Recent travels have set me slightly behind on interacting with the amazing ‘REP readership, so my hope is to open back up with this humdinger of what amounts to an obviously staggering risk to U.S. national security and the primary shareholders/keepers of this realm. I’m stepping outside my lane here, but had to offer some commentary when I read about the second major breach of sensitive information by Chinese hackers.

As many have no doubt read by now, and as Jack Murphy wrote earlier this week, the breach of the Office of Personnel Management (OPM) servers announced last week is growing extensively larger, with more information regarding a second security breach being reported as well. This does not bode well for OPM, the clearance holders, or anyone associated with a member whose information was compromised. It remains to be seen what the second- and third-order effects of these breaches will bring.

According to recent reporting from the Associated Press, a second hack, also linked to China, resulted in (hackers) gaining “access to the sensitive background information submitted by intelligence and military personnel for security clearances…which dramatically compounds the potential damage” from the initial-reported cyberattack earlier last week.

For those not familiar with the security clearance investigation process, OPM conducts “approximately 90 percent of background investigations for the federal government,” and was also the entity cited last week as the victim of a cyberattack that allegedly went undetected for over a year.

AP News shares the following regarding the bulk of information accessed by the hackers, identifying that:

The forms authorities believed to have been accessed, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant is required.

How bad was it?

We’re not sure. But wait, there’s more. AP also identifies that, while the original acknowledgement of affected information from the original breach was around 4.2 million current and former employees whose information resided on the compromised OPM servers, “the newer estimate puts the number of compromised records between nine million and 14 million going back to the 1980s.”

Now, I’m not one to be an alarmist. But from a realist perspective, based solely on the publicly accessible information shared regarding these cyber breaches, it must be noted that the second- and third-order effects of these breaches will likely be far greater than anticipated.

Why should we care?

At the most basic level, the Chinese espionage apparatus/government now has sensitive personally identifiable information regarding at least four million, up to 14 million, federal employees. This information could easily be used for nefarious purposes, targeting the affected individuals and using any number of techniques to gain further access to additional servers or information, as AP news identified through the mention of advanced spear-phishing attacks, and as SOFREP also previously reported.

It is possible that individuals whose information was stolen will not care that their information was compromised, or will realize the scope of the issue is far outside their sphere of control. After all, the damage has already been done, and some may not feel threatened by or have the placement and access preferred by nefarious actors to obtain more information. On the other hand, what about those members placed in truly sensitive positions of employment in the U.S. national security enterprise (read: special operations forces, intelligence personnel, etc.) who must operate in a domain in which their sensitive and personal information is readily available to the adversary?

As Jack Murphy identified earlier this week, the loss of this data is cybertheft at best and endangering U.S. citizens at worst. Who becomes more susceptible to blackmail, coercion, or manipulation now that their personal information is available? Maybe the members themselves remain resilient; what of their foreign relatives living abroad and outside the safety net available as a federal employee?

What happens to it now?

While such personalized targeting is probably not likely at this time, there is currently no accurate assessment available on the extent of these breaches, nor will there be any shortage of time available to hone targeting options moving forward—especially with the drive of a nation-state behind it. Which brings up another issue: Perhaps the alleged Chinese hackers will keep the information in-house for their internal (to their apparatus) use, and engage in further cyber penetration, phishing, and targeting operations. However, there is no guarantee this information will not be shared, sold, or leaked to other interested third parties (read: Iran, Russia, other-country-we’re-not-on-best-terms-with) for the right price.

With these breaches fresh off the press, the OPM has yet to publicly address how the data “was protected, or specifics of the information that might have been compromised,” but did vaguely hint that “today’s adversaries are sophisticated enough that encryption alone does not guarantee protection.”  Well, that’s a start.

What do we do about it?

It remains to be seen how many records were accessed, the extent of the breaches, or what second- and third-order effects will result from this latest development. Unfortunately, only reactive measures are now available to contain any assessed damage from these incidents. While China is a noted offender of nefarious cyber activity, these incidents further highlight the critical necessity of overall cyberspace security, not only for the national security and federal enterprises, but the private and commercial sectors as well.

Featured image courtesy of