The Washington Post

Manipulation of feds’ personal data is a major danger in OPM cyber-heist

Federal Diary

William “Bill” Evanina, the director of the National Counterintelligence and Security Center. (ODNI Public Affairs)

The Office of Personnel Management (OPM) data breach shows us how espionage is done in the digital world.

It’s not only about the theft of information; it’s also about the potential manipulation of personal data. Records can be changed to make a federal employee appear less trustworthy or possibly destroyed to make a person disappear, at least in the computer files.

Meanwhile, about 22 million federal workers, contractors, job applicants and their families, whose information was stolen, are still waiting for some relief, if only in the form of the services the government promised after the two breaches were announced in June.

Almost all of the victims had their security clearance background investigation information stolen. They haven’t been officially notified yet, nor have they been told how they will get the services, including identity restoration support, identity theft insurance, credit monitoring and fraud monitoring.

Even the promised call center is still a promise.

News on that front is expected next week when the Obama administration plans to announce the outside contractor that will provide the services. “If you are affected, you will not be able to receive personalized information until notifications begin and the call center is opened,” according to OPM.

Federal employees will just have to hope the thieves, allegedly Chinese government operatives, don’t open bogus accounts at Wal-Mart. They probably have far more serious use for the data than that.

In addition to stealing OPM’s records, the cyberthieves could have destroyed or corrupted data, making it suspect and useless.

“The breach itself is issue A,” said William “Bill” Evanina, director of the federal National Counterintelligence and Security Center. But what the thieves do with the information is another question.

“Certainly we are concerned about the destruction of data versus the theft of data,” he said. “It’s a different type of bad situation.” Destroyed or altered records would make a security clearance hard to keep or get.

James Clapper, the director of national intelligence, told MSNBC last month “the next type of attack will involve deletion or manipulation of data as opposed to perhaps stealing it or denying service.” Jani Antikainen and Pasi Eronen, in an article on the Overt Action Web site, said that could result in the government not trusting its own personnel data, and therefore not its people.

Nothing is worse than the loss of trust.

“Suddenly, cleared personnel would have different relatives and some suspicious names in their ‘who do you know’ networks,” they wrote. “These unauthorized changes would thus deliver a massive blow to the trustworthiness of all data in the system….maliciously manipulating official forms and records on a large scale would turn them toxic and into a source of great mistrust.”

Clapper’s office has warned employees they could be hit by various social engineering tools “bad actors” could use “to gain your trust and extract further information or manipulate you to take actions you would not otherwise take.”

The social engineering tools include phishing (for example, using an e-mail attachment to install malicious software), social media deception and human targeting.

Data gathered in the cybertheft could give thieves the information needed to get close to a government worker with a security clearance. Under human targeting, ODNI warned that employees “may unexpectedly meet someone at a venue of interest, such as a conference or child’s school event, who shares your interests or views and establishes an ongoing relationship. Your new friend may test you by getting you to do seemingly small ‘favors’ for them or getting you to talk about trivial work-related information. Over time, trivial information may lead them to information that is of interest.”

Similarly, ODNI said using social media deception “attackers may create a fake profile to befriend their victims while posing as a former acquaintance, job recruiter, or someone with a shared interest. Using a fake online persona, an attacker may try and get their victims to reveal more information about themselves or their employers.”

While dangers from the breach for intelligence community workers posted abroad have “the highest risk equation,” Evanina said “they also have the best training to prevent nefarious activity against them. It’s the individuals who don’t have that solid background and training that we’re most concerned with, initially, to provide them with awareness training of what can happen from a foreign intelligence service to them and what to look out for.”

Using stolen personal information to compromise intelligence community members is always a worry.

“That’s a concern we take seriously,” he said.

And one that will linger for a long time.

“This is not something we need to have our employees be worried about until Christmas, then it will go away,” Evanina said. “This is an enduring threat.”