Imagining a Cyber Surprise: How Might China Use Stolen OPM Records to Target Trust?

 Editor’s Note: This is the fourth installment in “Off Guard,” a series on surprise in war inspired by a new CSIS study. Read the rest of the series here.

 “What is the quickest way you can destroy an organization?… Mistrust and discord.”
-Col. John Boyd

The cyber attack — both real and imagined — has come a long way since Matthew Broderick nearly caused World War III with a 1200 bit-per-second modem and rotary phone in 1983. In the fictional realm, Broderick’s duel with the War Operation Plan Response computer has given way to the infrastructure fire sale from Live Free or Die Hard and, most recently, the multi-layered sabotage of everything from GPS to stealth fighters in Ghost Fleet. The real world has seen cyber surprises only a step removed from fantasy, with various actors disrupting civil networks and infrastructure, subverting military research projects, and using cyber salvos as a complement to physical military activity.

However, even as authors, screenwriters, and policymakers grapple with the potential fallout from cyber vulnerabilities in the physical realm — the blinding of sensors, degradation of communications networks, or deliberate infrastructure malfunctions — modern cyber attacks are increasingly aiming at the adversary’s less tangible mental and moral capabilities. The starkest example of this was Russia’s interference in the 2016 American presidential election, which significantly damaged those intangibles — faith in social and traditional media, transparency in political campaigning, even confidence in the integrity of the election results themselves — that will take a long time to repair.

I had this in mind, along with Boyd’s words about the best way to destroy an organization, when Mark Cancian invited me to participate in the Center for Strategic and International Studies’ “Coping With Surprise” working group. I decided to explore the impact of a hypothetical “trust attack” directed against Defense Department personnel as the opening salvo to conventional military operations. The recent past shows this type of cyber strike is possible; indeed, it’s a small miracle it hasn’t happened yet. While the federal government has a general framework in the National Cyber Incident Response Plan, the Defense Department’s cyber strategy remains a dangerously ad hoc patchwork of training and processes. This patchwork needs to be unified under a coherent and rapidly executable response framework that could be tailored down to the small-unit level, ensuring the resilience of American servicemembers against attacks targeting the most intimate aspects of their lives.

Envisioning a Chinese Trust Attack

My vignette — entitled “Assassin’s Mace” — is appended to Cancian’s final report. I sought to envision how China might seek to follow up on its 2015 hack of the U.S. Office of Personnel Management (OPM) database. By the time OPM security engineers detected the intrusion, hackers had enjoyed access to the OPM records — including millions of background checks, personnel files, and digital fingerprints — for almost a year. The OPM hack was by no means the first large-scale breach of a protected database, but it was unique in two aspects. First, these records contain by far the most detailed personal information yet accessed by a cyber intruder. Second, the hackers have not yet attempted traditional data exploitation by ransoming it back to the agency or selling it to third parties. These facts suggest the hackers have plans for the data beyond a quick payday. A widespread trust attack on Defense Department personnel would be one of the few things that could justify sitting on a goldmine of exploitable data. Moreover, knowing it could only exploit this information for so long before American countermeasures came into the play, I thought the Chinese government would want to “go big”: attack as many targets as possible at once, generate maximum confusion, and then use that window of confusion to quickly achieve goals it otherwise could not with a smaller attack.

My imagined Chinese cyber attack used the sensitive and detailed OPM records not to disrupt or degrade American military or intelligence systems, but rather to spread fear, mistrust, and discord among the men and women in uniform who operate those systems. During such a strike, hackers would lock out medical records, wipe away financial information, manipulate social media, and spread lies and half-truths about personal misconduct.

How might China shape such an attack? First, it’s difficult to understate the value of the records China stole. Background investigations; personnel files; digital fingerprint images; former addresses; phone numbers; Social Security numbers; lists of family members, dependents, and friends: these are all nuggets of unique information — and in fact, frequently the answer to security questions — that a motivated attacker could turn into keys unlocking virtually any digital account owned by the targeted individual or group. An intruder seeking to impersonate another person could not ask for a more comprehensive data set.

Second, a concerted attack exploiting OPM data would avoid patterns making it obvious an attack was happening. My vignette incorporated many variations. Navy sailors at a strategic port in Japan would find their families’ bank accounts emptied. Others received death threats on their Twitter feeds, with hackers adding further confusion by posing as third parties. I even imagined military spouses having intimate photos blasted across social media (and this was before the latest revelation of military-sourced revenge porn). One man using a phishing scheme managed to hack the login credentials of 250 celebrities to access their most intimate photos. A dedicated team of cyber intruders with the wealth of OPM records at their fingertips would find their phishing expeditions much simpler, and would be able to harm people somewhat more vital to national security.

An attacker could wreak further havoc by locking out digital medical records with ransomware, as North Korea allegedly did in the WannaCry episode last year. That intrusion alone cancelled surgical operations and delayed appointments across the entirety of Britain’s National Health Service. Medical hackers could also steal private records and threaten to sell the material on the dark web. A few well-publicized penetrations of personal devices belonging to senior officials — such as the hack of John Kelly’s cell phone — could spread further fear.

These efforts would strike at the individual level. But as Boyd said, the overall goal is destroying the cohesion of the organization. Thus, an attacker could combine individual confusion with the undermining of key trusted leadership. The best way to do this is to mix lies with the truth. Unfortunately, scandals like Marines United, “Fat Leonard,” and other harassment claims have already sown mistrust in the public mind and amongst the ranks. It’s entirely possible to envision China’s Strategic Support Force using personal information from OPM records to gain access to the accounts of senior leaders and hijacking them to plant and spread incriminating material.

An adept cyber competitor might also seek to weaken America’s alliances. My vignette described the viral dissemination of a YouTube video showing American servicemembers stationed on Okinawa sexually assaulting local citizens. Uniformed Americans have a dark history of sexual misconduct on the island, and the U.S military presence there is fraught with other tensions. Using bots, trolls, voice clones, artificial intelligence, and generative adversarial networks, China could create fake videos to turn the Okinawan population and Japanese government against America. Again, exploiting personal information from OPM records, it does not strain credulity to imagine Chinese hackers accessing a servicemember’s YouTube account, posting an explosive video, and then letting mistrust and confusion poison the relationship. Investigators would doubtless discover the truth eventually; but the point of such an attack, when combined with myriad other cyber strikes, is simply to sow enough mistrust and discord that the organization’s focus turns inward to deal with its own internal friction. In my vignette, the cyber attack on Defense Department personnel would disrupt their personal lives, poison command relationships, and corrupt key alliances to keep them from responding effectively to the opening moves of Chinese conventional operations in the South Pacific.

The attack would undermine individual and organizational morale to the point that the entire Defense Department would be obligated to take an “operational pause” to sort out fact from fiction and let servicemembers get their lives back in order. In the past, when facing a sufficiently severe problem, defense leaders have implemented wide-reaching pauses. Individual commands also often execute stand downs to address critical non-operational problems, like sexual assault or substance abuse. Even if Defense Department leaders did not execute a formal operational pause, the functional effect would be the same: Individuals and units would turn their focus inward to deal with the myriad crises caused by simultaneous widespread cyber attacks.

China would exploit the formal pause or general distraction to flood the South China Sea with conventional forces and pursue long-held national goals, be that securing economic supremacy across southeast Asia’s waterways or isolating Taiwan. A surprise cyber attack targeting the personal lives of American servicemembers would enjoy the dual benefit of not requiring detectable physical preparations, and making moot the question of how effective China’s anti-access/area denial and anti-stealth capabilities really are in combat. Even just a few days of confusion would be enough for conventional Chinese forces to radically alter the balance of power in the South Pacific.

Cyber penetrations are rarely permanent. Over time, experts usually find them and can often trace them with confidence to a particular group or country. Rebooting, wiping, or replacing corrupted hardware is fairly straightforward. Cohesion, morale, and fighting spirit, on the other hand, cannot be rebooted or grabbed off the shelf. A pervasive surprise cyber strike targeting those things closest to home for servicemembers could, without firing a single bullet, have a devastating impact on the American military’s ability to rapidly deploy, while generating lingering fear and mistrust even after counter-cyber efforts revealed the truth.

Not Just a Hypothetical

There are historical precedents for a widespread cyber attack used either to significantly disrupt an adversary’s government as a goal in and of itself, or as a prelude to military action. Russia preceded its invasions of Georgia, Crimea, and Ukraine with a variety of cyber operations. Aside from OPM, adversarial hackers have breached other American government agencies like the National Security Agency and State Department. And the National Health Service attack in Britain demonstrated how hostile organizations can exploit personal information — in this case, medical records. The aforementioned hypotheticals differ only in degree from capabilities attackers already have. And the Chinese government, in its purloined OPM data, enjoys an access key that other entities, like Russia, did not.

I used the OPM hack as my starting point, but Russia’s activities in the 2016 election provided a practical frame of reference. That attack targeted trust and other intangibles like faith in the U.S. political system. Russian operatives directed their attack against a few target sets — social media channels, a political party’s computer systems — and executed it with comparatively modest resources.

Yet Russia’s trust attack did not fully exploit this method’s potential. First, Russia seemed satisfied with spreading confusion and mistrust where it could get easy access, like social media and badly protected private networks. Russian hackers did not penetrate more hardened networks in the financial or defense sectors, possibly because they did not see the need, but more likely because they didn’t have an exploitable access point. Second, Russia did not treat the confusion achieved in the United States as an opportunity to pursue national objectives that required a direct confrontation with America. Russia spread confusion and mistrust as apparent ends in themselves, as noted in the official Intelligence Community Assessment: “Russia’s goals were to undermine public faith in the US democratic process … [to] apply lessons learned … to future influence efforts worldwide, including against US allies and their election processes.”

China, on the other hand, has both the opportunity and need for a maximized trust attack. The opportunity lies in possessing exploitable information that Russia lacked: the OPM database. Its need stems from the fact that any robust pursuit of national objectives in the South China Sea and against Taiwan would put it in direct conflict with American interests. While China has generally eschewed direct confrontation in recent years, we should not dismiss the possibility that China’s leaders might think they could come out ahead in a direct confrontation in their virtual backyard, especially in the wake of a debilitating trust attack against the American military.

Defending Against an Attack on Trust

How can America defend its military personnel against a determined cyber attack? Several measures are already either in place or on the way. The Pentagon’s recent elevation of Cyber Command to combatant command status shows it understands the fundamental need for a dedicated force on this battlefield. However, there is less consensus on what that force should look like. I’d argue this is not an area where the perfect should be made the enemy of the good. Whether cyber warriors are blue-haired civilians, Special Operations Command operators with doctorates in cyber security, or a mix of the two, America’s cyber force needs to be fighting on the virtual battlefield today.

Strategists have identified a growing need for a theory of cyber deterrence on the model of conventional and nuclear deterrence. Some have even suggested borrowing a system implemented in Estonia that essentially crowdsources cyber defense efforts among volunteers.

In their piece on trust attacks, Neal Pollard, Adam Segal, and Matthew Devost argued the United States needed to lead the way in developing protocols for protecting the integrity and trustworthiness of critical information systems. Such recommendations, along with the others listed above, are well and good. However, these measures will be inadequate in the absence of a unifying, DoD-specific framework, practical enough that subordinate units can derive their own cyber defense blueprints. What we need, in short, is a cyber mishap plan.

Mishap plans are familiar to any military aviator. Higher headquarters lay out a general mishap response framework for what immediate actions a unit should take once it determines a mishap has occurred. Subordinate units then tailor those plans to their unique operational circumstances. Units train their members on what actions they must take immediately to first keep the mishap from getting any worse, followed by steps to help the unit bounce back and return to normal operations as quickly as possible. The ready-made mishap plan ensures the squadron’s resiliency should the worst occur.

Yet the Defense Department does not currently offer any specific guidance to help units develop their own cyber mishap plans. Its last cyber strategy document came out in April 2015, before OPM disclosed its breach. Three years later, we still await the Pentagon’s release of a new strategy. And in the interim, the Government Accountability Office found the department had failed to develop a plan to sufficiently support civil authorities in the case of a cyber attack, and to train its staff on effectively implementing their responsibilities under the National Cyber Incident Response Plan. At lower levels, the escapades of Jeff and Tina might be sufficient to train individual members, but they do little to build unit resiliency against a broad cyber attack. A mishap plan gives units the framework for planning and executing the training necessary to build cyber resiliency at the unit level. The Defense Department owes its members a broad-based cyber strategy and response plan, tailored to military members, from which units can develop their own cyber mishap plans.

China, Russia, and others have seen the turmoil generated by using social media and a handful of vulnerable private networks to spread organizational discord. Russia poisoned America’s discourse in a scattershot approach with minimal investment and, in the case of the Democratic National Committee’s email server, a lucky typo. But it did not enjoy the special access that could be gained from a protected personal database like OPM.

A good mishap plan lets its personnel rebound from surprise attacks and prepares them to counter conventional follow-up moves an adversary might attempt during the confusion. As Cancian noted in the final CSIS report, the United States is particularly vulnerable to the surprise attack today because many of its discussions about conflict display a disturbing hubris. “Senior officials,” Cancian notes, “have repeatedly made claims that the U.S. military is not just the best in the world but the best the world has ever known. As with Greek heroes of legend and literature, hubris can lead to downfall.” The American military might enjoy an unmatched level of funding and equipment, but it could all be rendered moot by a cyber attack that bypassed the military’s physical superiority to disrupt its moral capacity to fight. The American government has already experienced disruptive practice runs in the OPM hack and 2016 election; those may be the last warnings we get before an opponent tries the real thing.

Ian T. Brown is a U.S. Marine Corps CH-53E pilot. He has previously discussed the ideas of Col. John Boyd, maneuver warfare, and conflict theory in the Marine Corps Gazette, War on the Rocks, Strategy Bridge, and the Professional Military Education podcast. His forthcoming book from the Marine Corps University Press, A New Conception of War, is a reexamination of the development of maneuver warfare doctrine in the Marine Corps. The opinions expressed here are the author’s alone and do not reflect those of the U.S. Marine Corps, the Department of Defense, or any part of the U.S. Government.

Image: Xinhua