The 9 Scariest Things That China Could Do with the OPM Security Clearance Data

The theft of the SF-86 security clearance records of millions of current, former, and prospective U.S. government employees and contractors from the Office of Personnel Management (OPM) probably has the Chinese government doing a happy dance. This data breach may affect up to 6 percent of the entire U.S. population. What use can the data be to China? Here are nine things that can now be done on an industrial scale.
1. Identify undercover officers. It is unclear if Chinese intelligence could have gained access to information about intelligence agency personnel through OPM. It may not matter much. Some particularly security-conscious agencies do not process their clearances through OPM, but with a complete list of people whom the OPM has investigated, it is child’s play to identify people who work for those particularly interesting agencies. If the Chinese Ministry of State Security wants to know whether Jane Doe is a CIA officer, it can check whether she shows up in the OPM data. If not, she probably is. This is precisely why the State Department stopped publishing its Biographic Register of Foreign Service Officers in 1974.
2. Neutralize U.S. government officials. If China finds itself vexed by a particularly effective or vocal anti-Chinese policy official, or a particularly aggressive intelligence officer, it could “neutralize” that person by framing him or her for some form of malfeasance that would cost a security clearance or a Senate confirmation. Things like this really happen. Remember when somebody framed Senator Robert Menendez for sexual improprieties? It almost got him arrested by the FBI. A deception operation always works best if it plays to something that the target already suspects. Hence, China could use the SF-86 data to find the weakest point of a clearance holder — be it money, psychological issues, sex or something else — the one that U.S. security officials would already be most worried about, and then structure their framing around that weakness.
3. Threaten overseas family members. China could use the SF-86s to identify any relatives of cleared Americans who live abroad. They could then threaten those relatives with harm unless the American cooperates. Alternately, China could share selected SF-86 data with other countries so that those countries could harass clearance holders who work there.
4. Harass clearance holders or their families in the United States. Are you a Chinese-American clearance holder in the United States? Chinese intelligence can make your life miserable right here in America. Operations like this are old hat for the Chinese government. For years, it has intimidated Chinese citizens, in both the United States and Australia, whom it identified as members of Falun Gong, as Tibetan activists, or simply as too pro-democracy in their inclinations.
5. Wire you for sound. Now that China knows where you live, its operatives can bug your house just like the KGB did to the chief of the CIA’s Afghan Group in season 3 of The Americans. Think that’s implausible? Russia managed to bug a conference room inside the secured State Department sixteen years ago. China should be able to do the same thing to your relatively unsecured home.
6. Figure out exactly what it takes to get a security clearance. China could do a statistical study of the SF-86s to find out what peccadilloes, degree of foreign contacts, or extent of debt applicants can have and still get clearances. This would be useful information to Chinese intelligence in its efforts to penetrate the U.S. government by recruiting young people like American student Glenn Shriver even before they have clearances.
7. Publish the data. If China wanted to go this route, it would probably do it through a cutout. The Chinese government could do this either as one big data dump or by publishing a selected list of people they sought to discredit by naming them as CIA or other undercover officers even if they were not actually such. This has happened in the past. In the late 1960s the East German Stasi sponsored the publication of a book called Who’s Who in the CIA. Most of the 3000 people named in the book did not work for the agency, though some did, such as Richard Welch, who was murdered in Athens several years later.
8. Guess passwords. Did your password incorporate your birthdate? The name of your home town? Your wife’s middle name? Congratulations, the Chinese intelligence service now knows those things thanks to the OPM hack. A simple algorithm can generate a password dictionary with decent odds of getting into your system.
9. Spear phish. China now has lots of data to make spear phishing possible. Why wouldn’t you click on the link apparently sent by your mother Edna Jones about the 4th of July parade in downtown Dubuque, where you grew up? If you do, however, you could lose control of your computer. That could be disastrous. Maybe you wrote some notes on your computer for your big briefing at work tomorrow. Or you mentioned your upcoming deployment in an email. Or maybe the Chinese retrieved copies of your love notes to your mistress. Now they have potential blackmail material. Or maybe they scarfed up the password to your online banking account. Now they can steal your money and swoop in to recruit you in your time of financial crisis. Or, if they get you on your unclassified work computer, you’ve got even bigger problems. Ask Sony how they feel about spear phishing.
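A defender-side check for item 8, added here as an illustration and not part of the original article: it screens a candidate password against the user's own biographical data, so that values of the kind recorded on a background form are rejected when a password is set. The profile fields, function names, and sample values are constructed for the example.

```python
import re
from datetime import date

# Common character substitutions undone before matching ("3dn4" -> "edna").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def personal_tokens(profile):
    """Split a profile into word fragments and date digit strings to forbid."""
    words, digits = set(), set()
    for value in profile.values():
        if isinstance(value, date):
            y = f"{value.year:04d}"
            m, d = f"{value.month:02d}", f"{value.day:02d}"
            # Year alone, month/day in both orders, and full dates in common layouts.
            digits.update({y, m + d, d + m, m + d + y[2:], d + m + y[2:],
                           m + d + y, d + m + y, y + m + d})
        else:
            # Keep fragments of 4+ letters to limit accidental matches.
            words.update(w for w in re.split(r"[^a-z]+", str(value).lower())
                         if len(w) >= 4)
    return words, digits

def screen_password(password, profile):
    """Return the sorted personal tokens found in the password (empty list = pass)."""
    words, digits = personal_tokens(profile)
    raw = password.lower()
    deleet = raw.translate(LEET)            # letters recovered from substitutions
    raw_digits = re.sub(r"\D", "", raw)     # "07/04/1980" -> "07041980"
    hits = {w for w in words if w in raw or w in deleet}
    hits |= {t for t in digits if t in raw_digits}
    return sorted(hits)

# Constructed sample profile; the names echo the article's own illustration.
SAMPLE_PROFILE = {
    "mother_name": "Edna Jones",
    "hometown": "Dubuque",
    "spouse_middle_name": "Marie",
    "birthdate": date(1980, 7, 4),
}

if __name__ == "__main__":
    for candidate in ("Dubuque0704!", "3dn4_J0n3s", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, SAMPLE_PROFILE) or "ok")
```

A non-empty result means the password should be refused; the check complements, rather than replaces, screening against known-breached password lists.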
Photo credit: Jeroen Bennink (adapted by WOTR)


#10 – Start dumping personal information from the OPM into the dark web for identity thieves to use, so that people are distracted from their jobs as they try to repair their credit history.
10 (a). Muddy the waters to hide nefarious and questionable financial activity for current clearance holders who are currently working for PRC FIS.
As one of the select 6% of the US population affected by the data breach, I can tell you personally that they already have started #9.
Mind telling us what that’s all about?
The U.S. should be less focused on what the Chinese took from the OPM database than on what false identities with clearance approvals were inserted into the OPM databases.
The Chinese could have, and should have, inserted their agents with fully vetted backgrounds and security clearance approvals into the OPM databases, so that their agents can receive classified positions in US government sensitive positions.
We’d never find them. How about positions with “Q” level clearances in the department of Energy? How about access to pipeline management and maintenance positions with the Department of Transportation. How about very sensitive positions within the banking systems of the country.
Better yet, how about filling positions within the Office of Personnel Management, with vetted ChiCom assets…. then
ALL future classified hires can be managed by foreign agents… no matter what changes are made to the systems.
The lists are endless……………..
David: Great point. Didn’t think of that before. The Chinese could have indeed entered people into the database and no one would be the wiser. That’s really scary.
I’m with Travis, far more fun to create suspicious history for us that we didn’t participate in, then let our own various investigative services find it.
Not much Lifelock is going to do to prevent any of this.
The Title is misleading, as far as I understand, the hack only concerns civilian gov employees, i.e. not military and therefore not everyone who ever had a clearance. Number 8: CIA keeps records separately and are not concerned by the hack.
From the OPM website
“Through the course of the ongoing investigation into the cyber intrusion that compromised personnel records of current and former Federal employees announced on June 4, OPM has recently discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted.”
If they hacked in to EQuip….the DoD and contractors use that as well, not just civil service
So I wouldn’t assume everyone wasn’t impacted by this
Thanks for the clarification, what about the Agency?