What Was the Purpose of the OPM Hack?

One of things that makes hacking so unsettling is the asymmetry of the situation: Unlike with a physical theft, the victims sometimes don’t know they’re victims for a long time, and once they find out, it’s hard to tell just how badly they’ve been victimized.

That’s true of the massive data breach revealed Thursday affecting 4 million current and former federal employees. There’s still a great deal that hasn’t been explained about why and how the hack happened, and whose data was compromised. (Angry federal employees took to the Facebook page of the Office of Personnel Management to complain about feeling left in the dark about the attacks.) There are, however, some emerging answers to three key questions: Who did it, why, and how it happened.

Early on, the government fingered Chinese hackers in the leak. Bruce Schneier has written for The Atlantic about the dangers of uncritically accepting initial attributions for attacks. The Chinese government has also rejected the claim, saying that it’s a victim of hacking itself. (That’s probably true—and the U.S. admits that it also hacks foreign governments.) But officials says there are fingerprints of known Chinese hackers. Another they’re pointing at China—rather than, say, Russian organized-crime hackers who have also assaulted American computer systems—is the kind of data taken and what’s been done with it.

“They didn’t go to sell the data, which is what criminal groups usually do,” James Lewis of the Center for Strategic and International Studies told The New York Times. The government and outside experts think that, along with the fact that the leak targeted government employees suggest an elaborate effort to build a huge database of information on federal employees. The data reportedly cover employees going back as far as 1985, and includes information on employees who applied for security clearances.

How did they do it, though? The government has a large, costly, sophisticated, and mostly secret system for protecting its data. But that system is, even according to the government, obsolete. It follows an old protocol of attempting to keep hackers outside, like a fence. Newer systems assume hackers will get through the outside defense and try to stop them once they’re inside.

The U.S. had been warned that it wasn’t ready in an inspector general’s report late last year. By the time the report landed, it was apparently too late, but many of the steps it recommended still haven’t been taken. For example:

In the most egregious case cited by the inspector general, outsiders entering the system were not subjected to “multifactor authentication” — the systems that, for example, require a code that is sent to a cellphone to be entered before giving access to a user. Asked about that in an interview, Donna Seymour, the chief information officer at the Office of Personnel Management, said that installing such gear in the government’s “antiquated environment” was difficult and very time consuming, and that her agency had to perform “triage” to determine how to close the worst vulnerabilities.

The government will now institute two-step verification—a step that longtime Atlantic readers will remember James Fallows exhorting them to take as early as the spring of 2011.

Generally, U.S. systems for data don’t seem to have wrapped themselves in glory concerning the hack. In 2014, then-Attorney General Eric Holder called for rules forcing companies to make disclosures to customers quickly when their information was hacked; it seems the government wouldn’t have met those guidelines. Critics have also wryly noted that a huge incursion into sensitive employee information tends to undermine the government’s claims that its intelligence apparatus can protect huge amounts of personal information swept up in surveillance dragnets. As one former senior official told the Times, “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”