Frightening news that the scope of a federal government data breach thought to have originated in China is worse than Americans realized comes as Chinese President Xi Jinping joins President Barack Obama. The conversation could get tense, as the revelations underline the need for Obama to pressure the Asian power to crack down on cyberattacks against U.S. agencies and businesses.
The extensive theft of personal data maintained by the Office of Personnel Management affected an estimated 21.5 million federal employees or job applicants and could aid the communist nation in attempting to blackmail or bribe Americans into stealing government secrets. On Wednesday, OPM disclosed even more dire news: that hackers stole the fingerprints of an estimated 5.6 million people, far more than the 1 million previously thought and potentially giving Chinese intelligence the ability to spot U.S. agents traveling covertly around the world.
Fingerprints are forever, and can help identify an official or undercover agent no matter what alias or password he or she uses. With that risk in mind, the FBI, Defense Department and intelligence agencies are working to determine and limit ways that the trove of stolen biometric data could be misused, OPM spokesman Samuel Schumach said in a statement.
"Federal experts believe that, as of now, the ability to misuse fingerprint data is limited," Schumach said. "However, this probability could change over time as technology evolves."
China, like Russia, is believed to access online information stolen by criminal groups secondhand, giving it the ability to deny direct responsibility for attacks on foreign government agencies and businesses, says former CIA operative Robert Baer. If they're able to match the stolen fingerprints with government employment records or applications gleaned from the OPM breach, he says, the implications for both national and personal security are huge.
"Once they get into this kind of data, they can get into other data like cellphones and other aspects of people's lives," Baer says. "There is nothing government can do to mitigate the exposure. They may have to get a whole new set of people as covert operatives in China. That's an enormous expense."
In a speech to American business executives in Seattle this week, Xi appeared to deny that his government is responsible for online theft of secrets from businesses and agencies. And yet the communist nation's J-31 prototype looks like a close copy of the U.S. Navy's F-35 plane, security analysts have told U.S. News, indicating that China-based hackers have likely stolen the military's plans for the fighter jet. China also has not extradited five members of the People's Liberation Army whom the Justice Department charged last May with allegedly stealing trade secrets and communications from U.S. companies.
During his visit, the Chinese president almost certainly will face more pressure from Obama to address cybercrime following the additional revelations about the theft of federal data, says Shawn Henry, former executive assistant director in charge of the FBI's Criminal, Cyber, Response and Services Branch.
"We are seeing China conduct espionage on a massive scale, gaining unprecedented access to sensitive data, intellectual property and other assets that hold competitive advantages for U.S.-based firms and government agencies," says Henry, who is now president of the cybersecurity firm CrowdStrike. "The reality is that organizations need to prepare for being hacked [and need] to detect intrusions early and prevent the extraction of data."
Obama suggested on Sept. 16 during remarks to business executives in Washington that he is preparing to levy sanctions against China in retaliation for hacking incidents, noting that "industrial espionage" and "stealing trade secrets" are things "that will put significant strains on the bilateral relationship if not resolved."
Any sanctions levied would likely draw on an executive order issued in April that gives U.S. officials the ability to impose punitive measures "on individuals or entities" connected to online theft.
"We are encouraged to see the administration take a more aggressive stance in its dialogue with China," Henry says on behalf of CrowdStrike. "Sanctions penalizing businesses taking advantage of stolen trade secrets can be effective in reducing the scale of state-sponsored espionage."
Assistant Secretary of State Daniel Russel tells U.S. News that Chinese diplomats are committed to addressing problems with the U.S., as behind-the-scenes conversations between the nations have become increasingly blunt on topics like cybersecurity. The administration also may be on the verge of addressing some cybersecurity concerns with an agreement by both sides not to use online weapons to attack critical infrastructure during peacetime, The New York Times reports.
The White House, however, scaled back expectations about such an agreement being imminent during a conference call with reporters on Tuesday.
"That would be ... a long-term goal of working towards establishing those norms," said Dan Kritenbrink, senior director for Asian affairs at the National Security Council. "I think we're a long ways from getting there, but that certainly is the goal."
China may already be developing offensive hacking weapons, evidenced by the display earlier this year of its "Great Cannon," which redirected traffic flowing through China's networks to overload the servers of U.S.-based GitHub in a massive distributed denial-of-service attack.
And despite any efforts by Obama during the state visit, it's "unlikely that China will change its stripes on cybersecurity," predicts Kevin Kearns, president of the U.S. Business & Industry Council, who adds "many other egregious behaviors will likely meet with little or no progress between the two nations."
"The Chinese are hoovering up every bit of information they can," he says. "The existence of an agreement is not going to change that."
To better protect U.S. networks from online espionage, he says agencies must recognize that "government doesn't move fast enough to keep up with cybersecurity," and that businesses need to take the problem more seriously. Indeed, Defense Secretary Ash Carter has said the Pentagon needs more help from Silicon Valley to bolster its capabilities in the cyber realm.
"We have to ramp up our security; it has to be unilateral, we can't be lax about it," Kearns says.