war on the rocks

The 9 Scariest Things That China Could Do with the OPM Security Clearance Data

July 2, 2015

The theft of the SF-86 security clearance records of millions of current, former, and prospective U.S. government employees and contractors from the Office of Personnel Management (OPM) probably has the Chinese government doing a happy dance. This data breach may affect up to 6 percent of the entire U.S. population. What use can the data be to China? Here are nine things that can now be done on an industrial scale.

1. Identify undercover officers. It is unclear if Chinese intelligence could have gained access to information about intelligence agency personnel through OPM. It may not matter much. Some particularly security-conscious agencies do not process their clearances through OPM, but with a complete list of people whom the OPM has investigated, it is child’s play to identify people who work for those particularly interesting agencies. If the Chinese Ministry of State Security wants to know whether Jane Doe is a CIA officer, it can check whether she shows up in the OPM data. If not, she probably is. This is precisely why the State Department stopped publishing its Biographic Register of Foreign Service Officers in 1974.

2. Neutralize U.S. government officials. If China finds itself vexed by a particularly effective or vocal anti-Chinese policy official, or a particularly aggressive intelligence officer, it could “neutralize” that person by framing him or her for some form of malfeasance that would cost a security clearance or a Senate confirmation. Things like this really happen. Remember when somebody framed Senator Robert Menendez for sexual improprieties? It almost got him arrested by the FBI. A deception operation always works best if it plays to something that the target already suspects. Hence, China could use the SF-86 data to find the weakest point of a clearance holder — be it money, psychological issues, sex or something else — the one that U.S. security officials would already be most worried about, and then structure their framing around that weakness.

3. Threaten overseas family members. China could use the SF-86s to identify any relatives of cleared Americans who live abroad. They could then threaten those relatives with harm unless the American cooperates. Alternately, China could share selected SF-86 data with other countries so that those countries could harass clearance holders who work there.

4. Harass clearance holders or their families in the United States. Are you a Chinese-American clearance holder in the United States? Chinese intelligence can make your life miserable right here in America. Operations like this are old hat for the Chinese government. For years, it has intimidated Chinese citizens, in both the United States and Australia, whom it identified as members of Falun Gong, as Tibetan activists, or simply as too pro-democracy in their inclinations.

5. Wire you for sound. Now that China knows where you live, its operatives can bug your house just like the KGB did to the chief of the CIA’s Afghan Group in season 3 of The Americans. Think that’s implausible? Russia managed to bug a conference room inside the secured State Department sixteen years ago. China should be able to do the same thing to your relatively unsecured home.

6. Figure out exactly what it takes to get a security clearance. China could do a statistical study of the SF-86s to find out what peccadilloes, degree of foreign contacts, or extent of debt applicants can have and still get clearances. This would be useful information to Chinese intelligence in its efforts to penetrate the U.S. government by recruiting young people like American student Glenn Shriver even before they have clearances.

7. Publish the data. If China wanted to go this route, it would probably do it through a cutout. The Chinese government could do this either as one big data dump or by publishing a selected list of people they sought to discredit by naming them as CIA or other undercover officers even if they were not actually such. This has happened in the past. In the late 1960s the East German Stasi sponsored the publication of a book called Who’s Who in the CIA. Most of the 3000 people named in the book did not work for the agency, though some did, such as Richard Welch, who was murdered in Athens several years later.

8. Guess passwords. Did your password incorporate your birthdate? The name of your home town? Your wife’s middle name? Congratulations, the Chinese intelligence service now knows those things thanks to the OPM hack. A simple algorithm can generate a password dictionary with decent odds of getting into your system.

9. Spear phish. China now has lots of data to make spear phishing possible. Why wouldn’t you click on the link apparently sent by your mother Edna Jones about the 4th of July parade in downtown Dubuque, where you grew up? If you do, however, you could lose control of your computer. That could be disastrous. Maybe you wrote some notes on your computer for your big briefing at work tomorrow. Or you mentioned your upcoming deployment in an email. Or maybe the Chinese retrieved copies of your love notes to your mistress. Now they have potential blackmail material. Or maybe they scarfed up the password to your online banking account. Now they can steal your money and swoop in to recruit you in your time of financial crisis. Or, if they get you on your unclassified work computer, you’ve got even bigger problems. Ask Sony how they feel about spear phishing.

 

Photo credit: Jeroen Bennink (adapted by WOTR)