• Why the Chinese Stole 5.56 Million USG Employee Fingerprints

    October 8, 2015 // 10 Comments »




    Why would anyone want to steal the fingerprints of Federal government employees? Not for identity theft; it is all about biometric espionage.


    Earlier this summer the United States suffered one of the worst data breaches in history, when someone (maybe the Chinese, maybe the Russians) broke into the Office of Personnel Management’s computers.

    The Office of Personnel Management is the primary Human Resources office for the Federal government. Because it is the Federal government, a lot of the files have to do with security clearances, many for employees in sensitive or even clandestine positions. The government has been a bit coy about which agencies’ data was breached, but has made clear it included the Department of Defense.

    For many employees, the data breach is primarily of intelligence concern in that it exposes their personal vulnerabilities, things like debt, past problems with booze or drugs, the kind of stuff that makes it easier to manipulate and recruit someone.

    And there is a lot of fodder for a foreign intelligence service to work with – the hack affected a staggering 21.5 million federal employees and their families, a full seven percent of the entire United States population (which also tells you something about the size of the government workforce.)

    But what about those fingerprints? The Office of Personnel Management now admits it lost an estimated 5.6 million fingerprint records. Why would a foreign adversary want fingerprints?

    To establish someone’s identity, of course. And through that, negate the enormous and very expensive efforts America’s undercover folks make to create alternate identities.


    It works a lot like in the movies. Peter Parker joins the Central Intelligence Agency fresh out of college. A cover life is constructed for him under a new name, or several covers under several names. This takes time, and money, and a fine sense of detail, especially when it is expected that a person have all sorts of information about himself already on Facebook and the like. A 25-year-old without Facebook or LinkedIn? Hmm.

    Peter is drilled on each back story so he can switch between being Peter or Paul or Pat seamlessly. His appearance can be changed, and so, with false passports, “Peter” can travel as a businessperson to China in June, “Paul” can be the tourist who visits in late July and “Pat” the guy finally assigned to a new job at the embassy come August. That stuff has been going on with spies since the beginning of time.

    It worked. Or at least it used to work.


    The science of biometrics changed the game. New technologies like facial recognition, vocal prints and iris scans allow unique indicators to be collected and stored digitally. Once an adversary matches an iris scan from Peter with one collected from Paul, it knows they are the same person. Peter can only ever enter China under one name, albeit with the option of it being a false one. But he must be consistent and stick to the one. His clandestine usefulness is thus very limited.

    The concept has worried American intelligence for some time, particularly because the United States overtly collects biometric information on every person entering the United States and understands the value as well as anyone. The Central Intelligence Agency even produced a defensive how-to manual for its undercover people.

    Nonetheless, the Office of Personnel Management downplayed the danger posed by stolen fingerprint records, saying the ability to misuse the data is currently limited. “An inter-agency working group with expertise in this area… will review the potential ways adversaries could misuse fingerprint data now and in the future,” it said.


    Such reassurances aside, the problem of biometrics reaches much further than just within one country. What about an intelligence officer who travels among various nations?

    Biometrics collected when Peter/Paul/Pat crosses an international border can be shared among allied nations, or sold to less friendly ones. Oh – the Peter from China is the same person known as Paul in Vietnam.

    If not shared between friends, broad-based biometric data can also be collected via a link up with immigration authorities, either by agreement or via computer hack, say at major hubs like Frankfurt, Dubai or Narita. One news source reported a former intelligence service employee as saying “Just before I left, they were gearing up to make a request for CIA officers to recruit foreigners with access to immigration databases.”

    But all that is a lot of work just to collect the information, can involve delicate deals with other nations and must be followed by even more work to sift through a very large haystack looking for a few suspicious government employees. Wouldn’t it be easier if someone were to hand you a 5.56 million record library of fingerprints, all known Federal employees, all organized by real names, and all accompanied by biographical and work data?


    It is entirely plausible the offices inside the American intelligence community which focus on altering or disguising fingerprints just saw their budgets increase, with a little note saying “With thanks to the Office of Personnel Management hack.”

    That is why the new information on the fingerprint hack is so significant.







    Copyright © 2020. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Posted in Embassy/State, Post-Constitution America

    You Want to Commit Espionage with Hacked Personnel Data?

    June 15, 2015 // 16 Comments »




    Did the most-recent, recent, breach of United States government personnel files significantly compromise American security? Yes. Could a foreign government make use of such information to spy on the United States? Oh my, yes.

    China-based hackers are suspected of breaking into the computer networks of the United States Office of Personnel Management (OPM), the human resources department for the entire federal government. They allegedly stole personnel and security clearance information for at least four million federal workers. The current attack was not the first. Last summer the same office announced an intrusion in which hackers targeted the files of tens of thousands of those who had applied for top-secret security clearances; the Office of Personnel Management conducts more than 90 percent of federal background investigations, including all those needed by the Department of Defense and 100 other federal agencies.

    Why all that information on federal employees is a gold mine on steroids for a foreign intelligence service is directly related to what is in the file of someone with a security clearance.

    Most everyone seeking a clearance starts by completing Standard Form 86 (SF-86), Questionnaire for National Security Positions, an extensive biographical and social contact questionnaire.

    Investigators, armed with the questionnaire info and whatever data government records searches uncover, then conduct field interviews. The investigator will visit an applicant’s home town, her second-to-last boss, her neighbors, her parents and almost certainly the local police force and ask questions in person. As part of the clearance process, an applicant will sign the Mother of All Waivers, giving the government permission to do all this as intrusively as the government cares to do; the feds really want to get to know a potential employee who will hold the government’s secrets. This is old-fashioned shoe-leather cop work, knocking on doors, eyeballing people who say they knew the applicant, turning the skepticism meter up to 11.

    Things like an old college roommate who moved back home to Tehran, or that weird uncle who still holds a foreign passport, will be of interest. Some history of gambling, drug or alcohol misuse? Infidelity? A tendency to not get along with bosses? Significant debt? Anything at all hidden among those skeletons in the closet?

    The probe is looking for vulnerabilities, pure and simple. And that’s the scary “why this really matters” part of the China-based hack into American government personnel files.



    America’s spy agencies, like every spy agency, know people are manipulated and compromised by their vulnerabilities. If someone applying for a federal position has too many of them, or even one of particular sensitivity, s/he may be too risky to expose to classified information.

    And that’s because unlike almost everything you see in the movies, the most important intelligence work is done the same way it has been done since the beginning of time. Identify a person with access to the information needed (“Qualifying an agent;” a Colonel will know rocket specifications, a file clerk internal embassy phone numbers, for example.) Learn everything you can about that person. Was she on her college tennis team? Funny thing, your intelligence officer likes tennis, too! Stuff like that is very likely in the files taken from the Office of Personnel Management.

    But specifically, a hostile intelligence agency is looking for a target’s vulnerabilities. They then use that information to approach the target person with a pitch – give us the information in return for something.

    For example, if you learn a military intelligence officer has money problems and a daughter turning college age, the pitch could be money for secrets. A recent divorce? Perhaps some female companionship is desired, or maybe nothing more than a sympathetic new foreign friend to have a few friendly beers with, and really talk over problems. That kind of information is very likely in the files taken from the Office of Personnel Management. And information is power; the more tailored the approach, the more likely the chance of success.

    Also unlike in the movies, blackmail is a last resort. Those same vulnerabilities that dictate the pitch are of course ripe fodder for blackmail (“Tell us the location of the code room or we’ll show these photos of your new female friend to the press.”) However, in real life, a blackmailed person will try whatever s/he can do to get out of the trap. Guilt overwhelms and confession is good for the soul. A friendly approach based on mutual interests and goals (Your handler is a nice guy, with a family you’ve met. You golf together. You need money, they “loan” you money. You gossip about work, they like the details) has the potential to last for many productive years of cooperative espionage.


    So much of what a foreign intelligence service needs to know to create those relationships and identify those vulnerabilities is in those hacked files, neatly typed and in alphabetical order. Never mind the huff and puff you’ll be hearing about identity theft, phishing and credit reports.

    Espionage is why this hack is a big, big deal.








    Posted in Embassy/State, Post-Constitution America

    It’s Good to Be in the Foreign Service (State Dept)

    October 11, 2011 // Comments Off on It’s Good to Be in the Foreign Service (State Dept)

    OK, sure, once in a while I have complained here about working for the State Department as a Foreign Service Officer (FSO), especially in the garden zones of Iraq, Afghanistan and Pakistan, where some 1600 FSO positions exist.

    I need to cut back my complaining.

    Federal employees deployed to Iraq, Afghanistan or Pakistan who are not in the Foreign Service are losing numerous travel, medical and leave benefits because those benefits were not renewed by Congress after they expired October 1. This can include government colleagues from Treasury, Justice, Agriculture and more.

    The following benefits, which are available to Foreign Service officers, will no longer be available to non-Foreign Service personnel posted in Iraq, Afghanistan or Pakistan, according to the Office of Personnel Management (OPM):

    • Reimbursement of travel costs when going home on leave (State estimates $21,000 per year for the cost of these breaks).

    • Reimbursement of travel costs when obtaining necessary medical care when such care is not available locally.

    • Reimbursement of travel costs when evacuating family members who are in imminent danger.

    • Reimbursement of travel costs when transporting furniture and other personal effects when moving to another duty station. State estimates this cost at $25,000; USAID estimates it at $48,983.

    • Mandatory leave for employees who have returned home after a three-year deployment. Agencies also will no longer have the option to offer leave to employees who had served in a war zone for 18 months.

    • Medical examinations, mental health care, inoculations, vaccinations and other preventative care.

    • A death gratuity equal to one year’s salary when an employee dies of injuries sustained while supporting military operations.


    The death gratuity expiration will only affect federal employees making more than $100,000, since the Labor Department in 2009 finalized regulations authorizing a $100,000 death gratuity when a civilian employee dies of injuries incurred while supporting a combat operation.

    Those benefits that expired were originally extended to non-Foreign Service personnel in a 2006 war supplemental bill. OPM issued a notice Oct. 7 reminding agencies those benefits had expired. The proposed 2012 Defense authorization bill, which Congress is still considering, does not contain an extension of those benefits.

    This will not improve morale on Team America.








    Posted in Embassy/State, Post-Constitution America