How Much Damage Can the OPM Hackers Do With a Million Fingerprints?

The pilfering of 1.1 million fingerprints is “probably the biggest counterintelligence threat in my lifetime,” one former NSA official said.

Dustin Volz
July 14, 2015, 11:14 a.m.

The Of­fice of Per­son­nel Man­age­ment an­nounced last week that the per­son­al data for 21.5 mil­lion people had been stolen. But for na­tion­al se­cur­ity pro­fes­sion­als and cy­ber­se­cur­ity ex­perts, the more troub­ling is­sue is the theft of 1.1 mil­lion fin­ger­prints.

Much of their con­cern rests with the per­man­ent nature of fin­ger­prints and the un­cer­tainty about just how the hack­ers in­tend to use them. Un­like a So­cial Se­cur­ity num­ber, ad­dress, or pass­word, fin­ger­prints can­not be changed—once they are hacked, they’re hacked for good. And gov­ern­ment of­fi­cials have less un­der­stand­ing about what ad­versar­ies could do or want to do with fin­ger­prints, a know­ledge gap that un­der­girds just how fright­en­ing many view the mass lift­ing of them from OPM.

“It’s prob­ably the biggest coun­ter­in­tel­li­gence threat in my life­time,” said Jim Pen­rose, former chief of the Op­er­a­tion­al Dis­cov­ery Cen­ter at the Na­tion­al Se­cur­ity Agency and now an ex­ec­ut­ive vice pres­id­ent at the cy­ber­se­cur­ity com­pany Dark­trace. “There’s no situ­ation we’ve had like this be­fore, the com­prom­ise of our fin­ger­prints. And it doesn’t have any easy rem­edy or fix in the world of in­tel­li­gence.”

(RE­LATED: OPM An­nounces More Than 21 Mil­lion Af­fected by Second Data Breach)

Though the idea of hacked fin­ger­prints con­jures up troub­ling scen­ari­os gleaned from Hol­ly­wood’s panoply of es­pi­on­age capers, not much is cur­rently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by of­fi­cials to China. In fact, the agency said it didn’t even know yet spe­cific­ally which per­son­nel have had their prints com­prom­ised.

“We do not have that in­form­a­tion at this time,” said Sam Schu­mach, an OPM spokes­man, ex­plain­ing that the agency is still as­sess­ing the breach and has not yet per­formed a “deep dive” in­to the data to as­sess whose fin­ger­prints are now in the hands of hack­ers.

Ques­tions also re­main about what the ul­ti­mate goal of the OPM hack­ers is, and the ad­min­is­tra­tion so far con­tin­ues to re­fuse to pub­licly blame China for the in­tru­sion. Some have likened the breach to an enorm­ous sur­veil­lance op­er­a­tion, one that Beijing con­duc­ted in or­der to build data­bases on the ins and out of the U.S. gov­ern­ment and to po­ten­tially co­erce, black­mail, or bribe of­fi­cials in­to di­vul­ging closely guarded secrets.

Whatever the motives, the stolen fin­ger­prints are viewed as a uniquely im­port­ant and un­pre­ced­en­ted data heist—one that could reap huge re­wards for the hack­ers for dec­ades to come.

(RE­LATED: OPM Dir­ect­or Kath­er­ine Archu­leta Quits)

“It’s really hor­ri­fy­ing, on so many levels,” said Peter Sing­er, a strategist at the New Amer­ica Found­a­tion and a con­sult­ant for the mil­it­ary who just pub­lished a book, Ghost Fleet, that ima­gines what a cy­ber-heavy 21st-cen­tury war between the U.S., China, and Rus­sia might look like. “This is dif­fer­ent from the oth­er breaches be­cause this is a cy­ber­at­tack that was not about in­tel­lec­tu­al-prop­erty theft. It was not about eco­nom­ic ad­vant­age of some sort. This is what we call pre­par­ing the bat­tle­field.”

Part of the worry, cy­ber­se­cur­ity ex­perts say, is that fin­ger­prints are part of an ex­plod­ing field of bio­met­ric data, which the gov­ern­ment is in­creas­ingly get­ting in the busi­ness of col­lect­ing and stor­ing. Fin­ger­prints today are used to run back­ground checks, veri­fy iden­tit­ies at bor­ders, and un­lock smart­phones, but the tech­no­logy is ex­pec­ted to boom in the com­ing dec­ades in both the pub­lic and private sec­tors.

“There’s a big con­cern [with the OPM hack] not be­cause of how much we’re us­ing fin­ger­prints cur­rently, but how we’re go­ing to ex­pand us­ing the tech­no­logy in the next 5-10 years,” said Robert Lee, cofounder of Dra­gos Se­cur­ity, which de­vel­ops cy­ber­se­cur­ity soft­ware.

(RE­LATED: A Timeline of Gov­ern­ment Data Breaches

Also prob­lem­at­ic is that there is “no way to re­is­sue a fin­ger­print,” Lee said, mean­ing that once a set is in the hands of a for­eign ad­versary they are vul­ner­able as long as that per­son is work­ing in gov­ern­ment.

That real­ity could cre­ate a squeeze on gov­ern­ment for dec­ades to come, as agen­cies may be forced to forgo fin­ger­prints for things like two-factor au­then­tic­a­tion and in­stead rely on an­oth­er bio­met­ric, such as fa­cial re­cog­ni­tion or iris scans. But those could also someday be hacked, as the OPM hack showed that just about any­thing stored in a gov­ern­ment data­base can be up for grabs.

One thing seems clear: The fin­ger­prints of most cov­ert CIA spies work­ing for the gov­ern­ment are likely not af­fected, be­cause the spy agency man­ages it own re­cords apart from OPM. But the re­cords for nearly every oth­er ex­ec­ut­ive agency, from the NSA to the FBI and any­thing housed un­der the De­part­ment of De­fense, were laid bare dur­ing the hack. And some CIA agents who have pre­vi­ously worked else­where in gov­ern­ment where they were re­quired to sub­mit a se­cur­ity-clear­ance form to OPM are also vul­ner­able.

One night­mare scen­ario en­vi­sioned by Ramesh Kes­anupalli, an ex­pert in bio­met­rics, is that agents trav­el­ing across bor­ders un­der ali­ases could be spot­ted for their true iden­tit­ies when their prints are scanned. Kes­anupalli also warned that the fin­ger­prints could end up some­where on the black mar­ket, mak­ing bio­met­rics a nov­el good to be traf­ficked on the In­ter­net that could be use­ful to a buy­er for dec­ades.

For Kes­anupalli, the hack may spur the gov­ern­ment to start ad­opt­ing oth­er bio­met­rics more quickly in lieu of the con­tam­in­ated fin­ger­prints, not­ing that iris scans are not as eas­ily hack­able as prints and harder to forge than fa­cial scans, which can some­times dupe cam­er­as.

But fin­ger­prints are likely only go­ing to grow in im­port­ance for the gov­ern­ment in the com­ing years, he said, and that is true for hack­ers, too.

“You nev­er know down the line where we are go­ing to use the fin­ger­prints,” Kes­anupalli said.

Pen­rose, the former NSA of­fi­cial, also spec­u­lated that most of the stolen fin­ger­prints were likely di­git­al scans and not the older ink-based re­cords, which may sug­gest that the bulk of the prints be­long to act­ive or re­cent em­ploy­ees. The broad­er breach af­fected all em­ploy­ees go­ing back to 2000, OPM said.

“Jason Bourne would be in big trouble over this,” Pen­rose said, ref­er­en­cing the fic­tion­al ac­tion-movie char­ac­ter played by Matt Da­mon. “Give him some new fin­ger­prints.”

What We're Following See More »
PROCEDURES NOT FOLLOWED
Trump Not on Ballot in Minnesota
2 days ago
THE LATEST
MOB RULE?
Trump on Immigration: ‘I Don’t Know, You Tell Me’
2 days ago
THE LATEST

Perhaps Donald Trump can take a plebiscite to solve this whole messy immigration thing. At a Fox News town hall with Sean Hannity last night, Trump essentially admitted he's "stumped," turning to the audience and asking: “Can we go through a process or do you think they have to get out? Tell me, I mean, I don’t know, you tell me.”

Source:
BIG CHANGE FROM WHEN HE SELF-FINANCED
Trump Enriching His Businesses with Donor Money
3 days ago
WHY WE CARE

Donald Trump "nearly quintupled the monthly rent his presidential campaign pays for its headquarters at Trump Tower to $169,758 in July, when he was raising funds from donors, compared with March, when he was self-funding his campaign." A campaign spokesman "said the increased office space was needed to accommodate an anticipated increase in employees," but the campaign's paid staff has actually dipped by about 25 since March. The campaign has also paid his golf courses and restaurants about $260,000 since mid-May.

Source:
QUESTIONS OVER IMMIGRATION POLICY
Trump Cancels Rallies
4 days ago
THE LATEST

Donald Trump probably isn't taking seriously John Oliver's suggestion that he quit the race. But he has canceled or rescheduled rallies amid questions over his stance on immigration. Trump rescheduled a speech on the topic that he was set to give later this week. Plus, he's also nixed planned rallies in Oregon and Las Vegas this month.

Source:
‘STRATEGY AND MESSAGING’
Sean Hannity Is Also Advising Trump
5 days ago
THE LATEST

Donald Trump's Fox News brain trust keeps growing. After it was revealed that former Fox chief Roger Ailes is informally advising Trump on debate preparation, host Sean Hannity admitted over the weekend that he's also advising Trump on "strategy and messaging." He told the New York Times: “I’m not hiding the fact that I want Donald Trump to be the next president of the United States. I never claimed to be a journalist.”

Source:
×