Fight the hysteria about the hack of OPM’s files. It’s probably not a big threat.

Summary:  We’re told the OPM hack will have horrific consequences for America. Just as we have been told so many times since WWII, almost always falsely. I expect this too will prove to be a wet firecracker. Here are the reasons why, obvious things few journalists have told you. {1st of 2 posts today.}

China cyberattack
Know fear, America, that you might be easily ruled. Graphic from Third Certainty.

Contents

  1. OPM, our latest bout of hysteria
  2. An alternative forecast
  3. Why so much hysteria so often?
  4. Other posts about the OPM hack
  5. For More Information

(1)  OPM, our latest bout of hysteria

We were confidently told that the revelations of Private Chelsea Manning would cause countless deaths of American soldiers (example). But they never materialized. US authorities confidently predicted even more horrendous results from Edward Snowden‘s revelations. Again, nothing big happened (unfortunately, that “nothing big” includes reforms of the NSA). These are just the most recent in the long list of scary stories the government has told us since WWII.

The latest nighttime story concerns the hack of the Office of Personnel Management database (see the posts at the end for details). A wide range of information has been stolen on tens of millions of Americans, as the OPM announced on July 9

Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints.

What could someone do with this treasure trove? Anonymous government officials, private experts, and amateurs have let their imaginations run wild. Both Left and Right go wild, predicting horrific results. See how fear-mongering brings America together. Here’s my favorite, from Naked Capitalism on July 27.

“I believe [the Office of Personnel Management hack was an] infobomb has done catastrophic damage to US security.  How?  Big data + bots (made smarter via AI) will be able to turn this data into a decisive instrument of warfare” [Global Guerillas]. “[W]ant that guy on the button to stand down? Call him up with a threat to his family.”

It’s a decisive weapon of warfare! Circle July 27 on your calendar and count the days until Armageddon. It’s something to pass the days waiting for attacks by ISIS from their secret base in Mexico (perhaps they’re waiting to attack after the Ebola epidemic weakens us).

"Hacking of America" on NBC News
Fear-mongering on NBC News.

(2)  A different prediction

My guess is that on this day next year we’ll add the OPM hack to the list of hysteria outbreaks in America which had little or no serious results. There are some good reasons to expect this outcome.

(a)  For most of us this information has probably already been stolen; for many of us it has been stolen several times. The New York Times provides a calculator of exposure to some recent data breaches: How Many Times Has Your Personal Information Been Exposed to Hackers? How has this affected you? Probably not at all. How have all these thefts affected corporate America? Minimally.

Stealing millions of people’s basic information is easy for experts, but the swag has little value. Identify theft is complex, and cannot be scaled to hit thousands or millions of people.

(b)  Some of this information could be used for blackmail. However jobs and security clearances are not at risk since the information is from the government’s personnel files. How many people will commit treason to keep this information from their family? Or, if the family already knows it, keep it from the public?

(c)  Each attempt at blackmail increases the risk of exposure for the agents involved and for the guilty organization or nation. Proving the source of a cybertheft done by professionals is difficult or impossible (see these posts by several experts), despite the confident claims by US officials. Catching someone using the information is easier. The perpetrators should expect a fast and painful US response if the potential blackmail victim calls the FBI. What could China get that’s worth the disruption of trade to their largest customer?

Update: Cyber-security expert Marcus Ranum confirms this analysis, with more detail, In the comment section below.

Fear dark, use light

(3)  Why so much hysteria so often?

The easy answer: feeding our fears to the point of hysteria pays. It’s the best clickbait for the media (desperate for clicks in a world with so much excess content). It’s the most effective way to influence American public opinion.

For a deeper insight ask why we respond so strongly to fear, even when based on lies. I believe our future depends on our ability to more clearly see the world, to remember those who have proven wrong in the past, and especially to gain some skepticism about what we’re told.

(4)  Other posts about the OPM hack

 

Learn

(5)  For More Information

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about cybersecurity and cyberwar, about our many fears, and especially these about bouts of hysteria in America…

To learn more about this vital subject, here are some useful sources…

5 thoughts on “Fight the hysteria about the hack of OPM’s files. It’s probably not a big threat.

  1. I think you’re right; nothing will happen.

    The biggest threat I can see from it is that it might confirm data that, presumably, any reasonably competent intelligence service would already have. That’s valuable but of relatively little value. So, taking the OPM data one could infer a lot about staffing levels in the various branches of the intelligence community and sketch out an org chart based on pay grades and numbers of staff at various grades. That’s hardly apocalyptic. And it’s something that could be inferred by observing cell phone traffic in the vicinity of Starbucks’ near many of those agencies – and then some; I’d be surprised if foreign intelligence agencies haven’t got their own equivalent of a “stinger” and their own equivalent of an open source intelligence collection program. All the collections from which could be easily confirmed by an insider or two.

    Turning from “what is valuable to an adversary” to “what is valuable in general” we can learn a fair bit from this. We can learn that US Government agencies remain completely incompetent at cybersecurity. We can learn that the strategic mistake of out-sourcing technology management to civilian contractors is a significant blunder. It’s good for the profiteers who arranged it, but it’s terrible because it has resulted in a cataclysmic brain-drain to the private sector. Let me be clear about this: not understanding that information about classification and job posting was in OPM files is a “newbie” mistake; it’s failure to understand transitive trust. It’s the kind of thing that (if NSA wasn’t spending all their time hacking the rest of the world) NSA would be expected to be going around teaching federal agencies not to do. It is EXACTLY why I have said before that “the best defense is a strong defense” – while the NSA has been out throwing stones, the rest of the federal government has been cheerfully building glass houses.

    So, who can learn from this?? The Chinese: little. The US: a lot. But that’s not going to happen. Because the finger-pointing to make the problem the wicked Chinese will conceal the fact that federal IT is incompetent. Never believe in a conspiracy when a plausible explanation is a cover-up to conceal incompetence.

    1. Marcus,

      Thank you for that evaluation from a cyber-security expert’s perspective.

      More broadly, most intel is of little value. Intel agencies tend to be like squirrels collecting nut-like objects, few of which are of any use — but the shiny ones are prized even if uneatable.

    2. More broadly, most intel is of little value. Intel agencies tend to be like squirrels collecting nut-like objects, few of which are of any use

      Well, that’s a crucial point everyone in Washington wants to ignore: in order to use intelligence effectively, you need the political or military top-cover to make it valuable, and you need a strategic objective that is advanced through its use.

      I’ve been trying to point out why “cyberwar” is so much B.S., for that reason, for over a decade: if you are able to collapse someone’s website, or even their entire economy, so what? You have to be able to survive the repercussions and exploit the weakness. Do the morons in Washington think that China is going to attack the US? Well, they probably do because that’s the culture of paranoia and fear in Fantasy Kingdom on the Potomac.

      But the Chinese are rational enough to know that they have their own problems, and their economic interests are largely aligned with the US’. All this bellicose B.S. is probably fairly puzzling since it leads nowhere, improves no position, does not defend or attack, and is apparently little more than screaming “I am weak and stupid!” to the world at large.

  2. I appreciate your article and skepticism, but I suspect you don’t understand or remember how the financial system works. Athentication to banks is based on the very same information that was hacked. This means that anyone with that information could impersonate government officials and quite possible clean out their bank accounts, even if bit by bit.

    This kind of fraud is known as identity theft and has been hailed as high risk for a long time. Not sure on stats, but my bet is that its quite serious. Even if exaggerated by fear mongerours.

    1. Juan,

      You are mistaken on several levels.

      After 37 years in the financial industry I’ve sent and received thousands of wire transfers, some in the tens of millions of dollars. Modern authentication systems assume full knowledge of the target’s personal information. I’ve seen cases where the criminals have hacked the victims emails so as to imitate the style of their communications and reference specific information from them — along with very convincing cover stories (“I’m traveling in Europe and lost my money, and desperately need $XXX right now.”). I know 2 senior people fired immediately for believing such stories.

      Anybody relying on the kind of information hacked from OPM to authentic large outgoing money transfers has long been out of business. We no longer even rely on written instructions as verification, as they are too easily faked.

Leave a Reply