealing OPM’s personnel records, hackers corrupted them as well?
Ars Technica revealed that not only did Chinese hackers access OPM’s federal personnel records using privileged user accounts, but also foreign contractors, including those based in the People’s Republic of China, were granted unobstructed — so-called “root” — access to the OPM databases and their contents. These user privileges would have allowed the perpetrators to access and to modify individual records as they saw fit.
While there is no public evidence — yet — any digital manipulation took place, let’s spell out the consequences of this scenario. If data within OPM’s systems was modified for a longer period of time — at least from 2014, but potentially all the way back to 2012 — these manipulated records could have gone unnoticed. It would be now very hard to identify the manipulated records from those that weren’t.
The speculation above raises several unnerving questions. What if the information now stolen was also sabotaged over time in a way that it would have been viewed as normal OPM operations? What if these changes were made subtly, as the hackers edited and added new personnel records — just like OPM’s system operators do on daily basis?
A few, easily-overlooked changes to carefully selected parts of the SF-86 questionnaire would be made. Suddenly, cleared personnel would have different relatives and some suspicious names in their “who do you know” networks. These unauthorized changes would thus deliver a massive blow to the trustworthiness of all data in the system.
We hope the attackers did not actually do this. Even though it sounds odd, “mere” theft is far preferable to massive data corruption. This is because maliciously manipulating official forms and records on a large scale would turn them toxic and into a source of great mistrust.
If information sabotage is indeed suspected, OPM would be forced to guess when the attack started and which records have been altered. In other words, it would have to determine what information is trustworthy and what is not.
For a nation that runs on information, this would be a truly catastrophic situation.
If America is forced to examine millions of records by hand, it would not only consume enormous resources, but also would potentially cripple some governmental agencies and departments that rely upon personnel with security clearances. This would include the White House, the Defense Department, the Intelligence Community, federal law enforcement, the federal prison system, border enforcement, and large swaths of the commercial and financial regulatory systems. It would be chaos. What a nice early Christmas present for American adversaries such as Russia and China.
More broadly, the OPM case exhibits what failure in organizational risk management looks like on a massive scale. It also shows the failure to anticipate one of the most dangerous dimensions of the cyber domain: the stealthy corruption of nation’s critical information assets and its impact on the shared feeling of trust.
There are ways to avoid this. In addition to identifying and defending critical information systems, governmental agencies and private companies must identify the information critical to their operations. This is the data needed to run their mission-critical services — i.e. in OPM’s case, maintaining personnel records. Once these critical information resources have been identified, measures need to be taken to assure both information integrity and trustworthiness. The potentially damaging changes to information assets should be identified as they are happening, or even before — not afterwards. By then, it’s too late.
Understanding the importance of critical information assets, their trustworthiness, and their up-to-date status is essential to the nation and private corporations. Otherwise the game is lost.
A final terrifying thought: What if America’s financial institutions and their data are corrupted or sabotaged beyond repair? What would be the effect if citizens and companies could not trust the banking system and its integrity anymore?
The global chaos unleashed from such an incident would make the Crash of 1929 look like a walk in the park.