Chinese hackers target US weak spot: people
Did the most recent breach of U.S. government personnel files compromise American security? Yes.
Could a foreign government make use of such information to spy on the US? Yes.
China-based hackers are suspected of having broken into the computer networks of the United States Office of Personnel Management, the human resources department for the federal government.
They allegedly stole personnel and security clearance information for four million federal workers.
The attack was not the first. Last summer, in the same office, hackers targeted the files of tens of thousands who had applied for top-secret security clearances.
The US Office of Personnel Management conducts 90% of all federal background investigations, including those required by the Department of Defence and 100 other federal agencies.
That information on federal employees is a goldmine on steroids for a foreign intelligence service because of what is in the file of someone who has a security clearance.
Anyone seeking a clearance starts by completing Standard Form 86, Questionnaire for National Security Positions, an extensive biographical and social contact questionnaire.
Investigators, armed with the questionnaire information and whatever data government records searches uncover, then conduct field interviews.
The investigator will visit an applicant's hometown, her second-to-last-boss, her neighbours, her parents and the local police to ask questions in person.
An applicant will sign the mother of all waivers, which gives the US government permission to do all of this as intrusively as the government cares to do.
The feds want to know everything about a potential employee who is to be given the US government's secrets.
This is old-fashioned, shoe-leather cop work, knocking on doors, eye-balling people who say they knew the applicant, turning the scepticism meter up to 11.
Things like an old college roommate who moved back home to Tehran, or that weird uncle who still holds a foreign passport, will be of interest.
Some history of gambling, drug or alcohol misuse? Infidelity? A tendency to not get along with bosses? Significant debt? Anything at all hidden among those skeletons in the closet?
The probe is looking for vulnerabilities, pure and simple. That's the scary "why this matters" part of the China-based hack into American government personnel files.
U.S. spy agencies, like every spy agency, know people can be manipulated and compromised by their vulnerabilities.
If someone applying for a federal position has too many of them, or even one of particular sensitivity, she or he may be too risky to expose to classified information.
That's because, unlike almost everything you see in the movies, the most important intelligence work is still conducted the same way it has been since the beginning of time.
Identify a person with access to the information needed, learn everything you can about her, then get close to her.
Was she on her college tennis team? Funny thing, the spy who's wooing her likes tennis, too.
Information like that is very likely in the files taken from the US Office of Personnel Management.
Specifically, a hostile intelligence agency is looking for a target's vulnerabilities. They then use that information to approach the targeted person with a pitch: give us what we want in return for something you want.
For example, if you learn a military intelligence officer has money problems and a daughter turning college age, the pitch could be money for secrets.
A recent divorce? Perhaps some female companionship is desired, or maybe nothing more than a sympathetic, new foreign friend to share a few friendly beers, and talk over problems.
That kind of information is likely in the files taken from the US Office of Personnel Management. The more tailored the approach a foreign agent can make, the more likely the chance of success.
Unlike in the movies, blackmail is a last resort. Those same vulnerabilities that dictate the pitch are, of course, ripe fodder for blackmail. ("Tell us the location of the code room, or we'll show these photos of your new female friend to the press.")
In real life, however, a blackmailed person will try whatever she or he can to get out of the trap. Guilt overwhelms and confession is good for the soul.
A friendly approach based on mutual interests and goals (Your handler is a nice guy, with a family you've met. You golf together. You need money, they "lend" you money. You gossip about work, they like the details.) has the potential to last for many productive years of cooperative espionage.
So much of what a foreign intelligence service needs to know to create those relationships, and identify those vulnerabilities, is in the hacked files, neatly typed and in alphabetical order. Never mind the huff and puff you'll be hearing about identity theft, phishing and credit reports.
US national security is why this latest hack is a big, big deal.


