The massive breach of government databases storing sensitive information on millions of current and former federal employees is growing more worrisome, with China having access to files that include names, Social Security numbers, personal financial data and other sensitive information.
China could decide to use the data for its own purposes, sell it to the highest bidder purely for profit, or sell it to a foreign enemy of the United States, national security experts told WND.
The breach at the Office of Personnel Management is considered the largest cyber attack ever to successfully reach inside of a U.S. government computer network.
Some 4.2 million federal employees had their personal information compromised and possibly stolen by the Chinese government, the OPM reported earlier this month.
And now a second breach is being disclosed, which could be even more devastating.
At a hearing Tuesday before the Senate subcommittee on financial services and general government, OPM Director Katherine Archuleta said she was not yet prepared to say how many people were compromised in the second breach. Some media outlets reported that as many as another 10 million Americans could have had their IDs stolen.
“This separate breach continues to be investigated by OPM and our investigative partners,” Archuleta said at Tuesday’s hearing. “There was a high degree of compromise related to current, former and prospective government employees and any of those for whom a federal background investigation may have been conducted.”
Terrorist enemies could purchase the data
Lt. Gen. (Ret.) William “Jerry” Boykin, now serving as executive director of the Family Research Council, said the prospect of military or civilian leaders having their personal information sold to terrorists is a very real threat that must be taken seriously.
“First of all you have to ask yourself what could an individual citizen in America do with your personally identifiable information?” Boykin told WND. “Stolen identities are big business and very problematic and the Chinese could use that for the same thing a criminal would, don’t kid yourself.”
He said China could steal the IDs from the OPM database and then sell them to Iran, ISIS or some other foreign enemy.
“I think that’s a very real possibility, particularly given that they have been major supporters of Iran,” he said. “Now, the other thing is, keep in mind that many of these government officials who’ve had their identities stolen are high-profile people that have enemies. And those enemies may be ISIS or Hezbollah or al-Qaida. But the fact their identity has been compromised would not take even a teenager very long to look up tax records and determine where these people live and that could put them in physical danger.
“You can’t downplay that or underestimate it in today’s world where we know the terrorists are motivated to go after high-profile people,” he added. “Once they compromise your identity, it doesn’t take them very long to find out where you live. OPM probably has the largest database of civilian government employees. Also military, and possibly some contractors.”
U.S. Sen. John Boozman, R-Ark., chairman of the subcommittee on financial services and general government, said Tuesday’s hearing on the breach was “one of the most important hearings we’ve had this year, and we will be following up to make sure the recommendations are being followed.”
The hearing continued behind closed doors Tuesday afternoon as the talks moved to classified information.
Archuleta refused to take “personal responsibility” for the breach, saying she inherited decades-old problems of aging computer networks and mismanagement at OPM. She said the agency is now in the middle of a massive systems upgrade, converting data in old “legacy” networks over to modern systems. This is a process that will take another 18 to 24 months to complete.
She said the blame should be shifted to the attackers.
“Government and non-government entities are under constant threats,” from criminals and from other governments, she said. But the Chinese government was never named in Tuesday’s hearing as the culprit.
“Unfortunately, these attacks will not stop. They will increase,” Archuleta said, adding that her goal is to modernize and better confront emerging cyber threats.
In June 2014, OPM began to completely redesign its current network.
“We implemented new firewalls and limited privileged access,” she said. “We are also working on further encryption.”
She said the attack was detected by new cyber security tools placed on the older networks, but it was not detected until a year after it had occurred. She also conceded that this particular attack could not have been prevented by encryption.
In fact, even a couple of the agency’s newer systems got hacked.
“OPM immediately contacted DHS and the FBI and initiated an investigation to determine the scope of the intrusion,” she said. “In early June, OPM informed Congress and the public that notification would be sent to affected individuals June 8 through June 19. We are continuing to learn more about the compromised data.”
About 4.2 million federal employees across all branches of government whose records were submitted to OPM were compromised and possibly stolen, she said. Later in May, the interagency response team concluded additional systems were likely compromised.
“But for the fact that OPM implemented more stringent security tools, we would never have known that the breach occurred,” Archuleta said.
OPM “clearly has a great deal of work to do to secure its modernization project,” said Michael Esser, assistant inspector general for audits with OPM.
Other federal agencies just as vulnerable
In a chilling warning, Esser told the congressional committee that “most” other agencies in the federal government are facing the same issues of having to upgrade to more modern systems while at the same time learning to use protective tools against hackers who are able to penetrate even the newest systems.
Michele Bachmann, a former Republican congresswoman from Minnesota who served on the intelligence committee, said China’s breach of the system could yield a windfall of sensitive data that could have multiple uses.
“Any opportunist could use sensitive, potentially embarrassing information to blackmail, extort or steal from an individual or commit any manner of abuses,” Bachmann told WND.
“Repeatedly during the Obamacare debate, many of us warned loudly and often that Healthcare.gov could be the portal for misuse of the most personal information any American has,” she said. “We learn from experts that sites have links, meaning one government site may allow entry into another.”
Poison pills lurking?
The Chinese are far and away the most prolific global hackers, Bachmann said.
“They use the information to advance their economy, national defenses and military, but they also may sell it, and they are capable of leaving cyber poison pills behind in the database they’ve hacked,” she said. “As much as electronic record keeping is a blessing, unfortunately it can also prove to be a tragic undoing.”
Bachmann, like Boykin, said one of the most frightening scenarios would be if China decided to sell its bag full of personal data on military and law enforcement personnel to a terrorist organization such as ISIS.
Rep. Devin Nunes, R-Calif., chairman of the House Intelligence Committee, appeared on CBS’ “Face the Nation” Sunday and said America is dealing with “the highest threat level we have ever faced in this country.” He was referring to the unknown numbers of Americans who have left the country to fight for ISIS. They will return at some point as hardened terrorists looking to carry out attacks.
ISIS is also the richest terrorist organization in the world, with access to much of Iraq’s oil wealth. It could easily afford to pay a handsome price for stolen data.
Jack Langer, press secretary for Nunes, said the intelligence chairman was speaking strictly of the young people who get radicalized and leave the country to fight for ISIS and the threat that they pose to Western countries on their return.
“Obviously the OPM hack has engendered widespread concern across the U.S. government but I don’t think that was what he was expressing in his comments on the show,” Langer told WND. “That (OPM hack) is a separate, major concern of the congressman at this time.”
Esser said his office issued a special “flash alert audit” on June 17, warning of OPM’s vulnerabilities to hackers. The urgency was meant “to bring to your immediate attention serious concerns we have” that require “immediate action.”
“There is a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications,” the audit said.
Because the first breach, which happened a year ago, was not discovered until April, China had 12 months to sift through the data and decide what was most valuable and worthy of stealing.
The second breach penetrated a computer system that stores background data for security clearances on millions more federal workers and prospective federal employees.
OPM has a long history of systemic failures to protect its own network, Esser said. Three primary areas of concern were identified in audits over the last three years:
1. Information security governance. OPM has managed its security clearances for years in a decentralized manner, and this has had a negative impact on security, Esser said. By 2014, steps taken to centralize resulted in many improvements. However, it is still impacted by the many years of decentralized control over who enters the system, he said.
2. Assessment, to ensure it meets security needs, is lacking, and problems with system authorizations reappeared. OPM recently put new authorizations on hold while it implements its modernization.
3. Use of technical security controls. OPM has implemented a variety of them to make the system more secure. “While this is a positive step, we found they weren’t all being used properly. And without a comprehensive list of (computer) assets, they can’t be adequately protected. Many are old legacy systems that are very vulnerable. But some are modern and could be better secured,” Esser said.