The United States government is a hacker’s paradise.
The Obama administration announced last week that hackers had stolen the personal information of more than four million past and present federal employees from the Office of Personnel Management. Analysts estimate that the data breach might affect roughly one percent of all Americans; it has already been described by the New York Times as the largest breach of federal data in history.
The Times report comes after a particularly embarrassing few months for the U.S. government’s cybersecurity posture: In October of 2014, Russian hackers breached unclassified White House computer networks, before moving on to the State Department. The recent China attacks, though unrelated, add insult to injury: The New York Times reports that the OPM issued a memo in November (in the midst of the holiday hack-a-rama) that called the agency’s computer security systems a "Chinese hacker’s dream" and begged officials to patch the problems. But it turned out they were warning of vulnerabilities that had already been compromised; the Times reports that Chinese hackers had already stolen tens of thousands of files on security clearances and were actually preparing for last week's breach.
"Hackers in China apparently figured [the vulnerabilities] out months before the report was published," the Times reports. In the summer of 2014, government officials had detected a breach specifically targeting the agency's clearance records. While minimally protected, those records contain information that could easily allow hackers to access "email or other accounts belonging to those entrusted with the nation’s secrets," according to the Times. Still, the OPM vulnerabilities went unfixed.
The apparent ease with which Russian and Chinese hackers were able to breach American databases serves as yet another reminder that hacking is the new normal.
This could be just the beginning for China’s political and corporate cyber espionage. According to the Washington Post, analysts suspect that China is deploying hackers to build "massive databases of Americans’ personal information" in order to gather intelligence, explore other potential vulnerabilities, and turn vulnerable officials into potential government moles. The group behind the OPM breach is reportedly the same one responsible for February's hack of health insurer Anthem, which may have included almost 80 millions consumers. The apparent ease with which Russian and Chinese hackers were able to breach American databases serves as yet another reminder that hacking is the new normal.
These humiliations come as citizens are more anxious than ever about the threat of foreign hackers. A massive cyberattack allegedly perpetrated by North Korean hackers against Sony Pictures—and the resulting kerfuffle over the release of The Interview—brought the specter of international hacking from think tank theory to the dinner table reality. Many average citizens see a massive cyberattack as inevitable: A 2014 Pew Research Center poll found that 61 percent of respondents anticipated a nationwide breach of epic proportions by 2025.
And this isn’t just paranoia. Everyday Americans face the risk of cyberattack more than ever before. According to a different Pew survey from last year, more than 18 percent of adults have had important personal information stolen, including Social Security numbers and banking information, on the Internet. And as Pacific Standard’s Francie Diep reported earlier this year, "criminals created 317 million new pieces of malicious software and targeted five out of six large companies for email attacks, an increase of 40 percent over 2013."
The ongoing humiliation of the U.S. national security establishment at the hands of foreign hackers raises the question: If hacking is the new normal, when does a cyberattack qualify as an act of war? Astonishingly, the answer is still unclear. "Everyone agrees that certain cyber operations are clearly not armed attacks, for example, cyber espionage," Michael N. Schmitt, director of the Stock Center for the Study of International Law at the United States Naval War College, told Pacific Standard in February. "In between that [and uses of military force] ... the law is not clear enough. Shutting down the national economy is probably an act of war, but short of that, we’re not certain."
This uncertainty is just the tip of the iceberg when it comes to the government's skewed approach to hacking. A blistering federal oversight report on the Department of Homeland Security's cybersecurity programs deemed DHS efforts "unlikely" to protect both citizens and government from attacks. Simply put, America's cybersecurity apparatus is staffed by hapless bureaucrats, despite President Obama's posturing on cyberattacks. The report condemned the systemic weaknesses in the government's security systems as a critical threat to national security.
With vague rules and a convoluted bureaucracy, the government seems to be phoning it in when it comes to modern cyberwarfare. But one thing is clear: With hacking of both civilian and government data on the rise, the U.S. government may want to consider updating its security infrastructure, and taking cyber security as seriously as its citizens—and the rest of the world—do.