The Best Defense is a Good Offense: Addressing Cyber Warfare from a Counterintelligence Perspective


What do the US State Department email system, Anthem Health Insurance, and the US Office of Personnel Management have in common? All were infiltrated by hackers, probably in association with the Russian and Chinese governments. These hacks were unprecedented in scope and could be devastating in effect.1 The US government has viewed these attacks with growing concern and deepening frustration. The problem refuses to go away, and traditional cybersecurity solutions are failing; hackers are still breaching US cyber defenses with an increasing rate of success. The US needs to deal with these leaks not only as security failures but also as counterintelligence shortcomings. Ideally, the US should implement a comprehensive counterintelligence strategy to gain better knowledge of these hacker groups and counter them before they strike.

In June 2015 it was discovered that the United States Office of Personnel Management had been hacked. The personal information of millions of past and present federal employees was stolen. The Office of Personnel Management functions as a human resources department for the entire federal government, managing background checks, pensions, training, and more.2 The hackers likely have access to a thorough historical database of background checks—not only on all employees, but even on potential hires who did not ultimately make the cut. The effects of this hack are far-reaching and potentially catastrophic.1

This attack is not an isolated event: the OPM attack comes as the latest in a series of cyber attacks of unprecedented magnitude on US infrastructure. The well-publicized Anthem hack earlier this year yielded similar types of information to hackers—birth dates, social security numbers, and other personal data—for millions of members of its health insurance program.3 Security experts who have analyzed the signatures and traces left behind by the hackers believe that the same hackers were involved in both the Anthem and OPM attacks, and that those hackers have close ties to the Chinese government and army.3

The ways that the Chinese government could use the information gleaned from the OPM hack are immense. Together with the Anthem data (and perhaps other data as well), the Chinese government can build a thorough, cross-referenced database on US intelligence officers. This data could paint a picture of the entire US intelligence apparatus, both past and present. Leveraged this way, the data acquired from these attacks could represent one of the most significant counterintelligence operations in history.

As might be expected, such a catastrophic cyber attack drew a considerable response from the federal government. The White House issued a “fact sheet” detailing the government’s response strategy. Unsurprisingly, the report addresses the attack primarily as a cybersecurity issue. The White House report includes plans for encouraging private sector cybersecurity improvements, increasing cybersecurity information sharing, improving cyber incident response training, implementing DHS sponsored intrusion prevention systems, and more.4

While the White House report covered the cybersecurity issue thoroughly, it neglected to address the counterintelligence angle of the problem. These cyber attacks represent both a significant counterintelligence success for China and a devastating counterintelligence failure for the United States government. In the words of the Center for Strategic & International Studies (CSIS) writer James Lewis, the conversation surrounding the recent hacks has been “focused very much on symptoms rather than causes.”5 The government has focused on response training and security improvements—measures designed to fend off attacks as they occur—rather than finding ways to prevent these attacks from happening in the first place. Simply put, counterintelligence is the practice of conducting operations to identify and disrupt foreign intelligence activities. Recently, the US has failed to disrupt Russian and Chinese cyber intelligence operations, responding only with security measures. The OPM leak was not due to security failures alone. It was also due to a weak or nonexistent cyber counterintelligence strategy.

The federal government has begun to see the need for dealing with hackers as a counterintelligence problem. Counterintelligence operations may be either defensive or offensive in nature. One defensive counterintelligence measure that the government has recently adopted in response to the OPM hack is an educational campaign introduced by the National Counterintelligence and Security Center (NCSC).

The NCSC’s recently announced cyber counterintelligence campaign centers around educating the average computer user on the dangers of so-called “spear phishing” attacks.6 A little known fact of the hacker world is that most cyber attacks rely heavily on user ignorance and simple psychological trickery. Spear phishing is an example of this principle, relying on misdirection and the naïve computer user to freely and unwittingly hand access over to attackers. A spear phisher sends personal, targeted email messages to unwitting computer users. These email messages might simply ask users for information or they might warn users that their accounts have been compromised. The key is that the emails are disguised to look like they come from a trusted source. One way or another, spear phishers try to trick unassuming computer users into simply handing their credentials over.
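The indicators described above (a message dressed up as a trusted sender, a warning that an account is compromised, a request to hand over credentials) can be checked mechanically before a message reaches a user. The following is an added example, not code from the article or from the NCSC, showing a small heuristic scorer run over two constructed sample messages; the `TRUSTED_DOMAINS` allow-list, the keyword lists and the sample messages are assumptions chosen for illustration.

```python
"""Heuristic spear-phishing indicator check over constructed sample messages.
Added example; not code from the article or any agency. TRUSTED_DOMAINS, the
keyword regexes and the sample messages are assumptions chosen for illustration."""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of domains the organisation really sends mail from.
TRUSTED_DOMAINS = {"opm.gov"}

CRED_TERMS = re.compile(r"\b(password|credentials|verify your account|log ?in|sign ?in)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(immediately|within \d+ hours|suspended|compromised)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


@dataclass
class Message:
    from_header: str   # raw From: header, e.g. '"Name" <user@host>'
    reply_to: str      # raw Reply-To: header, or "" if absent
    subject: str
    body: str          # HTML body text


def sender_domain(header: str) -> str:
    """Domain part of an address header, lower-cased; '' if there is none."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (www.opm.gov -> opm.gov)."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(domain: str) -> bool:
    """Untrusted domain that embeds a trusted org label (opm-gov-secure.com, 0pm.gov)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    normalised = domain.replace("0", "o").replace("1", "l")
    return any(t.split(".")[0] in normalised for t in TRUSTED_DOMAINS)


def phishing_indicators(msg: Message) -> list[str]:
    """Return the names of the indicators that fire; an empty list means none fired."""
    hits = []
    display_name, _ = parseaddr(msg.from_header)
    from_dom = sender_domain(msg.from_header)

    # 1. Display name claims the trusted org, but the address is from elsewhere.
    if from_dom not in TRUSTED_DOMAINS and any(
            t.split(".")[0] in display_name.lower() for t in TRUSTED_DOMAINS):
        hits.append("display_name_mismatch")

    # 2. Sender domain is a near-miss of a trusted domain.
    if is_lookalike(from_dom):
        hits.append("lookalike_domain")

    # 3. Replies are routed to a different domain than the one that sent the mail.
    reply_dom = sender_domain(msg.reply_to)
    if reply_dom and reply_dom != from_dom:
        hits.append("reply_to_mismatch")

    # 4. A credential request combined with pressure to act now.
    text = f"{msg.subject}\n{msg.body}"
    if CRED_TERMS.search(text) and URGENCY_TERMS.search(text):
        hits.append("credential_lure")

    # 5. Link text shows one site while the href points to another.
    for href, shown in ANCHOR.findall(msg.body):
        shown_host = urlparse(shown.strip()).hostname
        href_host = urlparse(href).hostname
        if shown_host and href_host and registered_domain(shown_host) != registered_domain(href_host):
            hits.append("link_mismatch")
            break
    return hits


# Constructed sample messages (not real mail) used for the demonstration.
PHISH = Message(
    from_header='"OPM Help Desk" <helpdesk@opm-gov-secure.com>',
    reply_to="support@mail-verify.net",
    subject="Action required: verify your account",
    body='Your account has been compromised. Log in within 24 hours at '
         '<a href="http://opm-gov-secure.com/login">https://www.opm.gov/login</a> '
         'or access will be suspended.',
)
BENIGN = Message(
    from_header='"OPM Payroll" <payroll@opm.gov>',
    reply_to="",
    subject="July pay schedule",
    body='The July pay schedule is posted at '
         '<a href="https://www.opm.gov/pay">https://www.opm.gov/pay</a>.',
)

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("benign", BENIGN)):
        print(name, phishing_indicators(m))
```

Each indicator on its own is weak (a legitimate payroll notice can mention "log in"), which is why the lure check requires both a credential term and an urgency term, and why the result is a list of indicators for a mail gateway or analyst to weigh rather than a single verdict. The sample phishing message trips all five checks; the benign one trips none.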

The videos published by the NCSC are extremely relevant because the OPM hackers did in fact employ spear phishing attacks to acquire initial access to government systems. If the NCSC videos are effectively distributed, they have immense potential to undermine many hacking operations and deter future attacks of this type.7

What the US government has not implemented yet is an effective offensive counterintelligence strategy. An educational campaign is a good defense, but ideally the US intelligence services should also be infiltrating Chinese hacker organizations in order to predict these types of attacks before they actually take place, responding with appropriate preventative action (e.g., fixing system vulnerabilities, feeding the hackers false information). It is possible that the US already has classified counterintelligence programs in place seeking to infiltrate foreign hacker organizations, but if indeed such programs exist, they clearly are not succeeding.

The standard reaction to cyber intrusions is to respond with cybersecurity measures and that is the strategy the US has generally adopted. Improving security in computer systems is a desirable goal, but it is a complex and constantly moving target. No matter how sophisticated computer security systems become, hackers can always rely on user error to achieve their aims. Given the continued unreliability of cybersecurity, it may be time for the US to shift its focus to improving its cyber counterintelligence game. The NCSC educational campaign is a good start; a preventative, offensive strategy would be a welcome addition to the US cyber counterintelligence arsenal. ■

  1. Kim Zetter and Andy Greenberg, “Why The OPM Breach Is Such a Security and Privacy Debacle,” Wired, 11 June 2015, http://www.wired.com/2015/06/opm-breach-security-privacy-debacle/.
  2. Office of Personnel Management, https://www.opm.gov/about-us/.
  3. Ellen Nakashima, “Security firm finds link between China and Anthem hack,” The Washington Post, 27 February 2015, https://www.washingtonpost.com/news/the-switch/wp/2015/02/27/security-firm-finds-link-between-china-and-anthem-hack.
  4. Daniel Paltiel, “New White House Cyber Fact Sheet,” CSIS Strategic Technologies Program, 10 July 2015, http://www.csistech.org/blog/2015/7/10/white-house-cyber-fact-sheet-2015?rq=opm.
  5. James Lewis, “OPM Hack – causes not symptoms,” CSIS Strategic Technologies Program, 16 June 2015, http://www.csistech.org/blog/2015/6/16/opm-hack-?rq=opm.
  6. Sean Gallagher, “US counter-intel czar to hack victims: ‘raise shields’ against spearphishing,” Ars Technica, 9 September 2015, http://arstechnica.com/security/2015/09/us-counterintelligence-czar-tells-government-employees-raise-your-shields/.
  7. Jared Serbu, “ODNI responds to cyber hacks with new counterintelligence campaign,” Federal News Radio, 10 September 2015, http://federalnewsradio.com/cybersecurity/2015/09/odni-launches-new-counterintelligence-campaign-response-hacks-opm-agencies/.