

Chinese Hackers Pursue Key Data on U.S. Workers - aeonflux
http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html&assetType=nyt_now&_r=0

======
vonmoltke
_But in this case there was no announcement about the attack. “The
administration has never advocated that all intrusions be made public,” said
Caitlin Hayden, a spokeswoman for the Obama administration. “We have advocated
that businesses that have suffered an intrusion notify customers if the
intruder had access to consumers’ personal information. We have also advocated
that companies and agencies voluntarily share information about intrusions.”_

That's rich. I'm a Facility Security Officer and this article is the first I
have heard of this breach.

Also, as indicated by an article comment someone else posted here, e-QIP is
used for all clearance investigations handled by OPM, regardless of who the
candidate works for. They cover DOD, DOE, DHS, and other base-level security
clearances. The complete records are supposed to be destroyed once the
clearance is adjudicated, so it should only affect personnel who are in the
process of an initial or periodic investigation.

For reference, here is what the SF-86 is:
[http://www.opm.gov/forms/pdf_fill/sf86.pdf](http://www.opm.gov/forms/pdf_fill/sf86.pdf)

~~~
danielweber
_this article is the first I have heard of this breach._

FWIW, the article is 8 days old. Did you find out through this article before,
or did you just find out from this article being posted to HN today?

~~~
vonmoltke
A brief NPR report on the subject last week was the absolute first I heard,
but this article is the first detail. The NPR story didn't say what the
hackers had tried to get, just that they breached OPM and tried to get a list
of government employees in sensitive positions. This article I did not see
until it was posted here.

Edit: clarifications

------
mcguire
This is indeed a big deal. I believe e-QIP is used for HSPD-12 processing, so
you would be looking at information for almost everyone who was directly or
indirectly employed by the federal government. And their references,
relatives, and so forth. It's not just security clearances; I got to use it
last year applying for a public trust clearance.

Also, OPM is essentially the human resources department for the federal
government, overseeing a bunch of stuff including currently running
usajobs.gov.

~~~
acdha
Definitely not just sensitive jobs – I first encountered it as a contractor
working for NASA (where I set foot in a government building no more than twice
a year).

That's a _LOT_ more people, many of whom have probably gone on to work in
other interesting places.

------
dm2
Whose responsibility is it to prevent this?

USCYBERCOM?
[http://en.wikipedia.org/wiki/United_States_Cyber_Command](http://en.wikipedia.org/wiki/United_States_Cyber_Command)

The NSA should also play a role in defending the US from attacks via the
internet.

The hackers must have used a US based VPN, because it would be retarded to
allow connections directly from China to access any US DoD systems, right?

~~~
Someone1234
The department itself is responsible for preventing this.

Cyber Command shouldn't be operating on US soil (for constitutional reasons),
at least outside of "training exercises" and securing inter-DoD systems (of
which the federal government is not). The NSA can help other departmental and
non-departmental organisations secure their systems either through consulting
or potentially even pen testing (that's legal and part of their remit).

The FBI has also taken an on-again/off-again role in trying to secure inter-US
systems but they don't really have the budget or remit to be doing that fully.

> The hackers must have used a US based VPN, because it would be retarded to
> allow connections directly from China to access any US DoD systems, right?

As you yourself alluded to, blocking connections based on GeoIP is utterly
utterly pointless. The internet is designed such that you can route around
those types of blocks fairly trivially (e.g. proxies, VPNs, foreign servers,
private interconnect agreements, et al).

~~~
dragonwriter
> Cyber Command shouldn't be operating on US soil (or constitutional reasons)

Could you elaborate the specific constitutional bar to Cyber Command operating
on US soil?

~~~
Someone1234
This Yahoo! Answer (of all places!) does an amazing job of answering this:
[https://answers.yahoo.com/question/index?qid=20090401073222A...](https://answers.yahoo.com/question/index?qid=20090401073222AAzQsmX)

~~~
dm2
I'd argue that the intention for that is to protect against using military
equipment against civilians. (which is already being done in some cases,
MRAPs, automatic weapons, body armor, SAMs)

Using the military to protect from foreign attacks is exactly what it's
supposed to be used for. What's the harm of protecting US govt employees and
even civilians and businesses from internet attacks with agencies that are
technically part of a military branch? I'm not saying send troops after
anyone; if someone within the US hacks something, either pass it to the FBI or
just fix the security hole and move on.

From the page you linked to: "Active participation in civilian law
enforcement, such as making arrests, is deemed to be a violation of the Act,
while taking a passive supporting role is not. Passive support has often taken
the form of logistical support to civilian police agencies." So basically that
doesn't apply to internet and telecommunications protection. I'm not
suggesting that USCyberCom hacks US citizens or businesses, but they possess
the capabilities to help protect them, which in turn strengthens their own
security.

~~~
Someone1234
The way Cyber Command operates is quite offensive (e.g. attacking servers used
by "enemy" "combatants").

The NSA's job is to secure US systems; the Cyber Command's job is to go attack
foreign countries' systems.

There is definitely some overlap there (particularly with Cyber Command
working to improve DoD security).

I'd say that ultimately the NSA has a far bigger/better legal right to be
doing that kind of thing than the Cyber Command does (and also the law
wouldn't be super-clear-cut if the Cyber Command had to attack a US-hosted
server, network, or client).

Or to use a really bad analogy: You could have the US Army defend Washington
DC instead of the Capitol Police, however most would be more comfortable with
the Capitol Police and there are far fewer potential legal hurdles also.
Everything is fine if all the US Army did all day was stand outside of
buildings, but as soon as they literally have to shoot someone all hell is
going to break loose (or in our case as soon as Cyber Command had to act in an
offensive way against a US company, citizen, or similar).

~~~
dm2
From the wikipedia article on USCYBERCOM:

"In July 2011 Deputy Defense Secretary William Lynn announced in a conference
that “We have, within Cyber Command, a full spectrum of capabilities, but the
thrust of the strategy is defensive.” “The strategy rests on five pillars, he
said: treat cyber as a domain; employ more active defenses; support the
Department of Homeland Security in protecting critical infrastructure
networks; practice collective defense with allies and international partners;
and reduce the advantages attackers have on the Internet.”"

Their directors have emphasized that while it will have extensive attack
capabilities, it will also provide support to all departments to help
strengthen system security across the board.

Banks, hospitals, government departments not relating to the military,
utilities (power/water), are all critical to the nation and we must use every
asset we have to protect them.

I'd argue that any analogy involving armed soldiers or deadly equipment is
very different from defensive cyber warfare. Cyber Command should NEVER act
offensively against a US company or citizens; no government organization
should in my opinion unless a similar level of physical violence is threatened
or performed by those citizens.

If I was in charge I would allow all US citizens to attack US government
systems as long as they responsibly disclose the security vulnerabilities and
do not distribute any stolen information (and as long as they don't cause a
service interruption), without fear of prosecution.

------
sampsonjs
The most uncomfortable thing on an SF-86 would probably be your past
convictions, but it's unlikely you would get a TS in that case. After that,
maybe the names of family members. It also would have your current address and
foreign investments, but nothing extremely personal.

~~~
sampsonjs
Worst possibility is folks' emails are now targets, and there's enough info to
get past password reset questions.

~~~
walshemj
No, the worst possibility is an undercover officer gets blown and ends up
starring in the latest Al Qaeda "happy decapitation videos" series.

~~~
g8oz
But let's not overestimate the probability of the worst scenario. And let's not
take action based on that overweighted probability.

~~~
walshemj
Depends if you're a non-avowed CIA officer in a dodgy part of the world or not.

I am sure Vile Rat's and the other "State" officers' families, killed in
Benghazi, might have appreciated a bit more worst-case planning.

------
flyrain
How do you know these are Chinese Hackers?

~~~
Someone1234
The US just claims every "cyber attack" is the work of Chinese hackers. It is
very politically useful both for the continued demonization of what they see
as a large adversary but also because it makes the US government appear less
incompetent (as they often play up the "elite Chinese hacker" archetype).

~~~
watwut
That was my impression too.

