The theft of personal information regarding millions of government employees and their associates from an Office of Personnel Management database — which cybersecurity experts have attributed to China —represents an enormous intelligence threat that is still not fully understood. Since discovering the theft last spring, government officials have been preoccupied with assessing the risks to national security, but they must also address its potential to enable an adversary to steal valuable economic and commercial information.
OPM's database is a treasure trove of sensitive information on more than 21 million current and former government employees and contractors. China's intelligence services could use the data to identify people with financial difficulties, learn potentially embarrassing personal information (such as drug use or mental health issues) or tap into lists of contacts and organizational affiliations to develop seemingly innocuous communications designed to elicit information.
The Chinese government could be interested in using this information to recruit and obstruct U.S. officials engaged in traditional national security disciplines, such as intelligence, diplomacy and defense. But China is likely equally interested in economic espionage — it has routinely stolen corporate secrets and hacked into the servers of U.S. companies engaged in high-tech and potentially profitable businesses. As a result, we should expect that China will also use the OPM data to approach employees of U.S. government agencies who have access to American companies' sensitive economic and commercial data.
Government agencies responsible for promoting U.S. companies overseas would be a prime nontraditional target for Chinese economic espionage. For example, the Overseas Private Investment Corporation provides loans, loan guarantees and insurance to support U.S. investments in emerging markets, while the Export-Import Bank does the same for U.S. exporters. The Commerce Department helps U.S. businesses research foreign markets and identify foreign business partners. The Trade and Development Agency helps bolster the competitiveness of U.S. firms seeking contracts abroad, particularly in capital-intensive sectors like energy and infrastructure.
Officials at these agencies have insights into the financial health, business plans, market access and project finance requirements of U.S. companies seeking their services — many of which likely compete with Chinese firms. If China learned the terms for OPIC financing for Ghana's purchase of General Electric Co. gas turbines, for example, it could gain valuable business intelligence that could enable a Chinese state-owned enterprise to offer Ghana a better deal — thereby impacting both U.S. foreign policy and commercial competitiveness.
These government agencies' officials are intimately involved in high-value business deals of great interest to the Chinese government and to large Chinese companies. Yet the compromise of their information in the OPM database represents an enormous counterintelligence risk that has largely been overlooked because the officials do not work on “traditional” foreign affairs and defense issues.
Agencies such as OPIC and the Trade and Development Agency can take several immediate steps to mitigate the risk of commercial espionage stemming from the OPM hack. They must assess the extent of the threat by identifying how many employees may have been affected and determining what types of corporate information they possess. They should immediately implement a comprehensive security and counterintelligence training program. Most employees of economic agencies do not see themselves as espionage targets and may not be attuned to intelligence threats. Affected staff should be given specialized training in how to identify intelligence threats such as elicitation and be made aware that the overly inquisitive person at a conference or the sender of a seemingly well-informed email inquiry may be a foreign intelligence officer trying to pull information out of them.
Agencies should also explain the extent of the compromise to their corporate partners. These U.S. companies deserve to know whether, and to what extent, foreign competitors may be able to gain leverage over agency employees with access to their finance, pricing and market data. The firms may decide that the benefits of an OPIC loan outweigh the potential business risks, but they may also prefer to seek financing from sources whose employees are less likely to be targets of foreign espionage.
At this very moment, Chinese security services are presumably scanning the OPM data to identify American intelligence officers and assess whether some U.S. diplomat's high debt makes him vulnerable to recruitment. But Beijing is probably also sifting through the data to identify officials who know which U.S. companies are seeking to develop foreign countries' critical infrastructure and on what terms. The United States must work to mitigate this commercial espionage threat as well.
Larry Hanauer is a senior international policy analyst at the non-profit, non-partisan RAND Corporation. He is a former subcommittee staff director on the House of Representatives Permanent Select Committee on Intelligence.
This commentary originally appeared on U.S. News & World Report on January 29, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.