Hacks happen. It seems like it's almost every month that some large corporation flubs their computer security, and lets hackers make off with data on millions of users. But what happens when it's not a corporation, but the US government?

For weeks now, the news coming out of the Office of Personnel Management (OPM) has been getting steadily worse. The OPM, a little-discussed government office that stores records on employees, has been the subject of a hack of truly historic proportions.

The exact numbers have been challenging to get a handle on. When the hack was first announced, investigators were assured that the breach was discovered promptly using the government's EINSTEIN internal security program, and it affected the records of around four million employees.

Since then, it's become clear that the hack was discovered accidentally, long after it occurred - and the actual number affected is more like twenty-one million.

Unfortunately, computer security can tend to be confusing and dry. Despite all the reporting, many of you still may not have a good understanding of what was taken, how it happened, or how it affects you. I'm going to make an effort to break it down and answer some basic questions about the issue.

How Did The Hack Happen?

There have been signs that this sort of thing was likely for a while. The Snowden leak revealed just how bad federal computer security can be, even within the theoretically expert NSA. The situation at the OPM was even worse. The open had no security employees at all until 2013. They'd been repeatedly warned that their security practices were vulnerable to intrusion.

The picture of incompetence is completed by reports that the incursion was discovered during a sales presentation by a company called CyTech Services, who found the malware while demonstrating their security scanning tool. It's not clear how long hackers had access to the system, but 'years' is a plausible guess.

1594411528_1512b1aad5_z

Unfortunately, this is far from an isolated incident among government agencies, and that shouldn't surprise you. Look at the incentives: if Target is hacked, they lose millions of dollars in lawsuits and lost sales. The company takes a hit, and their competitors eat up market share. If a government office makes the same mistake, very little actually happens. They fire a few sacrificial lambs and try to look solemn during the hearings, and wait a few weeks for the 24-hour news cycle to get distracted by something shiny.

There's very little practical incentive to change, and very few laws exist regarding cybersecurity. Of the few laws there are (like FISMA, the Federal Information Security Management Act), most aren't followed closely. Around 75% of the OPM's computer systems did not comply with that law.

This is a situation that is bad and getting worse. The Government Accountability Office reported in April that the number of security breaches at federal agencies skyrocketed from 5,500 in 2006 to more than 67,000 in 2014. In an interview with Re/code, Gregy Wilshusen, the author of the report, says this is because agencies often have crippling flaws in their internal security procedures, and often don't fix vulnerabilities once they're uncovered.

“When we evaluate these agencies, we often find that their internal testing procedures involve nothing more than interviewing the people involved, and not testing the systems themselves [...] We consistently found that vulnerabilities that we identify as part of our testing and audit procedures are not being found or fixed by the agencies because they have inadequate or incomplete testing procedures.”

What Was Taken?

keychainlogin

Another point of confusion has to do with the nature of the information the hackers had access to. The truth is that it's pretty diverse, because several databases were accessed. The information includes social security numbers for just about everyone - which presents a huge threat of identity theft all by itself. It also includes 1.1 million finger print records, which endangers any system that relies on biometrics.

Most alarmingly, among the records stolen were millions of reports obtained during background checks and security clearance applications. I've participated in a number of background checks, as an alarming number of my old college friends now work for the US federal government. These background checks dig deep. They talk to your family, your friends, and your roommates to verify your entire life biography. They're looking for any hints of disloyalty, or involvement with a foreign power, as well as anything that could possibly be used to blackmail you: addiction, infidelity, gambling, secret homosexuality, that kind of thing.

In other words, if you're looking to blackmail a federal employee, this is pretty much a dream come true. The background check system has shut down in the wake of the hack, and it's not clear when it'll be operational again.

There's also the larger concern that the attackers had access to these systems for a long time.

Who's Affected?

Twenty-one million is a big number. The range of those directly affected spans current and former federal employees, as well as those who applied for a security clearance and were turned down. Indirectly, anyone close to a federal employee (think family, spouses, and friends) could be impacted if their information was noted in the background check.

If you think you might be affected by this, the OPM is offering some basic identity-theft protection resources in the wake of the incident. If you're among those directly compromised, you should get an email, as the OPM figures out exactly who was affected.

However, these protections only account for identity theft and other fairly basic attacks using the data. For more subtle stuff, like extortion, there's a limit to what the government can do. The protection only lacks 18 months - a patient hacker could easily sit on the information for that long.

081203-N-2147L-390

What Will the Data Be Used For?

Lastly, we have the million-dollar question. Who took the data, and what are they planning to do with it? The answer is that, unfortunately, we don't really know. Investigators have pointed their fingers at China, but we haven't seen any concrete evidence released to back this up. Even then, it's not clear whether we're talking about Chinese freelancers, the Chinese government, or something in between.

So, without knowing the attackers or their motives, what could be done with this data?

Right off the bat, some obvious options present themselves. Social security numbers are not easily changed, and each one can be used in a potentially profitable identity theft. Selling these for a few dollars each, over time, could net a healthy nine-figure payday for the hackers, with nearly no effort.

Capturing the Flag

Then there's nastier options. Let's say you're a foreign power and you come into contact with this information. All you need to do is find a federal employee with access to a critical system, who you have some dirt on via the hack. Maybe the first one is willing to let their infidelity/addiction/sexuality become public to protect their country. But you have millions of possible targets. Sooner or later, you're going to run out of patriots. This is the real threat, from a national security perspective - though even a freelance hacker could use this to extort money or favors from millions of innocent people.

Security expert Bruce Schneier (who we spoke to on issues of privacy and trust) has speculated that there's an additional risk that the attackers could have tampered with the contents of the database during the time they had access to it. It's not clear that we'd be able to tell the database had been modified. They could, for example, potentially have given security clearance to foreign spies, which is a frightening thought.

What Can We Do?

Unfortunately, this is probably not the last hack of its kind. The kind of lax security procedures we see in the OPM are not uncommon in government agencies of its size. What happens if the next hack turns off electricity to half the country? What about air-traffic control? These aren't ridiculous scenarios. We have already used malware to attack infrastructure; recall the Stuxnet virus, likely the work of the NSA, which we used to physically destroy Iranian nuclear centrifuges?

Our natural infrastructure is embarrassingly vulnerable, and deeply crucial. That's a situation that's not sustainable. And, as we read about this hack (and the next one), it's important to remind ourselves that this is not an issue that goes away when the news cycle gets distracted, or when a few employees are fired. This is a systemic rot, one that's going to keep hurting us, over and over, until we actually fix it.

Were you affected by the hack? Worried about low standards of computer security? Let us know in the comments!  

Image credits: Defcon ConferenceCrypto Card Two FactorUS Navy CyberDefenseCredit Card Theft, Keith Alexander