For a Good Time Hack OPM

Guest article by Brian Scopa, USN.

“Once is happenstance. Twice is coincidence. Three times, it’s enemy action.”

-Ian Fleming

M looking for W? W looking for M? PRC looking for Intel?

The revelation that the Office of Personnel Management has been hacked, allegedly by the Chinese, has profound implications for the safeguarding of classified US information. Beyond the typical identity theft problems associated with any breach of Personally Identifiable Information (PII) from a government or private database, the fact that the data on 4.1 million military and government personnel contained information on their security clearances is extremely grave. This is not only an egregious breach of individual privacy; combined with two other hacks of private websites, it makes for a counterintelligence nightmare.

Allowing ourselves to go briefly down the conspiracy theory rabbit hole, two additional hacks of private websites are worth considering in conjunction with the OPM hack:

LinkedIn in 2012

“LinkedIn Security professionals suspected that the business-focused social network LinkedIn suffered a major breach of its password database. Recently, a file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far.”

The consensual aggregation of personal and employment information online has greatly simplified the task of finding targets for intelligence gathering. The technology that makes finding a project manager with an MBA and five years of experience fast and convenient also makes it easy to track down missile and radar engineers on LinkedIn. The publicly available information on LinkedIn is a trove of intelligence in itself regarding military, government, and contract employees who work in defense-related industries. Having the private email addresses and passwords of LinkedIn members has staggering spear-phishing implications à la Stuxnet.

Adult Friend Finder (AFF) in May 2015

“Andrew Auernheimer, a controversial computer hacker who looked through the files, used Twitter to publicly identify Adult FriendFinder customers, including a Washington police academy commander, an FAA employee, a California state tax worker and a naval intelligence officer who supposedly tried to cheat on his wife.” (emphasis mine)

Catching Flies

Developing intelligence sources costs time, money, and effort, regardless of the method employed, and intelligence agencies are constantly searching for ways to more efficiently target and recruit intelligence sources. The OPM and LinkedIn hacks simplify the targeting, but it’s the AFF hack that helps with recruitment.

One of the most useful tools intelligence agencies have for recruiting sources is blackmail, and a ‘Honey Trap’ is the practice of luring a potential intelligence source into a compromising position with a romantic partner that’s working for an intelligence agency, and either gaining their cooperation in the name of love, or blackmailing the source into compliance.

The Chinese are apparently particularly fond of this specific type of intelligence gathering operation:

“MI5 is worried about sex. In a 14-page document distributed last year to hundreds of British banks, businesses, and financial institutions, titled “The Threat from Chinese Espionage,” the famed British security service described a wide-ranging Chinese effort to blackmail Western businesspeople over sexual relationships.”

The AFF hack is probably the first Massive Multiplayer Online Honey Trap (MMOHT). Even better for foreign intelligence agencies (FIAs), it was self-baiting and required zero investment of resources.

How bad is it?

Perverting the Drake Equation for this exercise, we can conduct a thought experiment about the number of potential intelligence sources created by the confluence of the three hacks mentioned above, expressed mathematically as P = O * W * N * Y, where:

P = Total number of useful possible US government employee intelligence sources that could be exploited.

O = All government employees with security clearances whose personally identifiable information has been compromised, reported to be 4.1 million.

W = Fraction of O that are AFF members. This number has not been made public by the DoD, if it’s known, but the reported number of member profiles compromised was 3.5 million.

N = Fraction of W that desperately want their activities on AFF to remain undisclosed and could be effectively blackmailed. Not everyone will be embarrassed by their activities on AFF.

Y = Fraction of O that has been or is currently employed in a position that a FIA would find useful to turn into a source of intelligence.

Since I don’t have any insight into any of the variables with the exception of O, I won’t speculate on what P might be, but I have no doubt that it’s an actionable, non-zero number that FIAs must be rushing to exploit.

Lessons Re-identified, Still Unlearned

Any information that’s online can be accessed online, full stop. We should all assume that any device connected to the public internet is hackable, and act accordingly. While there are many good precautions and security features that individuals, companies, institutions, and governments can adopt to better protect online dealings and information, such as two-factor authentication, tokens, and salted password hashing, it has been demonstrated time and again that the advantage in the cyber security arms race is with the attacker. You cannot count on technical means alone to protect your information. If individuals with security clearances have used the internet to facilitate behavior that could lead to blackmail if a third party learned of it, they should assume the information will be made public.

Security through obscurity is always a loser, but anonymity is still worthwhile. The critical information that makes blackmail possible in this instance is being able to identify government employees that were also members of AFF. If AFF members had taken care to remain anonymous by making their member profiles non-attributional, using email addresses and phone numbers not otherwise linked to them, using non-identifiable pictures, and keeping locations ambiguous, they may yet have some measure of protection from identification.

What’s next?

This is only the beginning of this particular saga. In the coming months I have no doubt we’ll hear about the hacks of other popular dating, hook-up, and porn sites. The hacking itself has probably already happened; it’ll just take time for the discoveries to be made.

The news is grim, but there is opportunity here. While FIAs see openings, our own counterintelligence organizations have an unprecedented opportunity to identify potential targets before they can be contacted by FIAs and possibly prepare them to act as double-agents, turning the honey traps on the attackers. If nothing else, the act of sharing the blackmail information with the security services helps to inoculate the individuals against blackmail, since it’s typically (but not always) the fear of disclosure that makes the information useful, not the specific behavior that’s problematic.

In any case, it’s time for a DoD-wide effort to review the list of AFF members and check it against current and past employees with security clearances. Then, command security officers can start having the difficult, closed-door conversations necessary to learn the scope of the possible vulnerability. Doing so will limit the damage from this hack, and it’ll be a useful exercise in preparing for the next episode.

Which has already happened.

Sea Control 81 – Third Offset and Human Offset

ADM John Harvey, USN (ret), joins us to discuss the Third Offset and the “Human Offset.” Third Offset is Defense Undersecretary Robert Work’s strategy to embrace the US technological advantage, pushing the throttle to the max through a suite of development efforts. However, ADM Harvey worries that this technological emphasis will pull attention from other foundational areas – like talent management and development – as well as what he sees as a dedication of our resources into dominance less-achievable in our globalized civilian-led tech economy.

DOWNLOAD: Third Offset and Human Offset

CIMSEC’s June NY Meet-up

Join our New York chapter for its June informal meet-up/happy hour. Members Ankit Panda and Stephen Brooker will lead a discussion on the South China Sea. We hope you’ll drop by for drinks and discussions with friends old and new.

Time: Thursday, 18 June 5:45pm
Place: Bedford Falls (Backyard)
206 E 67th St NW
New York City, NY

All are welcome – RSVPs not required, but appreciated: newyork@cimsec.org

The Sea Power of the State in the 21st Century

Admiral Sergei S. Gorshkov’s legacy as a naval leader and strategic thinker has not been entirely forgotten. Reports of his death, however, were not greatly exaggerated. Largely ignored by the NATO navies that once studied him so intently as the head of the Soviet Navy for much of the Cold War, Gorshkov remains an inspirational symbol in the two countries that should come as no surprise: Russia and China.

Earlier this year, Admiral Viktor Chirkov, the current commander-in-chief of the Russian Navy, pointedly chose the 105th anniversary celebration of Gorshkov’s birthday in his childhood home of Kolomna to make some bold statements about the navy’s future in the 21st century. After laying flowers at Gorshkov’s monument, Chirkov formally announced that Russia will be back in the aircraft carrier business with plans to build a new-generation one comparable in size to a U.S. supercarrier. Given the current state of Russian shipyards and the tremendous costs involved, defense analysts greeted the announcement with skepticism. There was good reason to doubt this most recent news: Russia had already announced in 2005, and again in 2008, that it would begin to build carriers by 2010. According to Jane’s Defence Weekly, the new multipurpose, dual-design (two ski-jump ramps and electromagnetic catapults each) carrier is called Project 23000E or Shtorm (Storm).

17th-19th C. Sea Power of the State: Admiral Chirkov getting a tour of USNA Museum in 2013 from CIMSEC member Claude Berube. Was the Russian navy chief trying to get advance info on the #CarrierDebate? (Photo credit: USNA PAO)

Of course, Admiral Gorshkov once promoted the virulent anti-carrier stance of the Soviet Union. He mocked the platform as too expensive and too vulnerable and echoed Premier Nikita Khrushchev’s view that they were “floating coffins.” Yet, the Soviet Navy’s need to be untethered from the sole support of land-based naval aviation first resulted in helicopter carriers for anti-submarine warfare and amphibious operations in 1967, then eventually in large-deck carriers for fixed wing aircraft toward the end of the Cold War – the Kuznetsov (still in service, although with considerable time in the repair dock, in the Russian fleet) and the Gorshkov (sold to India).

Gorshkov would likely have applauded Chirkov’s ambitious 50 ship building plan for 2015 that included a mixture of surface and subsurface vessels. In particular, the resurgence of nuclear submarine production, especially the Borei-class ballistic missile sub, is a reminder of how Gorshkov once used submarines as the cornerstone of Soviet naval power and prestige for decades.

Chirkov also announced that 30 ships and submarines were currently deployed around the world, which indicated a modest but nonetheless significant return to the pattern of out-of-area patrols and presence missions for the Soviet Navy that Gorshkov introduced to much fanfare in the mid-1960s. This May’s joint Russian-Chinese naval exercises in the Mediterranean also support the view that the Russian Navy is “rebalancing” to the region while the Chinese Navy may intend to secure its energy supply lines at the western edge of the “New Silk Road.”

Above all, Gorshkov would probably have approved of Chirkov’s vision: the adoption of an “ocean strategy” that will seek to reestablish Russia’s global reach and promote its political and economic interests. Chirkov’s choice of language harkened back to the efforts of his Cold War-era predecessor to justify a blue-water navy. Notably, Chirkov did not directly challenge the supremacy of the U.S. Navy as Gorshkov did in the late 1960s. Rather, Admiral Chirkov’s mission, at least for the moment, is to put Russian naval forces back on the path to restoration, not on one toward great power rivalry.

Gorshkov was associated with the phrase “’better’ is the enemy of ‘good enough.’” In other words, Chirkov must get the Russian Navy back to Gorshkov-era “good enough.”

There is also nothing revolutionary in Chirkov’s pronouncements. The navy’s primary missions are still, as in the Cold War, strategic deterrence and defense. It will likely not be as rapid as the transformation after the Cuban Missile Crisis, either. The Russian Navy, according to defense analyst Dmitry Gorenburg, will slowly grow through a phased recapitalization scheme that will unfold over 20 years. The pace of naval construction is, of course, subject to change based on evolving political and economic imperatives.

To further underscore that Admiral Gorshkov has not passed entirely into irrelevance, a pair of Russian military writers (one a retired navy captain) paid homage to him in a recent article for Voyennaya Mysl [Military Thought], the elite journal of Russia’s Defense Ministry for nearly a century. In “The Sea Power of the State in the 21st Century,” the authors noted that Gorshkov’s seminal 1976 book, The Sea Power of the State, took an expansive view of sea power that included naval, merchant, fishing, and exploration capabilities. Gorshkov envisioned the World Ocean as one immense domain upon which to assert Russian national power. These authors, however, wished to scope the definition of “the country’s sea power” down to “the navy’s real combat power” in order to illustrate the special place that navies hold in geopolitics.

A central theme of their essay, based on historical examples, was that countries without sea power do not have “a decisive voice in world affairs.” Russia used a strong navy in the past, the authors argued, to maintain its place in the top tier of nations. The blow to Russian prestige was great at the end of the Cold War with the demise of the Soviet Navy:

… the loss of the core of its powerful oceangoing navy during the political and economic reforms in the late 1980s and early 1990s cost the country dearly. It caused other nations, Russia’s neighbors and rivals on the high seas, in the first place, to rethink their attitude to this country. It was deserted by many allies and friends, and its image of a great sea power has faded.

Thus, the article indirectly endorsed Admiral Chirkov’s current strategy of “looking to the ocean” and his plan for a navy that can once more defend Russia’s national interests and secure it against threats. The authors acknowledged, however, the huge lead by the U.S. Navy in air-sea battle concepts and that of American expertise in network-centric naval warfare. Indeed, “it is difficult, even hopeless at times, for Russia to take up this challenge for economic considerations.” Nonetheless, they concluded, it is a price that must be paid for the return to greatness on the world stage.

Writers in Chinese open source literature have also found reasons for optimism in the example set by Admiral Gorshkov during the Cold War. According to Lyle J. Goldstein at the Naval War College’s Chinese Maritime Studies Institute, some naval analysts in China “are extremely interested in Gorshkov, his legacy, and Soviet naval doctrinal development in general” [per his correspondence with this author]. They are impressed by the rapid transformation of Soviet naval power under Gorshkov as well as his ability to check U.S. power with his own oceangoing navy. Moreover, they also appreciated, based on Gorshkov’s lesson, that a “balanced fleet” can also emphasize undersea platforms while never reaching parity with U.S. carriers.

China’s recent strategy white paper elevated the PLA Navy’s status and explicitly tied naval power to China’s geopolitical ambitions and economic development with the navy’s dual missions of “open seas protection” and coastal defense. Indeed, sea power will play a central role for the Chinese state in the 21st century: 

The seas and oceans bear on the enduring peace, lasting stability and sustainable development of China. The traditional mentality that land outweighs sea must be abandoned, and great importance has to be attached to managing the seas and oceans and protecting maritime rights and interests.

On the other hand, Gorshkov’s legacy shows that sea power, once achieved, can be transitory due to geographic, economic, and political factors. His is also a cautionary tale, for Russians and Chinese alike, not to pursue sea power beyond what a nation can support. As Goldstein noted, “… the [Chinese] authors do indeed directly connect the all-out Soviet naval expansion of the later Cold War, and the commensurate enormous investment of Russian national resources, to the demise of the USSR.” Moreover, there is the potential risk involved in Russia’s attempt under Vladimir Putin to return to the past glories of the Soviet superpower era yet fall well short of his goals. This naturally includes naval ambitions for aircraft carriers that never make it beyond the concept stage. Even the modernization of smaller surface ships such as frigates (including the new Admiral Gorshkov-class) is now endangered by Russian actions in the Ukraine.

Both Russia’s and China’s navies may also face the same dilemma as that of the Soviet Navy by the mid-1960s if naval construction outpaces professional knowledge and practical experience. As Robert Farley noted, the Soviet Union “built blue water ships long before it built the experience needed to conduct long range, blue water operations.” A more provocative and aggressive stance toward the U.S. Navy, coupled with the deficiencies in Soviet training and this lack of a “blue water look,” resulted in repeated incidents at sea such as collisions that many feared might escalate during the Cold War.

Ultimately, sea power as an expression of great power status is beginning to look in the early 21st century much as it did in the 20th century. The investment in costly blue-water navies still speaks volumes about a country’s geopolitical ambitions and its strategic calculus – where it sees itself in the world and hopes to be in the future. The writings and accomplishments of Admiral Sergei Gorshkov are also a timeless reminder that in order to assess navies, one must still look at what they say, what they build, and what they do. In Gorshkov’s case, what he did remains much more memorable than anything he wrote.

Jessica Huckabey is a researcher with the Institute for Defense Analyses (IDA) and a retired naval reserve officer. She is writing her doctoral dissertation on American perceptions of the Soviet naval threat during the Cold War. The opinions are her own and not those of IDA or the Department of Defense.
