Late Thursday evening, for the second time in less than a year, U.S. government authorities admitted that hackers had breached database security at the federal Office of Personnel Management and gained access to the confidential records of more than 4 million current or retired federal employees.
The day before this admission, an FBI counterterrorism official told Congress that tech companies should “build technological solutions to prevent encryption above all else,” so that the FBI could “ensure appropriate, lawful collection [of data] remains available.”
The OPM was also hacked last July, when hackers managed to steal data on up to 5 million government employees and contractors who hold security clearances. It's not currently known how much overlap, if any, there is between the 5 million OPM records stolen last year and the 4+ million announced this week.
In both OPM hackings, security experts said that signs indicated the hackers enjoyed backing from the Chinese government. Also in both cases, the Chinese government denied involvement and pointed out that hacking is illegal under Chinese law.
The OPM hackers aren't the only ones suspected of having Chinese government backing. The July OPM hackers were also believed to be behind:
- last November's breach of the United States Postal Service database (800,000 USPS employees' records compromised, and possibly information about USPS customers as well);
- last February's breach of Anthem health insurance company (80 million current and former customers compromised, many of whom work for the federal government or various defense contractors);
- last March's breach of Premera Blue Cross (11 million records compromised); and
- last month's breach of CareFirst Blue Cross/Blue Shield (“only” 1.1 million that time, but they're mostly residents of D.C. or its suburbs which, like the Anthem breach, means a large percentage of them probably worked for the federal government in some capacity).
These various hackings suspected of Chinese government support are not to be confused with the various hackings suspected of having Russian government support, which include but are not limited to last summer's hacking of the State Department and subsequent hacking of the White House itself, including the president's own email correspondence and real-time schedule.
And government networks aren't the only ones worth breaching, if you're a hacker looking to harm U.S. national interests. Consider last November, when researchers at Kaspersky discovered a four-year-old campaign of corporate espionage they dubbed “Darkhotel.” The hackers attacked and intercepted the Wi-Fi networks at expensive luxury hotels of the sort where mega-company CEO-types stay while on business trips, and planted malware disguised as legitimate software updates in order to load keylogging software onto the executives' mobile devices.
And what types of high-ranking corporate executives did those hackers target? According to Kaspersky, the hackers' targets were primarily “nuclear-themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.”
Fortunately, there is a very simple and easy way to protect all of this private information – everything from confidential personnel or medical files and weapons-grade nuclear secrets to your own personal photos, documents and financial data.
It's called encryption – encoding your files so that nobody can break the code unless they have the encryption key – and as recently as October 2012 the FBI's own safety-tips websites urged Americans to protect the data on their mobile devices with encryption: “This can be used to protect the user’s personal data in the case of loss or theft,” according to the FBI's “New E-Scams and Warnings” page from Oct. 12, 2012.
But the following year, James Comey took over as FBI director and brought with him a completely different view of encryption: he thinks it will only benefit bad people, and ought to be illegal.
When Apple launched its iPhone 6 in September, it bragged about the phone's strong security features, including automatic data encryption. Comey responded by predicting that encrypted communications could lead to a “very dark place.” He also criticized “companies marketing something expressly to allow people to place themselves beyond the law” — as opposed to, say, “Marketing something expressly so people know their data is safe from hackers and thieves.”
The day before ...
And today, the Guardian reported that on Wednesday, June 3 (only one day before the Office of Personnel Management admitted discovering its second probably-Chinese hacking in a year), the FBI's assistant director of counterterrorism Michael Steinbach testified before the House Homeland Security Committee and said that tech firms should “prevent encryption above all else,” so the FBI can continue tracking ISIS supporters and other terrorists in the Middle East.
“There are 200-plus social media companies. Some of these companies build their business model around end-to-end encryption,” Steinbach said. “When a company, a communications company or a ISP or social media company elects to build in its software encryption, end-to-end encryption, and leaves no ability for even the company to access that, we don’t have the means by which to see the content. When we intercept it, we intercept encrypted communications. So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else. We are striving to ensure appropriate, lawful collection remains available.”
The Guardian went on to explain:
Steinbach insisted that he wasn’t asking for a “back door” to be built into encryption products, telling legislators that “we’re not looking at going through a back door or being nefarious.”
But security experts have long argued that the nature of encryption is such that there can be no middle ground between encryption which is unbreakable to all, including law enforcement, or encryption which contains some sort of flaw that can be used by anyone who knows of its existence, whether or not they are law enforcement.
A key under the mat
One of those experts is Apple CEO Tim Cook, who earlier this week gave a speech to the Electronic Privacy Information Center's 2015 “Champions of Freedom” event in Washington, D.C. Cook pointed out that if law enforcement can read data without its rightful owners' knowledge, hackers can too: “If you put a key under the mat for the cops, a burglar can find it too.”
Cook went even further when he said, “Let me be crystal clear: Weakening encryption or taking it away harms good people who are using it for the right reasons. And ultimately, I believe it has a chilling effect on our First Amendment rights and undermines our country's founding principles.” Furthermore, outlawing secure encryption “as some in Washington would like us to do, would only hurt law-abiding citizens who rely on us to protect their data. The bad guys will still encrypt; it's easy to do and readily available.”
Yet if more good guys would encrypt their sensitive data, the bad guys wouldn't be able to steal so much of it. The FBI refuses to understand this, and whoever's in charge of security for various confidential federal computer networks might be having difficulties as well.