The Office of Personnel Management announced last week that the
personal data for 21.5 million people had been stolen. But for national
security professionals and cybersecurity experts, the more troubling
issue is the theft of 1.1 million fingerprints.
Much
of their concern rests with the permanent nature of fingerprints and the
uncertainty about just how the hackers intend to use them. Unlike a
Social Security number, address, or password, fingerprints cannot be
changed—once they are hacked, they're hacked for good. And government
officials have less understanding about what adversaries could do or
want to do with fingerprints, a knowledge gap that undergirds just how
frightening many view the mass lifting of them from OPM.
"It's
probably the biggest counterintelligence threat in my lifetime," said
Jim Penrose, former chief of the Operational Discovery Center at the
National Security Agency and now an executive vice president at the
cybersecurity company Darktrace. "There's no situation we've had like
this before, the compromise of our fingerprints. And it doesn't have any
easy remedy or fix in the world of intelligence."
Though
the idea of hacked fingerprints conjures up troubling scenarios gleaned
from Hollywood's panoply of espionage capers, not much is currently
known about those that OPM said were swiped in the data breach, which
began last year and has been privately linked by officials to China. In
fact, the agency said it didn't even know yet specifically which
personnel have had their prints compromised.
"We do not have that information at this time," said Sam Schumach, an
OPM spokesman, explaining that the agency is still assessing the breach
and has not yet performed a "deep dive" into the data to assess whose
fingerprints are now in the hands of hackers.
Questions
also remain about what the ultimate goal of the OPM hackers is, and the
administration so far continues to refuse to publicly blame China for
the intrusion. Some have likened the breach to an enormous surveillance
operation, one that Beijing conducted in order to build databases on the
ins and out of the U.S. government and to potentially coerce,
blackmail, or bribe officials into divulging closely guarded secrets.
Whatever
the motives, the stolen fingerprints are viewed as a uniquely important
and unprecedented data heist—one that could reap huge rewards for the
hackers for decades to come.
"It's
really horrifying, on so many levels," said Peter Singer, a strategist
at the New America Foundation and a consultant for the military who just
published a book, Ghost Fleet, that imagines what a
cyber-heavy 21st-century war between the U.S., China, and Russia might
look like. "This is different from the other breaches because this is a
cyberattack that was not about intellectual-property theft. It was not
about economic advantage of some sort. This is what we call preparing
the battlefield."
Part
of the worry, cybersecurity experts say, is that fingerprints are part
of an exploding field of biometric data, which the government is
increasingly getting in the business of collecting and storing.
Fingerprints today are used to run background checks, verify identities
at borders, and unlock smartphones, but the technology is expected to
boom in the coming decades in both the public and private sectors.
"There's
a big concern [with the OPM hack] not because of how much we're using
fingerprints currently, but how we're going to expand using the
technology in the next 5-10 years," said Robert Lee, cofounder of Dragos
Security, which develops cybersecurity software.
Also problematic is that there is "no way to reissue a fingerprint,"
Lee said, meaning that once a set is in the hands of a foreign adversary
they are vulnerable as long as that person is working in government.
That
reality could create a squeeze on government for decades to come, as
agencies may be forced to forgo fingerprints for things like two-factor
authentication and instead rely on another biometric, such as facial
recognition or iris scans. But those could also someday be hacked, as
the OPM hack showed that just about anything stored in a government
database can be up for grabs.
One
thing seems clear: The fingerprints of most covert CIA spies working for
the government are likely not affected, because the spy agency manages
it own records apart from OPM. But the records for nearly every other
executive agency, from the NSA to the FBI and anything housed under the
Department of Defense, were laid bare during the hack. And some CIA
agents who have previously worked elsewhere in government where they
were required to submit a security-clearance form to OPM are also
vulnerable.
One
nightmare scenario envisioned by Ramesh Kesanupalli, an expert in
biometrics, is that agents traveling across borders under aliases could
be spotted for their true identities when their prints are scanned.
Kesanupalli also warned that the fingerprints could end up somewhere on
the black market, making biometrics a novel good to be trafficked on the
Internet that could be useful to a buyer for decades.
For
Kesanupalli, the hack may spur the government to start adopting other
biometrics more quickly in lieu of the contaminated fingerprints, noting
that iris scans are not as easily hackable as prints and harder to
forge than facial scans, which can sometimes dupe cameras.
But
fingerprints are likely only going to grow in importance for the
government in the coming years, he said, and that is true for hackers,
too.
"You never know down the line where we are going to use the fingerprints," Kesanupalli said.
Penrose,
the former NSA official, also speculated that most of the stolen
fingerprints were likely digital scans and not the older ink-based
records, which may suggest that the bulk of the prints belong to active
or recent employees. The broader breach affected all employees going
back to 2000, OPM said.
"Jason
Bourne would be in big trouble over this," Penrose said, referencing
the fictional action-movie character played by Matt Damon. "Give him
some new fingerprints."
http://www.nationaljournal.com/tech/opm-hack-fingerprints-china-20150714
No comments:
Post a Comment