Last week, the Office of Personnel Management announced that the security clearance background information (the dreaded SF-86 form) was compromised. I wrote about it in “Why this security breach is worse than all the others combined” and considered the implications of it.
But this snippet from Arstechnica made me think of something else:
A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root.”
My thinking – and most articles I’ve read – has been what could be taken and mis-used from the hack.
But what if we’ve been thinking of it from the wrong direction?
What if access wasn’t used to leak information but to create and change it?
The implications are terrifying, since this information was compromised:
Any clearances granted may have been based on fabricated information.
Any clearances denied may have been based on fabricated information.
Now foreign governments don’t need to employ time-consuming or expensive signals or human intelligence. It is cheaper, faster, and far more effective to just have their agents apply for the job. If something problematic comes up in the investigation, you simply delete or edit it.
In fact, if they really want to make sure their agent gets the job, they could taint the other candidates to force them to fail.
Other than the OPM investigator(s) directly involved in the case, there would be few people – if anyone – who could notice the changes.
The simplicity is genius.
The FBI agent, Immigrations and Customs Enforcement (ICE) officer, or that janitor at the nuclear power plant may not be the person you believe them to be.
Last time I said “you are screwed,” but now I’ll upgrade that to “we’re all screwed.“
When I was an officer in the Air Force, I funded some university research on deception detection. Basically, we were trying to determine if people would blindly trust what a database told them, even when it made no sense. One of the experiments they did was to inject “ludicrous” data into the military HR system – like a record that said some new recruit had a medal that only generals every get, things like that. Almost universally, no one noticed the aberrant data – they just blindly trusted the computer.
It is impossible to know how much damage could have been caused by any manipulation of the data they have done over the last year that they supposedly had access. And it is almost a guarantee that they have modified data.