Cybersecurity

Other Unclassified Databases the Chinese Are Probably Stealing

By Benjamin Wittes
Monday, July 27, 2015, 2:42 PM

Let's play a game called, "If I were the PLA, I'd Spy With My Little Eye."

Ever since the OPM hack, I've been thinking about other unclassified government databases a foreign intelligence service that wants OPM data, trade secrets, and Anthem health records would likely find attractive. Here are a few I would be going after if I were the PLA and that I suspect (just a guess) are not being defended in a fashion commensurate with the threat:

  • FDA Investigative New Drug Applications. A trade secret gold mine, so-called INDs, as the FDA summarizes, contain: "Information pertaining to the composition, manufacturer, stability, and controls used for manufacturing the drug substance and the drug product." Fortunately, the FDA is a highly competent counterintelligence agency with first-rate cybersecurity expertise and is fully competent to protect the many INDs it holds.
  • Veteran Health Administration patient records. The VHA is "home to the United States’ largest integrated health care system consisting of 150 medical centers, nearly 1,400 community-based outpatient clinics, community living centers, Vet Centers and Domiciliaries. Together these health care facilities and the more than 53,000 independent licensed health care practitioners who work within them provide comprehensive care to more than 8.3 million veterans each year." Fortunately, like the FDA, the VHA is a highly competent counterintelligence agency with first-rate cybersecurity expertise and is fully competent to protect the sensitive medical records of the 8.3 million veterans it serves each year.
  • Visa applications. If I were a foreign intelligence service, I might be pretty interested in who's coming to America. According to the State Department, it issued between 6 and 10 million visas each year between 2010 and 2014. Why not steal them all? The applications contain all sorts of interesting information, after all. (They even usefully ask whether the applicant has ever "participated in, ordered, or engaged in genocide, torture or extrajudicial killings" or "engaged in the recruitment or the use of child soldiers." Wouldn't you love a list of people who checked "yes" in response to those questions?) Fortunately, the State Department is a highly competent counterintelligence agency with first-rate cybersecurity expertise, whose employees are scrupulous about cybersecurity and never do business on their own email servers. I am sure it is fully competent to protect these records.
  • Export control applications. These are interesting whether or not the Commerce Department approves or disapproves them. The disapprovals, of course, involve technologies too sensitive to allow to go to particular countries. Those companies and technologies are great targets for future hacks. The approvals, of course, show which countries are getting what. Commerce reviews exports of "dual use" technologies; it "conducts a complete analysis of the license application along with all documentation submitted in support of the application. [It] reviews the item, its destination, its end-use, and consider[s] the reliability of each party to the transaction." Fortunately, Commerce is a highly competent counterintelligence agency with first-rate cybersecurity expertise. It is, no doubt, fully competent to protect these applications.
  • Securities and Exchange Commission investigative files. The SEC informs us that, "Each year the SEC brings hundreds of civil enforcement actions against individuals and companies for violation of the securities laws. Typical infractions include insider trading, accounting fraud, and providing false or misleading information about securities and the companies that issue them." No reason to think the SEC—a highly competent counterintelligence agency with first-rate cybersecurity expertise—might have trouble protecting the data it collects in these investigations, is there?
  • IRS tax returns—because heck, why not? They go so well with SF-86s, after all.

Since nobody in the intelligence community is responsible for defending unclassified civilian government databases of interest to our foreign adversaries, I suggest we just negotiate the surrender of this material to the PLA on friendly terms and in the open.