It’s been a bad summer to hold a security clearance. In June, the Office of Personnel Management first announced that its systems had been breached, and that sensitive security clearance information had been stolen. A slow drip of terrible revelations would follow, from the size of the breach—four million, then 18 million, then 21.5 million—to the type of data stolen. It was at first limited to the usual information: names, addresses, and social security numbers. Then suddenly we learned that, no, it was actually the detailed background information on clearance-holders: your adulterous relationships, mental health counseling, drug abuse histories, and granular-level specifics about that time you were arrested at an Arby’s.
Later, we learned about the criminal incompetence of OPM’s information security team. (“One contractor,” it has been reported, “with root access to the OPM database was physically based in China.”) There’s a good chance your local phonebook guards your telephone number more effectively than OPM guarded the darkest aspects of your personal and professional life. Two months elapsed before OPM came forward with news of the hack at all. It wasn’t discovered by routine internal security assessments, but possibly by a data auditing company hoping only to demonstrate how their product worked. (In other words, sales reps discovered the breach, as opposed to the supposed information security specialists on the government payroll.)
If there’s one takeaway from the OPM breach, it’s that all you apparently need to work in OPM IT is a pulse. At first blush, surly, that’s the worst case scenario, right?
THE WORSE CASE SCENARIO
Then came the Ashley Madison hack in July 2015. In case you’d never heard of Ashley Madison, it is a website whose slogan is: “Life is short. Have an affair,” and purports to help married individuals discretely link up for no-strings-attached sexual liaisons. And oh boy did things go south quickly for Ashley Madison members. Hackers managed to steal everything from the site—names, search histories, home addresses, email addresses, credit card numbers—you name it. Hackers promised not to release the data if the site would only shut down. Ashley Madison refused. As a result, not only did the data leak, but programmers quickly developed easily searchable databases of member information. Want to know if your husband had an affair? Type in his email address and you’ll know everything in sordid detail. Oh, but it gets worse. You could, in fact, type in anyone’s email address to find out if he or she attempted to have an affair.
Thus far, there have been reports of churches outing members of their respective congregations, companies disciplining employees, the Defense Department launching investigations of dot-mil email addresses discovered, and yes, of course, suicides and divorces. (The latter of which, as ClearanceJobs News reported previously, can be problematic for your clearance.)
That’s not even the worst case scenario! To see what a real catastrophe might look like, marry the OPM breach with the Ashley Madison hack. The same type of data was stolen, after all. The only thing left is for the perpetrators to leak the stolen data file online, in which case America will have a perfect, searchable database for every recovering alcoholic with a clearance, every confirmed extramarital affair, every failure of judgement with respect to drugs, finances, or prostitution. We’re one leak away from that, and the total collapse of ordered society.
IS THERE NO HOPE?
But there is a bright side to all of this. It’s not much, but let’s face it: anything would be helpful at this point. Consider that U.S. Cyber Command has well over a dozen cyberwarfare/cybersecurity subordinate units of various function, not even counting joint task forces. Just about every agency in the intelligence community has some acknowledged cybersecurity function, as do innumerable states, cities, and counties. Unless the cyber community is keeping quiet some thwarted launch by foreign powers of American nuclear missiles, it’s safe to say that our cybersecurity capabilities are problematic at best. But what have been the stakes, really, aside from hypotheticals? (E.g., Collapsing power grids, overloading nuclear power plants, taking control of jets in the air and air traffic control on the ground.)
For the first time, the U.S. government has a concrete example of how cyberattacks can undermine governments and endanger American lives and happiness. If it is true that the army always fights the previous war, if nothing else, then, maybe our cyber-forces will now defend to the last our personnel records. (The same holds true for private industry. Before the hack, Ashley Madison was poised for a massive and likely successful stock market IPO. Now the company would seem to be worth pennies. Facebook knows that it’s one catastrophic hack away from bankruptcy, should a searchable database of privately sent messages ever sees the light of day. You can bet they’re doubling their efforts.
Meanwhile, if we are, in fact, in a cyberwar, there is no longer any denying who our enemy is on the cyber-field of battle: it’s China. For even the most hawkish among us, the prospect of another land war in Asia is unappealing. For most rational Americans, war with China is unthinkable—not only because of the catastrophic loss of human life virtually guaranteed, but because our economies are so closely intertwined. We need each other.
Land war is not going to happen. But cyber war? It’s here, and people are coming around to that fact. The consequences of such a realization cannot be underestimated. People want their private data kept private, and will demand that China be stopped. This won’t mean missiles, but it will mean, perhaps, the redirection of resources to combat electronic espionage by foreign entities, and more importantly, an engaged public to conduct oversight that Congress has thus far failed to provide. The public at last has an understandable example of what cybersecurity means, and will expect that resources go toward effective measures.
Lastly: If your name appears in the Ashley Madison database, there’s a good chance that your next polygraph will be interesting, to put it mildly. You are very likely going to have to have a long, painful talk with your spouse. If your marriage survives (and it may; it seems unlikely that you’ve ever had an affair through Ashley Madison, if its user numbers are accurate), you will be able to go into the polygraph with a clear (well, clearer) conscience knowing that the worst is already out there, no equivocations needed. If marriage or personal counseling results from all this, again, it is something you can be forthright about to your examiners without fear of what might result. Everybody will know what’s going on.
And you can be honest about all this knowing that the OPM is likely disaster-proof for the foreseeable future. The agency’s modus operandi for the next several years will likely orbit a star of cybersecurity. What you tell investigators will quite possibly be very safe from public exposure. Let’s face it: if Ashley Madison was part of your life, you were in some way compromised for blackmail whether you knew it or not. A point of leverage existed that might one day have been used against you. No longer. In many ways, because of this summer of security breaches, both your data and your clearance are now a lot more secure. That’s a bright side if ever there was one.