There is a movement afoot, a sea-change in the nature of data breaches currently affecting many Americans. Not in frequency, or in identities stolen, or in money lost, but in kind and effect. Content pilfered in a typical data breach includes credit card numbers, social security numbers, and various other sorts of identity information. In both the OPM hack and the Ashley Madison breach, we’ve experienced a shift in purpose. Neither of those breaches are about credit card numbers. They signify a new foreign policy tool designed to inflict harm and represent the first wave in an ongoing cyber conflict we haven’t fully recognized.
In the last year, I’ve received five different data breach notification letters: my insurance company, three banks, and my government. And except for that last disclosure, I didn’t really care. Like most of us, I’m apathetic to it. It’s background noise. I get another year’s worth of credit monitoring and then I do what I always do. Pay a bit more attention to emails I receive to make sure they aren’t phishes. Check my credit report a bit more frequently. But that’s about it.
Then the OPM hack occurred and I felt a chill run up my spine. OPM ultimately acknowledged that the personnel and security clearance records of 22.1 million people, including friends, family members, and neighbors of government employees and contractors, were stolen. If you’ve ever held a security clearance or applied for one with the US federal government, you are required to complete a form called the Questionnaire for National Security Positions (SF-86). It initiates the background investigation process. A truly invasive practice, but one constructed to ensure that only the most reliable, responsible people are entrusted with state secrets. Of course, there are instances where untrustworthy people make it through, but for the most part, it works.
The SF-86 requests details about every part of your life. It requires information about your family members, including their names, addresses, and when and where they were born. It asks for your employment history, residential history, and educational history to include a listing of people who knew you at each job, home, and university. Foreign contacts, foreign travel, and any foreign activities you are a part of, including any financial interests you have overseas, must be disclosed. It inquires about your mental health history, including treatments you’ve received. It covers all run-ins with the law, any illegal drug use, your use of alcohol, your finances, and your use of information technology systems. It’s robust and sweeping. For those that choose to go through it, it’s a burdensome endeavor, but one worth the effort. So, when OPM announced the breach, security clearance holders were stunned and more than a little frightened. Not only was SF-86 information swiped, but friends, family, and others were put at risk.
Last week, we learned the identities and sexual preferences of over 30 million users of Ashley Madison, an online platform designed to facilitate infidelity. In terms of lasting harm, these two breaches are a significant threat to our national security. If I possess both sets of data, I can destroy your life and anyone close to you. And, because the data in both hacks is structured and organized, bad actors can begin to make correlations between the two. Not only can they uncover my drinking problem, but also my sexual predilection for feet. Or maybe my father, who simply happens to have his full name, address, and date of birth on my SF-86, cheated on my mom for the last two years through Ashley Madison. Perhaps more frightening, bad actors can use data from both hacks to make inferences about my future behavior based on my past, similar to how advertisers and marketers apply big data techniques to our online social and search data.
In a 2014 study, Experian, one of the big three credit reporting agencies, discovered that most consumers do nothing after a data breach. That’s about to change. As of this writing, there are reports of wives confronting husbands about their Ashley Madison membership, there are neighbors looking up neighbors, and there are governments and non-state actors exploring ways to exploit all of it. We’ve entered a new age of data breach. Money is not the object. It’s something more. It’s about pain, torment, and pressure. It’s about foreign policy, political influence, and relationships between nations and non-state actors. It’s about inflicting emotional harm on a population in an effort to influence future outcomes.
Data is not just ones and zeroes. It is information encoded with emotional value. As such, it can be used to drive results and influence behavior. In what ways will the data from these two hacks be used to sway foreign policy decision making? We’ve observed the use of social technologies like Twitter to recruit radicals. We’ve seen how message boards and blogs enable communication between extremists. How long until we experience a data breach meant to terrorize?
On second thought, maybe we already have.