Hacked federal personnel files could turn employees into foreign spies

June 5, 2015
A Department of Homeland Security worker listens to President Barack Obama talk at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, January 13, 2015. REUTERS/Larry Downing

Did the most recent breach of U.S. government personnel files significantly compromise American security? Yes. Could a foreign government make use of such information to spy on the United States? Oh my, yes.

China-based hackers are suspected of breaking into the computer networks of the United States Office of Personnel Management, the human resources department for the entire federal government. They allegedly stole personnel and security clearance information for at least 4 million federal workers.

The current attack was not the first. Last summer the same office revealed an intrusion in which hackers targeted the files of tens of thousands who had applied for top-secret security clearances. The Office of Personnel Management conducts more than 90 percent of all federal background investigations, including those required by the Department of Defense and 100 other federal agencies.

The reason all that information on federal employees is a goldmine on steroids for a foreign intelligence service is directly related to what is in the file of someone with a security clearance.

Most everyone seeking a clearance starts by completing Standard Form 86, Questionnaire for National Security Positions, an extensive biographical and social contact questionnaire.

Investigators, armed with the questionnaire info and whatever data government records searches uncover, then conduct field interviews. The investigator will visit an applicant’s hometown, her second-to-last boss, her neighbors, her parents and almost certainly the local police force to ask questions in person. As part of the clearance process, an applicant will sign the mother of all waivers, which gives the government permission to do all this as intrusively as the government cares to do. The feds want to know everything possible about a potential employee who is due to be given the government’s secrets to hold. This is old-fashioned shoe-leather cop work, knocking on doors, eyeballing people who say they knew the applicant, turning the skepticism meter up to 11.

Things like an old college roommate who moved back home to Tehran, or that weird uncle who still holds a foreign passport, will be of interest. Some history of gambling, drug or alcohol misuse? Infidelity? A tendency to not get along with bosses? Significant debt? Anything at all hidden among those skeletons in the closet?

The probe is looking for vulnerabilities, pure and simple. That’s the scary “why this matters” part of the China-based hack into American government personnel files.

U.S. spy agencies, like every spy agency, know people can be manipulated and compromised by their vulnerabilities. If someone applying for a federal position has too many of them, or even one of particular sensitivity, she or he may be too risky to expose to classified information.

That’s because, unlike almost everything you see in the movies, the most important intelligence work is still conducted the same way it has been since the beginning of time. Identify a person with access to the information needed, learn everything you can about her, then get close to her. Was she on her college tennis team? Funny thing, the spy who’s wooing her likes tennis, too! Information like that is very likely in the files taken from the Office of Personnel Management.

Specifically, a hostile intelligence agency is looking for a target’s vulnerabilities. They then use that information to approach the targeted person with a pitch — give us what we want in return for something you want.

For example, if you learn a military intelligence officer has money problems and a daughter turning college age, the pitch could be money for secrets. A recent divorce? Perhaps some female companionship is desired, or maybe nothing more than a sympathetic new foreign friend to have a few friendly beers with, and really talk over problems.

That kind of information is very likely in the files taken from the Office of Personnel Management. The more tailored the approach a foreign agent can make, the more likely the chance of success.

Unlike in the movies, blackmail is a last resort. Those same vulnerabilities that dictate the pitch are, of course, ripe fodder for blackmail. (“Tell us the location of the code room or we’ll show these photos of your new female friend to the press.”) In real life, however, a blackmailed person will try whatever she or he can to get out of the trap. Guilt overwhelms and confession is good for the soul.

A friendly approach based on mutual interests and goals (Your handler is a nice guy, with a family you’ve met. You golf together. You need money, they “loan” you money. You gossip about work, they like the details.) has the potential to last for many productive years of cooperative espionage.

So much of what a foreign intelligence service needs to know to create those relationships and identify those vulnerabilities is in the hacked files, neatly typed and in alphabetical order. Never mind the huff and puff you’ll be hearing about identity theft, phishing and credit reports.

National security is why this hack is a big, big deal.

8 comments

Is there any possible reason why this information wouldn’t be stored in an encrypted format?

Who the hell is running this operation?

Posted by EndlessIke

Thank you. I feel so much better now.

Posted by jantsch

Most likely, in my opinion, a foreign government would find someone to help with obtaining a scholarship rather than pay directly. And, would not make a direct deal for information but use the “personal information” which with today’s technologies is extensive, which grocery store preferred (groceries and a bottle of wine, [2 liters]?), Friday visit to Starbucks in the morning, cash spent on gambling so the wife does not know, and that sort of stuff, bank records showing every dime spent using ATM with the times the purchase made. Insurance companies already gather this type information when defending large claims. Even assisting putting drugs like ecstasy in food and videoing the results to the embarrassment of the subject. [Try going to the police about that one!] Yep, holy sh@#! They are out there and looking for a way, indirectly to obtain your information to get government information!

Posted by ThomasShaf

In a way, citizenship in a country is like being a shareholder in a corporation, owning one share. (By the way, the price of a share of Berkshire Hathaway Inc. today is $211,795.56, by the way.)

As a citizen, I have one share in America. But because both parties refuse to defend America’s borders, dropping the gates, allowing unfettered immigration, my one share has become irretrievably diluted.

When our own president has done so much to destroy us, why should American citizens worry about the Chinese hackers?

Posted by AdamSmith

Or maybe, just maybe we let the Chinese have data that looks like the real deal but fake enough to be traceable back to the source? Naaaaa…

Posted by BadChicken

SPYING SHOULD BE LEGAL

Everyone spies all the time including our government on its own citizens, so why not just acknowledge that we like to know and so do others, period? As someone with a Top Secret Clearance before retiring I can tell you that the Chinese have several centuries of sifting through these files before finding anything the least bit interesting. I realize China is an old civilization and considers time to be on its side but still. Let’s relax. If the USg spent more time trying to understand foreign cultures by learning their language, reading their newspapers and otherwise being less insular instead of chasing spies we would all be better off and spying once legalized would become a minor activity.

Identity theft is the biggest worry in all this not spy type intelligence. On this latter we should look for a deal with all international partners to police cyber crime. This too would be much easier if the crimes were limited to things like identity theft and disruption of service among other things and not the stealing of secrets that everyone knows.

Posted by St.Juste

There are not enough Federal employees awake at their desk to be a risk to anyone. The bigger risk is that foreigners create fake employees who will get paid without anyone in the States noticing. That already happens without hacking…

Posted by neelsn