By David Nordell
The recent hack of the US Administration’s Office of Personnel Management, which resulted in the theft of as many as 18 million personal data files -- including more than a million relating to high-level security vetting investigations -- has caused huge embarrassment in Washington DC, not only in the OPM’s own management but in other parts of the federal government, already notorious for its poor data security record. The embarrassment has been made considerably worse by a report just published by the Daily Beast that the personal data most probably included information from the Scattered Castles personal database system used by the most sensitive parts of the intelligence community, including the National Security Agency.
Both the general media and the specialised information technology and data security press have covered the likely damage to US national security caused by this hack, believed to have been carried out by China. But what has apparently not yet been taken into account is that this massive data theft has most probably increased significantly the risk of the stolen data being used to facilitate terror financing.
How so? Many terror outrages, such as the bomb attacks in London in July 2005, were financed by people using their own identities who expected to be killed imminently in the planned suicide attacks and were therefore not concerned about the risk of the financing operations being discovered by alert bank clerks or computerised transaction monitoring systems. But terror financing and money laundering have come a long way in the last ten years, and the use of false identities, or better still real identities stolen from others, has grown as Know Your Customer requirements in the financial industry have become more central in both opening new accounts and carrying out transactions.
The reality is that KYC is totally vulnerable to false and multiple identities, particularly in the USA, which doesn’t have any official national identity documents and so relies on a messy and completely insecure mixture of driving licences (some issued to the blind!) and Social Security numbers. The potential for some of the stolen data records to be used to construct false identities for terrorists, whether immigrants or home-grown, is therefore great. And of course, any false identification presented to banks or other financial service companies during KYC that appears to be of a federal employee, especially in any part of the intelligence community, is likely to be accepted more readily, even for unusual transactions, than that of any John or Jane Doe.
At the moment it’s impossible to know if the presumed Chinese hackers have shared their treasure trove of stolen personal data with terrorist gangs: on the one hand, the Chinese government itself is extremely concerned about the growth of Uyghur nationalist terrorism in the country’s largely Muslim west, to the extent of asking foreign experts for advice on preventing the flow of money to the Uyghurs; and some reports suggest that about one thousand Uyghur volunteers are serving in the ranks of the Islamic State. And on the other hand, China currently appears to be more attuned to cyber attacks carried out by the 100,000 cyber-warriors of the People’s Liberation Army against its actual or potential enemies than to kinetic attacks as carried out by ‘conventional’ terror groups.
But the Chinese are not the only skilled hackers in the world: Russian hackers are no less good, and Vladimir Putin’s regime is highly likely to use terrorist attacks, especially under false flags, in any future aggression against its neighbours and enemies. Similarly, the Islamic State is now reported to be recruiting cyber-warriors of its own in order to carry out attacks against a much broader circle of targets around the world. In either case, it would be extremely naive to assume that Russia, IS and perhaps others have not already been able to carry out the same data thefts against the OPM, without being discovered, and therefore that many thousands of false identities of US federal employees are not already in use for the purpose of financing terrorist activities.