The data breaches at the Office of Personnel Management (OPM) affected approximately seven percent of the U.S. population, and while the exact number of victims was quantified last week, the total theoretical impact of the breaches likely won't be known for years.
“It's not dropping a pebble in a pond, but more like a giant boulder,” said Paul Kurtz, CEO of TruSTAR Technology and former White House cybersecurity advisor, in an interview with SCMagazine.com “We will not fully understand the ripple effects for a long period of time, if ever.”
Former CIA Director Michael Hayden in an interview with FedScoop estimated that the counterintelligence threat could last 40 years, or until the youngest members of the federal workforce retire.
So with a clear idea of the looming and long-term threat, the government and observers are beginning to nail down exact uses for the stolen data, and one cybersecurity professional believes it could help build an arsenal of information on Americans.
“China is building the Facebook of human intelligence capabilities,” Adam Meyers, vice president of intelligence at CrowdStrike, told Bloomberg. “This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals.”
Although neither President Barack Obama nor any other federal official has confirmed China as the perpetrator behind the attacks, many sources claim it is the case.
White House Press Secretary Josh Earnest said during a press call: “I know that there are some who speculated on who may be responsible at this point. I'm not willing to do that. But I will note that there have been other incidents of inappropriate cyber activity that we have attributed to the Chinese.”
On the stolen background information applications, including SF-86 forms, applicants include personal information far beyond their Social Security Number (SSN); they provide details on psychological and emotional health counseling they've received, as well as interactions with police, the use of illegal drugs and alcohol, and financial problems.
The provided information covers the past seven years, although higher security clearances require 15 years' worth of information.
“That is a gold mine for a foreign power,” Kurtz said. “The opportunities are endless for the bad guys to use this data for more advanced digital espionage against those both directly and indirectly affected.”