Earlier this month, the FBI revealed that as many as 18 million current and former government employees and other U.S. citizens may have had their personal information stolen in a cyberattack on the Office of Personnel Management. The General Accounting Office is investigating potential cybersecurity breaches of Healthcare.gov, the health insurance exchange website. Sophisticated hackers, possibly from China, have stolen the identities of 80 million Americans from Anthem, a major healthcare insurance company. And malicious hackers have used stolen identity information to obtain fraudulent tax refunds using TurboTax for online transactions with the Internal Revenue Service and state tax refund websites.
These high-profile attacks have probably been carried out by a combination of nation states and criminals that could be associated with the intelligence services of nation states. They highlight why the United States needs a new identity management and protection strategy to better protect the personal information of U.S. citizens—including government employees—held in cyberspace by federal and state governments.
So far, the personally identifiable information (PII) stolen from OPM has not been offered for sale on the Internet's cybercrime black markets. Experts believe the OPM cyberattack is the work of Chinese intelligence and say the theft will be used to help carry out espionage and better inform targeting (and possible blackmail) campaigns aimed at U.S. intelligence personnel. In addition, because security clearance and job assignments were also stolen in the OPM hack, U.S. espionage efforts may suffer significant and long-term damage. The massive theft of personal data could potentially be used to commit a range of additional disruptive and damaging cyberattacks, including those that disrupt tax collection and refunds on a broad scale or that prevent access to the bank accounts of U.S. government officials, members of the U.S. military and military contractors.
Cyberattacks are also increasingly being used to support nontraditional forms of warfare. For instance, cyberattacks launched against Estonia in 2007 prevented officials from the Baltic State from accessing government websites and the public from accessing their accounts in Estonian banks. Cyberattacks have been used against Ukraine for years, allegedly to gather advance intelligence on troop movements and bolster Russian war efforts. These are harbingers of hybrid warfare, a military strategy that includes the use of cyberwarfare to support—or potentially lead—larger military objectives.
It's not much of a leap to then say that the trove of personnel data recently stolen from OPM could be used in future hybrid warfare initiatives against the U.S. If an adversary can identify members of the U.S. government and military, it can use this information to compromise their personal phones and computers, track their movements and eavesdrop on their private communications. In addition, if an adversary uses stolen OPM information to disrupt the financial lives of those in the military, to target important members of the military and to blackmail them, those service members could be distracted from their duties. In light of the OPM hack, any online transaction that relies on stolen Social Security numbers or other government-held information should be considered compromised, because nation-state adversaries may already hold that information. The same holds true for those more than 100,000 U.S. taxpayers whose personal information was stolen this spring from the IRS website.
The U.S. government needs to develop an identity-protection strategy for its citizens. The strategy should include two key elements—government-issued “identity keys” that are essentially a unique identifying number or code, and, perhaps more importantly, a method for protecting these identity tokens or keys in online transactions.
The strategy could exploit new technologies like those developed in Silicon Valley for mobile payment and online transactions by companies such as Apple and Google. Secure forms of public key infrastructure encryption or the use of temporary one-time tokens also could be used to protect these keys. These are just examples of several potential technical solutions that could be implemented. A government-wide strategy needs to be devised to develop and implement a secure U.S. electronic identity management architecture. If such steps are taken, the United States should be able to better protect its citizens from the growing threat of cybercrime—and the U.S. intelligence community, military and key government officials from having to cope with growing hybrid warfare threats.
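To make the second element of the proposed strategy concrete, the following is an added illustration (not code from the commentary's author or from RAND) of the "temporary one-time token" approach mentioned above. It uses a symmetric HMAC rather than public key infrastructure, which is an assumption made for brevity; the issuer, the `IdentityTokenIssuer` class, the 300-second validity window and the sample identity key "123-45-6789" are all constructed for the example. The design point it shows is that a transaction carries only an opaque handle and a single-use, time-limited token bound to one relying party, so the underlying identity key is never transmitted, a captured token cannot be replayed, and a token minted for one service is rejected by another.

```python
"""Added example: one-time, time-limited identity tokens for online transactions.

An issuer holds each person's identity key and a per-key secret (assumed design).
A transaction carries only an opaque handle plus a single-use token bound to the
relying party, so the identity key itself never crosses the wire.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed validity window for a token


class IdentityTokenIssuer:
    """Hypothetical government-side issuer and verifier of identity tokens."""

    def __init__(self):
        self._by_handle = {}       # opaque handle -> (identity_key, per-key secret)
        self._handle_of = {}       # identity_key -> opaque handle
        self._seen_nonces = set()  # (handle, nonce) already accepted; used to reject replays

    def enroll(self, identity_key: str) -> str:
        """Register an identity key and return the opaque handle that stands in for it."""
        handle = secrets.token_hex(8)
        self._by_handle[handle] = (identity_key, secrets.token_bytes(32))
        self._handle_of[identity_key] = handle
        return handle

    @staticmethod
    def _mac(secret: bytes, handle: str, relying_party: str, issued_at: int, nonce: str) -> str:
        # Binding the relying party into the MAC means a token for one service
        # fails verification if presented to another.
        msg = f"{handle}|{relying_party}|{issued_at}|{nonce}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def issue(self, identity_key: str, relying_party: str, now=None) -> str:
        """Mint a single-use token for one relying party; the token never contains the identity key."""
        handle = self._handle_of[identity_key]
        _, secret = self._by_handle[handle]
        issued_at = int(now if now is not None else time.time())
        nonce = secrets.token_hex(16)
        mac = self._mac(secret, handle, relying_party, issued_at, nonce)
        return f"{handle}.{issued_at}.{nonce}.{mac}"

    def verify(self, token: str, relying_party: str, now=None):
        """Return the identity key if the token is genuine, fresh, bound to this
        relying party and not yet used; otherwise return None."""
        try:
            handle, issued_at_s, nonce, mac = token.split(".")
            issued_at = int(issued_at_s)
        except ValueError:
            return None  # malformed token
        entry = self._by_handle.get(handle)
        if entry is None:
            return None  # unknown handle
        identity_key, secret = entry
        expected = self._mac(secret, handle, relying_party, issued_at, nonce)
        if not hmac.compare_digest(expected, mac):
            return None  # forged, tampered, or presented to the wrong relying party
        current = now if now is not None else time.time()
        if not 0 <= current - issued_at <= TOKEN_TTL_SECONDS:
            return None  # expired, or timestamped in the future
        if (handle, nonce) in self._seen_nonces:
            return None  # replay of a previously accepted token
        self._seen_nonces.add((handle, nonce))
        return identity_key


if __name__ == "__main__":
    # Constructed walk-through: enroll, issue for one service, verify once, reject the replay.
    issuer = IdentityTokenIssuer()
    issuer.enroll("123-45-6789")  # constructed sample identity key
    token = issuer.issue("123-45-6789", "tax-refund-service")
    print("token carries identity key:", "123-45-6789" in token)
    print("first use:", issuer.verify(token, "tax-refund-service"))
    print("replay:", issuer.verify(token, "tax-refund-service"))
    print("wrong service:", issuer.verify(token, "benefits-portal"))
```

The verifier rejects in a fixed order (format, handle, MAC, freshness, replay) and only records a nonce after every other check passes, so a token that fails on freshness or relying-party binding does not consume its nonce. In a deployment the nonce set would need expiry or a time-bucketed store so it does not grow without bound, and the per-key secrets would sit in a hardware security module rather than process memory.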
Daniel Gonzales is a senior scientist at the nonprofit, nonpartisan RAND Corporation.
Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.