The real reason the US is vulnerable to security hacks from China and beyond
To be effective, a counterespionage program has to mesh cybersecurity with other company operations
By Bruce Wimmer, CPP Posted on 18 June 2015
Two weeks ago, major news media outlets reported on what many then termed “shocking” news – that computer hackers, believed to be based in China, had apparently breached databases that included federal personnel records from the US Office of Personnel Management (OPM). The initial OPM response was typical of a cyber response plan for a data breach in which personal information, which can be used to establish false financial information for credit and tax purposes, is compromised. More than 4 million current and former employees were initially instructed to do things like change passwords and check credit reports and credit card and banking statements.
As the investigation got underway, additional information surfaced in the media. The latest reports from the Washington Post indicate that the hackers may well have also gained access to sensitive background information for security clearances. This latest announcement came after OPM had disclosed other personnel system information was compromised. But this was not your usual criminal theft of financial related information. Now the hackers potentially have decades of personal information such as investment records, children and relatives’ names, divorce or other personal information, foreign work history, foreign trips taken, past residences, details of neighbors, financial and criminal histories and even listed foreign contacts.
Most experts agree that this was not a traditional hack to steal financial information, military secrets or even commercial cyber espionage. Instead, this information would be valuable for assessing and recruiting spies within government or even business – since many of these employees have moved to the private sector. Spy agencies would relish having this level of personal information on millions of individuals. The information could even potentially be used to punish individuals in China who have unreported contacts with government/military employees in the United States.
While the media seemed surprised, this information highlights the way cyber-security and other security countermeasures to protect companies, or even governments, from spying are intertwined. Unfortunately, in business and in government, the IT security and physical or other security measures are all too often in separate organizational “silos” (functional divisions such as IT, Security, Legal, Facilities and Human Resources), and they often do not function as one synthesized operation. To be as effective as possible, security approaches must cut across these functional silos. This principle warranted several chapters in my recent Elsevier book: Business Espionage: Risks, Threats and Countermeasures. I point out that China is the most active country in the world when it comes to espionage, and the separation between government and business is often blurred in China, as in many other countries. Anyone with a good espionage program will exploit the seams between IT and other security elements. From a countermeasure standpoint, the important thing is that businesses (and governments) have a comprehensive program where cyber security and other security measures are proactively and preventatively intermeshed on a daily basis. The instant a possible attack is detected in one arena, all other elements are alerted and prepare for other types of attack.
Cybersecurity, for example, too often fails to take into account the potential insider threat and focuses primarily on outside threats. As soon as there are attempts to break into an IT system, the entire enterprise should know about it, because it has implications for all aspects of enterprise security. If physical security is not ramped up at the same time, the physical security team may not be adequately ready to stop simultaneous social engineering efforts to get access to the IT server room or to internal IT systems that are already behind some firewalls. Physical security failures can allow passwords to be compromised or enable phishing attacks to succeed.
Likewise, as in this example, spies can get information from some enterprise systems that IT might evaluate as not “classified” and thus not a big concern. But that unclassified information might be put together with information obtained by cleaning staff from a desk or by spies conducting a trash cover. This combined information suddenly compromises a sensitive program or, as in this case, unclassified personal information enables the spies to target an employee and then get inside sensitive information by exploiting known weaknesses or issues. This is exactly what has counterintelligence officials concerned about the compromise of this OPM personal data.
The key to protecting information is a comprehensive, risk-based counterespionage program that truly meshes IT security with physical and other security measures and constantly re-evaluates the ever-changing threats, vulnerabilities and assets/consequences. It also includes an educated and aware workforce and a fusion-center approach to dealing with all threats and reports. The ideal objective is to not need a response because your proactive program thwarted all attacks. But if that fails and you do need a response, you want it to be quick and comprehensive – not one that takes weeks, so that disjointed information gradually leaks out to the media and the final impact is even more adverse than the attack itself.
Elsevier Connect Contributor
Bruce Wimmer is a security consultant who has been involved in counterespionage for more than 43 years. He authored the recently released Elsevier book Business Espionage: Risks, Threats and Countermeasures. Bruce has lived and worked in a dozen countries around the world, including the People’s Republic of China, Taiwan, Japan, Germany and the UK. He was a counterespionage specialist for the US Air Force, where he served for nearly 22 years, and has now spent almost an equal amount of time in the private sector helping both large and small international businesses deal with business spying threats around the world.