As suspected or feared, the foreign hacking of U.S. government personnel data is far more expansive — and devastating — than originally admitted. This, no doubt, is why U.S. Rep. Michael McCaul, R-Texas, called it “the most significant breach of federal networks in U.S. history.”
Initially estimated at affecting 4 million current or former government workers, the damage could be up to 14 million or more — including military and intelligence employees.
That shifted the comparison from annoying private-sector hacks like a Target or Home Depot to something that could endanger lives. …
What this hack apparently exposed was virtually every Standard Form 86 filled out by current and former government employees.
This 127-page form demands an applicant’s personal information, as well as details of relations, friends and current and former professional contacts.
Losing control of this information is potentially far more devastating than a stolen Social Security number, although millions of those are now in foreign hands, too.
It takes little imagination to see Chinese hackers using such breached data to track down relatives of U.S. officials abroad or scraping up evidence of love affairs or drug abuse that could be used to blackmail Americans in the field or possibly reveal covert operatives.
Officially, China has denied involvement.
“The potential loss here is truly staggering and, by the way, these records are a legitimate foreign intelligence target,” said retired Gen. Michael Hayden, a former CIA and NSA director. “This isn’t shame on China. This is shame on us.”
Indeed, the government was told of Office of Personnel Management’s systemic vulnerability eight years ago and apparently did little about it. According to an Ars Technica report, OPM had no IT staff until 2013.
It also had little idea about the scale of the data on its servers or how it was organized. Malware injected onto its network probably did its dirty work for a year or longer and reportedly was discovered only by chance during a product demonstration.
Some critics have labeled the hack as America’s cyber Pearl Harbor, and parallels to pre-Dec. 7, 1941, complacency are daunting.
What’s stolen is lost — and will endanger U.S. personnel for years — but the government must use this massive failure as a guide to better allocate resources and target security spending. Cyber-threats like this one will only intensify; so, too, must U.S. defenses.