How Much Damage Can the OPM Hackers Do With a Million Fingerprints?

The pilfering of 1.1 million fingerprints is “probably the biggest counterintelligence threat in my lifetime,” one former NSA official said.

Dustin Volz
July 14, 2015, 11:14 a.m.

The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that undergirds just how frightening many view the mass lifting of them from OPM.

“It’s probably the biggest counterintelligence threat in my lifetime,” said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace. “There’s no situation we’ve had like this before, the compromise of our fingerprints. And it doesn’t have any easy remedy or fix in the world of intelligence.”

Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood’s panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn’t even know yet specifically which personnel have had their prints compromised.

“We do not have that information at this time,” said Sam Schumach, an OPM spokesman, explaining that the agency is still assessing the breach and has not yet performed a “deep dive” into the data to assess whose fingerprints are now in the hands of hackers.

Questions also remain about what the ultimate goal of the OPM hackers is, and the administration so far continues to refuse to publicly blame China for the intrusion. Some have likened the breach to an enormous surveillance operation, one that Beijing conducted in order to build databases on the ins and outs of the U.S. government and to potentially coerce, blackmail, or bribe officials into divulging closely guarded secrets.

Whatever the motives, the stolen fingerprints are viewed as a uniquely important and unprecedented data heist—one that could reap huge rewards for the hackers for decades to come.

“It’s really horrifying, on so many levels,” said Peter Singer, a strategist at the New America Foundation and a consultant for the military who just published a book, Ghost Fleet, that imagines what a cyber-heavy 21st-century war between the U.S., China, and Russia might look like. “This is different from the other breaches because this is a cyberattack that was not about intellectual-property theft. It was not about economic advantage of some sort. This is what we call preparing the battlefield.”

Part of the worry, cybersecurity experts say, is that fingerprints are part of an exploding field of biometric data, which the government is increasingly getting in the business of collecting and storing. Fingerprints today are used to run background checks, verify identities at borders, and unlock smartphones, but the technology is expected to boom in the coming decades in both the public and private sectors.

“There’s a big concern [with the OPM hack] not because of how much we’re using fingerprints currently, but how we’re going to expand using the technology in the next 5-10 years,” said Robert Lee, cofounder of Dragos Security, which develops cybersecurity software.

Also problematic is that there is “no way to reissue a fingerprint,” Lee said, meaning that once a set is in the hands of a foreign adversary they are vulnerable as long as that person is working in government.

That reality could create a squeeze on government for decades to come, as agencies may be forced to forgo fingerprints for things like two-factor authentication and instead rely on another biometric, such as facial recognition or iris scans. But those could also someday be hacked, as the OPM hack showed that just about anything stored in a government database can be up for grabs.

One thing seems clear: The fingerprints of most covert CIA spies working for the government are likely not affected, because the spy agency manages its own records apart from OPM. But the records for nearly every other executive agency, from the NSA to the FBI and anything housed under the Department of Defense, were laid bare during the hack. And some CIA agents who have previously worked elsewhere in government where they were required to submit a security-clearance form to OPM are also vulnerable.

One nightmare scenario envisioned by Ramesh Kesanupalli, an expert in biometrics, is that agents traveling across borders under aliases could be spotted for their true identities when their prints are scanned. Kesanupalli also warned that the fingerprints could end up somewhere on the black market, making biometrics a novel good to be trafficked on the Internet that could be useful to a buyer for decades.

For Kesanupalli, the hack may spur the government to start adopting other biometrics more quickly in lieu of the contaminated fingerprints, noting that iris scans are not as easily hackable as prints and harder to forge than facial scans, which can sometimes dupe cameras.

But fingerprints are likely only going to grow in importance for the government in the coming years, he said, and that is true for hackers, too.

“You never know down the line where we are going to use the fingerprints,” Kesanupalli said.

Penrose, the former NSA official, also speculated that most of the stolen fingerprints were likely digital scans and not the older ink-based records, which may suggest that the bulk of the prints belong to active or recent employees. The broader breach affected all employees going back to 2000, OPM said.

“Jason Bourne would be in big trouble over this,” Penrose said, referencing the fictional action-movie character played by Matt Damon. “Give him some new fingerprints.”
