In the ever-escalating compendium of cyber incidents and intrusions, an enormous US government breach – perhaps the largest ever – came to light last week with news of a federal hack affecting “nearly every government agency.”
This incident, which exploited a zero-day vulnerability (a flaw in software unknown to the public), exposed and puts at risk the personal information of four million federal employees. Keep in mind, the Wall Street Journal has pointed out, that there are only 4.2 million federal workers in total.
Details of the breach are still emerging, but the hack has been traced to China – although it is not yet clear whether or to what extent the government of China was involved.
However, military officers in China are increasingly known to moonlight as cybersecurity consultants and hackers for hire when off the clock. At the same time, as a matter of strategy, countries are increasingly turning to proxies to do their bidding in order to provide plausible deniability in the event they get caught with their hands in the cookie jar.
First reports are not always accurate, though, and the wisest course is to permit the investigation and the forensics to play out. Further, even if attribution in the fullest sense of the term is established, that will not necessarily elucidate intent.
Was the hack state-sponsored or supported, or did the Chinese government simply turn a blind eye and allow the attack to occur?
Even if state involvement is ultimately not proven, the question of whether and to what extent the information finds its way into the hands of the Chinese security services will remain unresolved.
What is known is that the perpetrators are the same as those in the breach of health insurers Anthem and Premera Blue Cross, which affected 11 million and 80-plus million individuals respectively, according to the New York Times.
Of particular interest in the current case is whether sensitive data including social security numbers were encrypted.
Undoubtedly there will be plenty of time spent examining whether this data theft was the result of sub-par government practices. In this regard, it is not as if another wakeup call was needed. This was, after all, the fourth hack of US government employee information since March 2014.
On the other hand, US government officials are saying that ever-more breaches will come to light moving forward, due to increased US detection capabilities. And US authorities are also emphasizing the bright side of the present case, noting that at least the intrusion was detected.
On the perpetrator’s side of the equation, one wonders about the motivation. If in fact a state actor was involved here, it would seem a bit incongruous (at least at first glance) since the type of information pilfered is the sort that would generally be of greater interest to cybercriminals who seek to profit from identity theft.
The apparent inconsistency resolves itself quickly, however, if one conceives of the case as an exercise in espionage and in particular one of profiling – especially individuals holding security clearances.
Amassing personal information, including a diversity of details about medical and financial histories and performance evaluations, for example, could generate a genuine trove for foreign intelligence services and their proxies to use for their own ends in future — ends such as blackmail, spear-phishing and recruitment.
How to react?
To be clear, there is still much that we do not yet know, and it is crucial that hypothetical scenarios not be dressed up as fact.
Having said that, the possibility of a cyberattack with Chinese state involvement is a disconcerting one, and it should not be dismissed at this stage, especially given the value of the information compromised.
The diplomatic aspect of the incident is as fascinating as it is complex. US-China relations in the cyberdomain operate on many different levels and intersect with the broader military, political and economic spheres.
The present case also comes to light just as the Pentagon has released its latest cyberstrategy, with a particular focus on cyberdeterrence, and just as China has released a new military strategy paper that includes special emphasis on the development and use of cybercapabilities.
So where does this leave us? Assuredly with more questions than answers.
For instance on the US government side, irrespective of “whodunit,” one wonders whether the fundamentals of cybersecurity hygiene, such as encrypted social security numbers, were in place at the time of the breach. Such elements are not in the category of rocket science and, in the event that they may have gone unimplemented, it makes the case for greater public-private partnership and cooperation for the purposes of cybersecurity a tougher sell. Demonstrating poor practices at government agencies diminishes the credibility and perceived capability of the public sector as a reliable partner.
Yet the answer cannot be simply to throw up our arms in frustration and to complacently accept the status quo as the new normal. To the contrary, the US can and should make full use of some of the newest instruments of statecraft that it has added to its toolkit, including this April’s Executive Order entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activity,” which opens the doors for levying economic sanctions against cyberperpetrators.
Complementarily, the country should invoke some of the older, more traditional diplomatic means and methods of advancing US interests. This means working through bilateral and multilateral forums to elaborate and articulate international norms and standards of behavior that will apply to all actors.
From a bilateral perspective, perhaps ironically, later this month, from June 22-24, a high-level delegation from China is scheduled to visit Washington, DC, for the annual US-China Strategic and Economic Dialogue. If both sides are genuinely serious about addressing cybersecurity, this would be a timely and appropriate opportunity to demonstrate their commitment by skipping the pomp and circumstance to address the tough issues.
In short, if indeed this massive hack is the work of a criminal enterprise, then this is China’s opportunity to show that it is serious by conducting a joint investigation with the United States and by prosecuting wherever the facts and evidence lead.
Should China be reluctant to proceed in this manner, then the United States should look to its own legal instruments and invoke and apply them.
In that sense, the case is a litmus test for this country’s policies and practices as well.
Sharon L Cardash is Associate Director, Center for Cyber and Homeland Security at George Washington University.
Frank J Cilluffo is Associate Vice President & Director, Center for Cyber and Homeland Security at George Washington University.