
CIA pulled officers from Beijing after breach of federal personnel records - wooster
https://www.washingtonpost.com/world/national-security/cia-pulled-officers-from-beijing-after-breach-of-federal-personnel-records/2015/09/29/1f78943c-66d1-11e5-9ef3-fde182507eac_story.html
======
discardorama
When Chelsea Manning leaked the documents, noone was put in danger.

When Snowden leaked the documents, no one was endangered.

This breach, and lots of people are endangered.

But are you getting calls for criminal investigation? Are heads rolling (other
than the head of OPM, who was hated anyways)?

~~~
kasey_junk
Isn't that what this article is about? We are pretty certain that this was an
act of espionage by another nation state. Criminal investigations are not how
you respond in those cases (unless we found the agent on our soil, which AFAIK
we did not).

What is curious is that we aren't sure what the norms are for how to respond
to cyber espionage, unlike with in person espionage which had a whole set of
responses we could fall back on.

~~~
pasbesoin
Criminal negligence?

Certainly, negligence that should incur public disgrace.

Also arguably demonstrating one of the points made by the whistleblowers: You
can't trust the government to properly manage all the information they
collecting.

~~~
irq-1
This isn't negligence. Instead of trying to protect data and networks the US
government has made "cyber crime" a military issue. They've been doing it
deliberately and publicly, for over a decade. Domestically they followed the
same plan: companies get protection (financial, legal, image,) discouraging
them from taking security seriously, and individuals get the CFAA which has a
similar effect. They want data and network security to be a military problem,
not to encourage security.

We can't blame the OPM for the security issues. They were a victim of a bad
national strategy.

If you "see something, say something" unless its about cyber security.

~~~
pasbesoin
Purposeful negligence?

It should be prosecuted, in the court of public opinion if no one will bring
it to a judicial court.

------
appleflaxen

      "We, too, practice cyberespionage and . . . we’re not bad at it" 
      - James Clapper
    

Ironic, for the intelligence leader of a country that had their defensive
systems completely penetrated (with the federal personnel records), and their
offensive systems fully outed in the most humiliating way possible (by
Snowden)

It seems to me that yeah... you kind _are_ bad at it.

At the very least, a little less self-certainty might be in order.

~~~
pp19dd
For what it's worth, the CIA is the only federal agency that keeps their own
employee records. Everyone else goes through OPM. They (rightfully) assumed
that OPM couldn't keep secrets and that's where we find ourselves today. It's
probable that these records are printed, locked in a vault.

James Clapper, the DNI, heads 16 intelligence agencies under him, one of which
(CIA) didn't have their records stolen. Though the budget breakdowns are not
disclosed, arguably, they are the largest of the bunch and only ones that have
deployed field operatives.

~~~
marme
this is exactly the problem. The CIA did not get hacked it was OPM and no CIA
records were stolen. But by simple process of elimination china could look at
all the embassy staff in beijing and find out who is not in the OPM records,
since the CIA is the only one not keeping personel files with OPM anyone
working at the beijing embassy and not in the OPM records must be a CIA agent

------
chaostheory
As some previous articles have already mentioned, they probably already knew
who they were anyways. Only their offices have special locks. They don't
mingle with anyone else at the embassy but their own. They also don't have
same 3-4 year requirement of staying at the embassy so they leave early; and
when their replacements arrive, they take over the same offices.

~~~
caio1982
I believe you're talking about
[https://news.ycombinator.com/item?id=10291691](https://news.ycombinator.com/item?id=10291691)

------
cm2187
I like the idea that CIA officers are directly identifiable by their absence
from the database. It reminds me of submarines and sonars. I understand that
modern submarines are pretty good at diverting sonar waves so that they have a
small footprint. However when a fishing boat passes over a submarine while
scanning the ocean floor looking for fish, the submarine becomes immediately
visible as a dark shape of sonar waves not returning from the ocean floor.

~~~
Luc
That smells fishy, as it would be something exploited immediately by any anti-
submarine vessel.

~~~
EliRivers
Anti-submarine vessels have to do one thing really well to have any chances;
be quiet. Fishing vessels can happily plough the ocean wave pinging to their
heart's content. An anti-submarine vessel that did that quickly becomes a
target, or if the submarine is feeling generous, something to go around -
thanks for telling us where you are.

There's a time and a place for active sonar in finding and killing submarines,
but it's not from your anti-submarine ship, all day every day.

~~~
3pt14159
Then part of your navy is hacked fishing boat sonar kits and an uplink to the
anti-submarine vessel. :)

~~~
TeMPOraL
Which, if the word of it ever got out, would paint fishing boats as a valid
target in combat operations.

~~~
EliRivers
On an interesting related note, during the recent Russian occupation of parts
of Ukraine, a helpful app was created and released by "Russia" [1] that would
allow pro-Russian civilians in the region to act as reconnaissance for the
Russian and pro-Russian forces. Very simple; if you see some Ukrainian
military, push the matching picture on the app. Your location and chosen
picture are uploaded, and whoever is sitting at the other end sees all the
results.

Bingo; you've turned the civil population into military reconnaissance. Are
they now a valid target? They certainly don't seem to be just plain civilians
anymore, but they're not lawful combatants either.

As it turned out, I am led to believe that the app wasn't a great success, but
it's still a disturbing trend.

[1] I say "Russia" because I can't dig out more detail right now. Obviously
company X working with agency Y or some other such.

------
rrggrr
Another vindication of Ishamel Jones' position on the stupidity of relying
upon State Dept covers for CIA personnel. For a hilarious and unparalleled
informative look at the Agency:

[http://www.amazon.com/The-Human-Factor-Dysfunctional-
Intelli...](http://www.amazon.com/The-Human-Factor-Dysfunctional-
Intelligence/dp/159403382X)

------
blisterpeanuts
This OPM breach is an unmitigated disaster. What were they thinking, storing
sensitive biometric information like fingerprints in an easily hacked
database[1]?

One can envision a time in the very near future (if not already), when a
random foreigner is stopped on the streets of Beijing and asked to press his
finger to a reader attached to an Android phone. The device would then display
his picture, official position, address, salary, clearance level, etc. Or
else, just walk into the restaurant he just left and take the fingerprint off
a used glass.

If he's there in some intelligence gathering capacity, the Chinese could then
have him followed, or send him packing, or maybe even detain him for a day as
a form of harassment, knowing that the U.S. government is powerless to do
anything about it. They have us over a barrel.

[1][http://blogs.scientificamerican.com/observations/what-
could-...](http://blogs.scientificamerican.com/observations/what-could-
criminals-do-with-5-6-million-fingerprint-files/)

------
gadders
I don't know why these hacking incidents are not considered acts of war.

~~~
TeMPOraL
Be thankful for that. Cyberattacks are so hard to trace back that it's very
easy to set up a false-flag operation. Framing someone else for your attack
would become a simple way of starting a war between two of your opponents.

