It has not been a good year for federal government data security.
In October alone, Russian government hackers breached unclassified computer networks in the White House. They also penetrated the State Department’s unclassified email system. A National Weather Service employee was arrested for downloading classified information about American dams. The next month, the U.S. Postal Service revealed its employee information had also been illegally obtained.
Earlier in the year, The New York Times had revealed Chinese hackers were targeting small, seemingly low-level agencies like the Government Printing Office, which publishes physical editions of federal and Congressional reports. The endless cycle of hack after hack led Nextgov to proclaim 2014 “the year of the breach.”
News on Thursday did not make 2015 seem any better. Citing unnamed administration sources, the Associated Press and The New York Times are reporting that the personal information of some 4 million past and present federal employees was stolen by Chinese hackers. The hack affects more than 1 percent of Americans.
The information was stolen from the Office of Personnel Management (OPM)—the equivalent of the federal government’s human resources department—and the Department of the Interior. It includes, critically, social-security numbers, which prompted the OPM to tell affected employees to go check their credit reports.
Says The Times: “It is unclear whether the breach was related to commercial gain or espionage.” Were it to be used for espionage—which is understood to be more of a possibility with Chinese than with Russian government hackers—it would be a particularly compelling set. Previous reports on OPM data breaches have mentioned that the agency also records who has applied for top-secret security clearances. The dangers to national security posed by the disclosure of such a database are obvious.
The OPM says that it’s improving its security—that it in fact only discovered the breach in the process of upgrading its software to a new system. But if the data of any four million Americans were to fall into the hands of a foreign government, these are precisely the worst ones to whom it could have happened. The disclosure of breaches like these, though, tends to be asymmetric. When Chinese government databases are breached by other governments, it does not make the news in China. The Chinese government is under no compulsion to reveal it.
And it’s likely, too, that these kinds of data breaches are only the most visible fights on a vast battlefield of digital espionage. We can see certain breaches because they involve ordinary Americans—but silent and far subtler games of intrigue pass without our knowing.