This year marks the 10-year anniversary of an event many in the government’s security apparatus would like to forget: the hacking of the Office of Personnel Management’s security clearance files.

The theft sent shockwaves through federal workplaces for both its brazenness and its success. Some 22 million security clearance applications and background investigation files were purloined, including sensitive details about federal employees and contractors like substance abuse, sexual indiscretions, and medical history. Also taken was information about security clearance holders’ relatives and associates living overseas, which could be valuable leverage in the wrong hands.

The immediate assumption by many in national security was that a state actor – most likely China – was responsible. Besides the sophistication and resources needed to pull off such an attack, the best evidence may have been left behind by the hackers themselves: a backdoor tool installed in OPM’s network associated with Chinese-language hacking groups that have previously targeted dissidents in Hong Kong and Tibet, along with the use of superhero names historically linked to a Chinese hacking group.

Yet it would be years before the government explicitly linked Beijing to the attack. Only in 2018 did then-National Security Advisor John Bolton publicly accuse the Chinese government of responsibility – an allegation Chinese government officials denied. Two years later, in 2020, the U.S. Department of Justice charged four Chinese military hackers with a breach of consumer credit-reporting company Equifax, which they linked to the OPM hack as part of a larger operation to gather information on U.S. government security clearance holders.

A decade after the hack, however, questions remain. Most notably, what is the Chinese government doing with all that information and why haven’t they used it yet? As Arun Vishwanath, a cybersecurity expert at the State University of New York at Buffalo, told Wired magazine, “We haven’t seen a single indication of this data being used anywhere. Yeah, we know the data is gone, but where did it go? What’s the purpose of all of this? No one has the answer to any of that.”

That may be true, but we can probably make an educated guess.

History shows the Chinese government to be a patient adversary. They’ve been telegraphing designs on Taiwan for years now, but have yet to invade – likely because they are absorbing lessons from the Russian invasion of Ukraine and attempting to ensure operational readiness of their military. Meanwhile, they’ve spent decades stealing proprietary U.S. technology piecemeal in order to eventually leapfrog the United States in economic and military might. They’ve purchased (or attempted to purchase) large swaths of land near sensitive U.S. military sites that some observers speculate may be for the eventual purpose of housing eavesdropping equipment. And earlier this year, news broke that numerous Chinese-manufactured shipping cranes at ports throughout the United States contained cellular components – allowing for remote access and control – that had no legitimate purpose.

In other words, the Chinese government plays the long game.

So, what will they ultimately do with all the information? An educated guess is that they’ve been doing plenty with it already: mining and exploiting data to use as one of many means of sowing chaos in U.S. society when it suits China’s purposes. This requires some outside-the-box thinking, but imagine cyber-attacks on critical infrastructure like utilities and the banking sector – which we already know China is targeting – combined with damaging information released publicly about government officials charged with responding to and mitigating the damage from such attacks. The theory may be unconventional when compared with alternative motivations (like identifying spies), but it is also not without precedent. After all, terrorists have been using secondary bombs to target first responders for years. And it is, of course, entirely possible that the Chinese government had more than one motivation; the data is valuable for a variety of nefarious purposes.

Whatever the motivation, it is worth remembering that the information is still out there somewhere. And considering the resources, effort, and risk it took to acquire it, the idea that it isn’t being used for something seems unlikely. That should concern us all.

This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation.


Sean M. Bigley retired from the practice of law in 2023, after a decade representing clients in the security clearance process. He was previously an investigator for the Defense Counterintelligence and Security Agency (then-U.S. Office of Personnel Management) and served from 2020-2024 as a presidentially-appointed member of the National Security Education Board. For security clearance assistance, readers may wish to consider Attorney John Berry, who is available to advise and represent clients in all phases of the security clearance process, including pre-application counseling, denials, revocations, and appeals. Mr. Berry can be found at https://berrylegal.com.