Governments get hacked - it's almost inevitable. The bigger the hack - the more acute the subsequent panic.
On June 4th, 2015, for example, the federal government revealed it had been hit with one of the largest data breaches in its history. A week later, amid great speculation, very little was known for certain. Bob spoke with Robert Knake, Senior Fellow for Cyber Policy at the Council on Foreign Relations, about the predictable pitfalls of the media's rush to cover a massive hack and about what we need to keep in mind for the next one(s).
Ornette Coleman: Jordan
BOB: On June 4th the federal government confirmed that it had been hit by one of the largest security breaches in its history. The target was the Office of Personnel Management, and at least four million current and former federal employees are thought to have had their Social Security numbers and other personal information compromised. This is what we know. We have a pretty good idea that they didn’t get classified information. We have no idea exactly who did it, or why. But there’s been plenty of speculation:
ANCHOR 1: Tonight, we've also learned that the prime suspect is not some nerd in a basement somewhere or a crime syndicate, but a superpower, the People's Republic of China, authorities say.
ANCHOR 2: In the Washington Post this morning the headline is: “China compiling Americans' data.” The story says China is building a massive database of Americans' personal information….
ANCHOR 3: Security experts tell us this is just the latest example of an ongoing cyber war with China...
BOB: An overwhelming consensus, very possibly overwhelmingly incorrect, according to Robert Knake, a Senior Fellow for Cyber Policy at the Council on Foreign Relations. Knake takes particular issue with the media’s fixation on “cyber war” between the US and China. He happened to co-author a book on the subject in 2010, but the cyber warfare he imagined looks nothing like hacked personnel files.
KNAKE: When I wrote that book with Richard Clarke, the former cyber adviser to President Bush, we were worried about cyber attacks blowing up pipelines, we were worried about cyber attacks taking down critical infrastructure. That would be cyber war. What we're talking about is espionage, right? The second oldest profession depending on how you count professions, right? This is spying. And spying is traditionally something that is very different from warfare, it can be a part of warfare, but it's not usually considered to be an act of war, simply to spy.
BOB: We believe the attacks came from within China. But could be the government, it could be the People's Liberation Army, could be a bunch of criminals in a storefront in Shanghai.
KNAKE: I think it's safe to say that we know that this attack emanated from China the country. What we don't yet know is whether we've traced this back to the Chinese government. If you look at what China has done to the United States in cyberspace over the last decade, all those cases are far worse than this. Things like stealing the information - the plans for the F35. Things like breaching the National Inventory of Dams database, the database that contains everything that you want to know about the dams in the United States. Those things have already happened. Why would the Chinese take the aggravation of raising another major cyber incident with the United States over information for figuring out whose email accounts do I want to compromise. And so well, where else would this kind of information be useful? If indeed it really is restricted to Social Security numbers, dates of birth, personally identifiable information - that information is also really valuable to criminals. And so it's possible that China is in fact amassing this massive database on every American - the going hypothesis that The Washington Post has run with. But it's also possible that it might just be a criminal group.
BOB: You have observed that the assumptions following any major hack seem to be limited to history. That our imaginations can go no farther. Is that what happens?
KNAKE: Absolutely. There's a whole bunch of assumptions that are made. Every incident that is always the worst possible outcome, and we lose sight of what we actually know and what we actually don't know, right? OPM is confident that they lost four million records.
BOB: That's the Office of Personnel Management.
KNAKE: Personnel Management, right. And they've listed out what they think they lost. The assumption that everybody has jumped to is this means they lost all the clearance information. What you would really want if you were a foreign intelligence operative.
BOB: Because, aha! If someone has a high clearance it means they are exposed to very sensitive information and also, ahaha, they're more blackmail-able if you know every single thing about them that was gathered during the course of their security clearance interviews.
KNAKE: And so that's where a lot of the hysteria around this incident has come from. We don't actually know that that clearance information was taken, right? So, crazy idea here would be to wait and give the story a little bit of time. They've disclosed this breach so that the four million people who had their records stolen will know about that, and they're going to send out letters about that. If in fact the breach is worse than this, at that point, OPM will disclose that fact.
BOB: Robert, with all due respect, what you've just said is just stupid. There are cable hours to be produced! There are talking heads to be booked! There are speculations to be speculated! This will not wait for the information to eventually flow in! We have to guess right now.
KNAKE: So I think one of the things that we've seen that is sort of the generic national security pundit jump into this space. People who don't actually have a lot of background or a lot of knowledge in cybersecurity but it's starting to be kind of this hot issue, and so if you know something about China or you know something about Russia, you're also sort of posing yourself as a cyber expert and offering forth opinions on that subject, and a lot of the time those opinions, when I hear them, I say, wait, this isn't grounded at all. Or wait, you're going off the latest thing you just read on Twitter. And you have no way of knowing if that is in fact true.
BOB: With the endless numbers of security breaches emanating apparently from Russia and China and North Korea and the Sony hacking case, there is this sense of siege. But it's a two way street.
KNAKE: Yes. One of the things that we know now because of the Snowden revelations is that the US has a very active program. And so that's why I think when you look at an incident like this, you may not see that much outrage coming out of federal officials, coming out of the federal government, because it didn't necessarily cross a line that we've put down in the sand, right? So if you look at two incidents where the government has come out and officially attributed them, we've officially said we know who did this and we're pissed about it, those two recent incidents are one, the North Korea hack against Sony, where we said hey, you can't do this, you can't target an American company, you can't try and stifle freedom of speech. And the second time recently is the indictment of the five Chinese People's Liberation Army hackers over a multi-year campaign taking information from US Steel and Westinghouse to benefit Chinese companies, and in that case we not only said it was China, we said here are the five people.
BOB: One of the reasons that perhaps we feel so under siege, if we are returning the favor to foreign countries, we wouldn't know because those foreign countries don't really report their breaches, do they?
KNAKE: There is no move afoot in China or Russia or many other countries around the world to require government agencies to disclose when they've been breached --
BOB: There's no FOIA in North Korea?
KNAKE: [laughs] Exactly. I mean, the second piece of it, right, is that we do have this open media, and so even in cases where the government doesn't come out and say, "we've been breached," there are reporters who are working to find that information out every day.
BOB: One more thing. I'm concerned about what I've read about so far, and what might happen in the future. I'm also a little nervous about what has happened, that I don't know about, either because the government hasn't told me, or because the government doesn't even know yet. Is that a paranoic concern?
KNAKE: You're not giving the government enough credit on this one. There are thousands of people who are working to figure out what the unknown unknowns are. But in each of these cases you need to remember that there's an overall context that you've gotta be aware of. So, in the case of China, it's not just about what's happening in cyberspace, it's about every other piece of the agenda, right? They may want to collect intelligence on us, but they want to do that without totally blowing up their relationship with the United States. They're just as dependent on us as we are on them for trade. Cyber is not something that happens in a vacuum. What happens in cyberspace does not necessarily stay in cyberspace. So, calm down, don't worry, there are a few common sense things that you should be doing to protect yourselves online. But, ultimately at the end of the day, when it comes to these nation state threats, there's very little that you can do about it, it's not actually about you and takeover of your Facebook account.
BOB: Robert, thank you very much.
KNAKE: Thank you.
BOB: Robert Knake is senior fellow for cyber policy at the Council on Foreign Relations. You can find a one-page printable version of our Breaking News Consumer's Handbook: Data Breach edition at onthemedia.org.