The nation with the most powerful military in the world suffered a major strategic loss — and for several months not a single person even noticed. That’s because that attackers didn’t use traditional weapons or seek out conventional targets. They hacked their way in, exploiting lax security and management practices at the Office of Personnel Management. More than data, they shattered the foundation of secrets and information that our government has used to protect American interests at home and abroad.

The attackers got the “crown jewels” of the intelligence apparatus by targeting the people who comprise it. As a result, over 21 million federal employees are at risk of having their lives’ details used against them for decades to come. Foreign hackers are now in possession of security clearance documents that contain deeply personal secrets, and there is no way of reversing that. These individuals are caught in what Maj. Gen. Charles J. Dunlap has labeled the “hyper-personalization of war.”

While there is nothing new about espionage or hacking, the size and depth of these attacks make them extremely serious. The ubiquity of technology and poor security have caused both crime and surveillance to skyrocket in frequency and specificity; those same factors are now also allowing intelligence agencies to infiltrate each others’ systems and societies. Nations are seeing identity databases as important targets for both offense and defense. Everyday there is more data gathered and shared about who we are, what we like, and what we do — that makes the underlying identity information even more valuable as time goes on.

What institutions and governments used to do as regular practices won’t work with today’s threat climate. As we are reminded on a daily basis now, whatever is collected will eventually leak. Wherever there are weaknesses, somebody will be waiting to exploit them — increasingly, with state support. And no amount of free credit monitoring can make up for broken national identification systems that lock victims into a state of insecurity.

Over the last two decades there has been a major push globally to centralize and digitize government information in the name of efficiency and cost-savings. Government identity databases have become more functional and foundational. In the best cases this has led to a decrease in corruption, increase in trust, and improvement in quality of life. The problem is that few governments are willing to prioritize the security and legal changes, oversight, and framework needed to match the increase in vulnerability. South Korea, Israel, and Serbia are all publicly known to have experienced major attacks on their national identification systems, while dozens of other countries have dealt with significant issues and glitches. It’s not just hackers that are the problem — private companies are collecting this information too; the United States once purchased the voter rolls of Mexico and Colombia to cross-check for illegal immigrants.

Governments are not used to thinking about how protecting databases may be even more significant to national security than protecting physical borders. Before the attacks, compare the amount of political pressure on an issue like building a fence on the Mexican border to the urgency of improving data security at federal agencies. Technology has made it possible for nations to adopt “dragnet surveillance” where everybody is seen as a suspect, it’s only natural that they would also conduct “dragnet espionage,” where all members of a foreign nation are considered fair targets for spying. The safety of a nation depends on the cybersecurity of its individual citizens. That’s why it’s especially self-defeating when governments work to restrict and track the moves of their citizens online and demand backdoors in encryption that can be accessed by anybody.

Security agencies have been grappling with the double-edged sword that technology has given: spying has never been easier while at the same time it’s become harder to do their jobs. Our world is covered in cameras, sensors are being packed into objects, and social media makes it impossible to control what information is collected and shared. Increasingly ubiquitous facial recognition is making undercover work more difficult. Biometric entry systems are making it harder to cross borders in disguise (consider too the fact that hackers now own the unchangeable fingerprint data of over a million security clearance holders in the United States).

Governments have been quick to seize the opportunity that the technology-driven loss of individual privacy and security has brought for their military and intelligence operations. It’s not clear they’re quite ready to deal with the threat this poses to their population as well. With attacks like what the United States just experienced, governments may learn the hard way that protecting personal information at all levels is a matter of collective safety.

According to the U.S. Government Accountability Office, the amount of incidents reported to US-CERT by federal agencies has increased greatly over the last decade (Source: GAO.gov)
According to the U.S. Government Accountability Office, the number of information security incidents reported to the US Computer Emergency Readiness Team (US-CERT) by federal agencies has increased greatly over the last decade (Source: GAO.gov)

You can reach Tarun directly at [email protected] or follow him on Twitter. Also, check out his upcoming book, Identified.

[image courtesy of Shutterstock]

I am a researcher with the Hybrid Reality Institute, and Co-Founder and COO of AIC Chile. Identified, a book I've authored about the global rise of digital identification systems, will be out later this year. It analyzes the impact of the technologies that governments and companies use to see who we are. I track these systems over time to see how they are changing governments, institutions, social norms, and your daily life. Learn more, and sign-up for updates here. Follow me on Twitter — @twadhwa — or check out my website for more articles, talks, and updates.