Cybersecurity

Users Weigh in on What Database the PLA Should Hack Next

By Paul Rosenzweig, Benjamin Wittes
Friday, July 31, 2015, 9:28 AM

The results are in. Lawfare's “Name that Database” contest is now closed.

All we can say is that Lawfare readers are a remarkably creative—and scary—bunch of folks. Some of these ideas are really quite spectacular.

We want to emphasize, at the outset, that we have collected these ideas from Lawfare readers on what databases the PLA should steal next as an exercise in crowdsourcing vulnerability. We do not know if these databases are really vulnerable, and we certainly don’t encourage anyone (American or Chinese) to test them. To the contrary, the list is offered first, to illustrate the volume and diversity of information in unclassified government databases that a foreign intelligence adversary would plausibly find enticing; second, as a way of encouraging the database managers to look at their own condition with a more critical eye; third, to encourage the intelligence community to think about the counterintelligence problem of unclassified material in databases around government; and fourth, for reader amusement.

We are not announcing a winner today. Instead, we’ve decided to crowdsource the judging as well: we are asking readers to review this list and vote in the form below on which entry you think the winner should be. Feel free to vote for more than one entry. Recall that the competitors were asked to nominate the "most interesting, vulnerable, hackable, unclassified database in the United States government." Of course, our criteria for “most interesting” are subjective in nature, so you will have to use your own judgment on this. We don’t promise to accept the majority result, but we surely will take it into account when announcing the winner. The deadline for voting is 5 PM EST on Wednesday, August 5.

Here is a summary of the entries we received. For obvious reasons, some of the entrants preferred to be cloaked in the veil of anonymity. Others are quite happy to have their names associated with their brilliance.

  • One entrant nominated the State Department's CCD. This is the database responsible for housing visa applications for foreigners seeking to travel to the United States. A good way to track your citizens.

Cybersecurity expert Nicholas Weaver submitted five entries:

  • PACER. You have all sorts of interesting information on criminal and espionage cases hidden behind "sealed" documents not accessible to the public: identities of informants, information about sources and methods, etc... Are we really confident those "sealed" documents only exist in hardcopy form? Wouldn't you want to read them for yourself?
  • Not retained as a database (gun owners do have a remarkably rational fear of databases), so you have to snarf it as a realtime feed of queries instead as things are checked: NICS, National Instant Criminal Background Check, the system used to say "yeah, this guy can get a gun." And then after running for a year, wikileaks that database that results...
  • The SEC EDGAR filing database, again set up a real-time feed of additions. STOCKINT For The Win!
  • Government database in private hands: Google's internal database of 'who are we supposed to be tapping today for the US government'. Oh wait, the Chinese already got access to that once...
  • State Department's travel system. If the diplomats matter, don't you want their travel calendars as they are generated?

An entry from Mike Brown:

  • "FinCEN and/or Fedwire would both provide a nation-state/APT with advanced insight into financial flows ranging from personal behavior to firm level and macroeconomic espionage. FinCEN, of course, receives reports of all large and suspicious transactions. Fedwire might provide not only the interesting transactions data itself, but the code and structure of the system could provide a nation-state with a model to build an alternative international payments system—I'm sure we know of a few countries with that goal. In addition, both quietly manipulative and denial of service attacks on Fedwire would wreck the US financial system."

From Jonathan Lichtman:

  • The Past Performance Information Retrieval System (PPIRS), which is essentially a government-wide database of contractor past performance evaluations. These evaluations contain the type of work, the government end-user, the performing industrial contractor and the performance evaluation of the contracted work.
  • The U.S. Patent and Trademark Office database of patent applications electronically submitted through the EFS-Web application. This database includes all applications and supporting materials for U.S. Patent applications.

One entrant, who is in the military and does national security law, offered these two ideas:

  • Defense Enrollment Eligibility Reporting System (DEERS) - A worldwide, computerized database of uniformed service members, their family members, and others (including retirees) who are eligible for military benefits. This one is the key to the military kingdom. It is the one database that any Special Operator or military person working under cover, whether for DoD or another agency, is absolutely listed under true name and details because otherwise their family will not receive healthcare, ID card, commissary/exchange privileges, etc.
  • The Composite Health Care System II (CHCS II) is the Military's electronic Computer-based Patient Record, a clinical information system that will generate, maintain, and provide secure online access to a comprehensive and legible health record. In moving to CHCS II, the Department of Defense (DoD) is making the quantum leap from paper-based medical records to a computer-based patient record (CPR).

Another correspondent, Nick Kassotis, also focused on a military system:

  • "Defense Travel System (DTS) is an unclassified, web-based system used to book official travel for all DOD members (I'm sure other agencies have similar systems). You can see every bit of official travel someone has ever been on, as well as (more importantly) where they're planning on going in the future. If you have a giant database of OPM background investigations, and you're trying to figure out how to approach individuals you're targeting, why not do it when they're away from home, by themselves? You get flight info, hotels, rental car companies, room preference, etc. Huge amount of information."

Here are five entries from a government lawyer with a regulatory practice:

  • The DHS CFATS Top-Screen database, and/or the Chemical Security Assessment Tool database -- (It is not clear to me whether they are separate systems.) Neither appears to be classified, and all the Security Vulnerability Assessments and Site Security Plans for high-risk chemical facilities in the United States would certainly be high-value military espionage targets. The broader Top-Screen submission data would also seem likely to provide major economic espionage value. "Tesla has started reporting significant levels of Chemical X at their battery manufacturing facility. We better have our scientists and electronics companies start experimenting with it in battery applications."
  • Centers for Disease Control research data -- Even if certain data is kept classified--as I would certainly hope--surely there is tons of research on pathogens and treatments that could provide both military and economic value.
  • Federal Reserve projections and plans -- I feel almost silly mentioning this one, as surely the Chinese would never stoop to collecting and disseminating information that would give both governmental and private investors a huge advantage over their foreign competitors...
  • U.S. federal court email and network storage drive systems -- I do not know how integrated the IT systems are for the various federal courts around the country, though they seem to share at least a webmail system. Having access to SCOTUS results before they are issued would obviously be a huge commercial opportunity, and if the systems are integrated and you get access to all of the federal courts you would have reams of market-moving information. Network drives would also contain confidential business information involved in disputes--this would also be true of other federal agencies that conduct administrative procedures--which the companies will have conveniently labelled and separated from less valuable data.
  • National Archives data from the previous administration -- While presidential records are withheld from release until they are processed, I am not sure whether the National Archives employs a classified system to hold everything. It seems doubtful. While the records of the previous administration are obviously less valuable than the current one, they would still be very valuable given continuity of strategy and intelligence, service of appointees in future administrations, etc. (I'm sure the Chinese would have loved to have access to Bob Gates's Bush Administration records in 2009, for instance.) If the Chinese are truly interested in understanding how the U.S. government works, as I have read, then this would be a great source.

Another entrant, Michael Tanji, offered two fascinating suggestions:

  • The DMV databases of VA, MD, DC. The bulk of people who support the DOD/IC live in this major metro area, and just about all of them drive to work. A nice data set to cross reference against OPM files if you're trying to build a dossier on someone (or several thousand someones). State computer security posture and talent? Not trying to be insulting, but we are talking about the DMV...
  • The student databases of public schools in the DC metro area. Defense wonks and spies have kids. Most of those kids go to public school. Those school records contain data on both the good (grades, hopefully) and the bad (disciplinary issues, medical issues). Junior high and high school students probably have phones; they most certainly have social media accounts. Nothing is going to trigger a reaction like trying to exploit someone's kids. Computer security posture and talent in a public school system? Are you kidding me?

Another entrant, Faris Alikhan, offered these interesting possibilities:

  • White House and Pentagon's Visitor's Passes: As an intern/young professional, many of my classmates and I would manage to snag invitations for Pentagon tours or White House events like a State visit. The social security numbers of many aspiring professionals in Washington D.C. are entered into Excel spreadsheets and entrusted to the White House Office of Public Outreach. A tempting target if you're going after young professionals in foreign policy. Or really, if you're just an identity thief going after people's SSNs.
  • Bureau of Consular Affairs Student Visa Database: A foreign intelligence service could hack into the BCA's database, which handles student visa applications for foreign nationals wishing to study in the U.S. Finding out which of your citizens is interested in pursuing education in the U.S.--especially if you're an authoritarian state that wants to keep tabs on your young citizens and their impressionable minds. Or, even worse, if you'd like to try and recruit them.
  • State Tax Offices: While the IRS is an obvious target, so are State Tax Departments, both for criminals and for foreign intelligence services. Unit 61398 might not be interested in the tax department of Alaska or Arkansas, but large economic powerhouse states like California or Texas would be tempting targets. Or Maryland and Virginia, where the bulk of U.S. federal employees live and work.
  • TSA PreCheck: Given the rather poor reputation TSA has when it comes to finding knives and test bombs in luggage (as opposed to toothpaste and water bottles), their control over the biometric information in TSA PreCheck should be worrying. Especially considering they planned to outsource management of PreCheck to the private sector. Everything from fingerprints to credit card data would be vulnerable.

Here is an entry from a local lawyer in a major law firm (similar to an entry made by Nick Weaver):

I have a suggestion for an unclassified database (actually, a series of related databases) that I have not seen suggested. The National Instant Criminal Background Check System (NICS) and related firearms purchase/carry databases contain firearms purchase history, criminal and mental health history and background investigations for concealed carry permit applicants. Some of the state-sponsored concealed carry permit databases would be especially interesting. In those states that require you to articulate a threat before they will issue a concealed carry permit, the applications would have citizens describing what they are afraid of (e.g. histories of domestic violence or jobs that require them to carry large amounts of cash).

But the political consequences of revealing the theft would be more interesting than the actual stolen data. These databases relate to the signature issue for one of the most politically active demographics in the country, a group that tends to distrust government and resent sharing the information in the first place. I suspect that there is also a healthy dose of Sinophobia among gun owners as well. As we saw after Sandy Hook, whatever position one takes on gun policy, it’s a hornet's nest that can reliably derail American politics. Consider the following hypothetical: the Chinese escalate tensions in the South China Sea, and get unified pushback from the United States and its allies. A timely “discovery” that the Chinese had hacked into NICS and concealed carry permitting systems in multiple states would be a monumental distraction for the administration and Congress, potentially making the United States appear to be a less reliable partner to its allies. It would also probably have the side effect of stirring up the Jade Helm conspiracy theorists and trigger a spike in people watching Red Dawn on Netflix. While there might be some blowback against the Chinese, it’s hard to imagine that it would be long lasting. And in any event, the United States’ response would be measured since the attack would not be more substantively serious than day-to-day espionage. Gun politics would make this especially tricky for a Democratic administration to manage.

Matthew Quallen, a Brookings intern this summer, writes in with two wonderful suggestions:

  • CODIS -- the Combined DNA Index System: maintained by the FBI, it contains slightly north of 10 million DNA profiles, making it the largest DNA database in the world. But that sounds like a tough steal; so, alternatively, California now maintains DNA records for every individual it arrests, as a result of Prop 69--the world's third largest.
  • Federal Data Services Hub -- Once called the "largest consolidation of personal data in the history of the republic," it seems like a fair choice. The Hub consolidates information from across multiple agencies, including SSA, Treasury/IRS, DHS, VA, OPM, DoD/Tricare, and the Peace Corps for HHS and stores records for ten years at a time. See this delightful filing explaining that the hub includes personally identifiable data on medical history, income and employment (including tax returns), social security, incarceration history, Indian status, SSN, etc.

Another reader suggested:

  • The databases maintained by HOAs or utility districts. While these are among the lowest levels of government (hierarchically; not in terms of value), their databases contain tons of PII, and I can't imagine many (read: any) of them comply with cybersecurity best practices. Add in the fact that many of these entities accept payments for HOA fees or water bills by either credit card or ACH draft, and there is even more information that can be exploited. Obviously there is not one giant database like OPM where millions of people's information is stored, but I think that adds to the "value" of these databases in terms of hack-worthiness. Not only will infiltrations likely go undetected, but monitoring or regulating the security of all of these disjointed databases would be impossible.

Our own colleague Herb Lin offered the following:

  • I nominate the medical record databases of the uniformed military. And the hack would not be for exfiltrating information, but for installing back doors so that they can manipulate the information contained in these records, possibly with some of the following effects:
    • Destroying confidence in DOD-provided medical care.
    • Inserting false information that will cause many spurious investigations (e.g. inserting a mention of a problem with drugs or alcohol).
    • Altering records in ways that can harm people (e.g., changing allergy-to-medication records).

And imagine the scandal that Congress will be investigating when even a small number of uniformed military personnel (our heroes, and their spouses and children, who also get medical care from DOD) start complaining.

One reader, Mike, offered the following four databases:

  • Bureau of Economic Analysis Survey -- Many US corporations with foreign affiliates must report fairly detailed information (including financials and operations, costs and expenses, employee headcount and employee compensation, infrastructure, and imports/exports). Providing this data is compulsory, but it cannot be used in any tax or legal proceedings. There are laws punishing people who disclose the data without appropriate anonymization (so people think it's useful/damaging), but it is not classified.
  • CIO Council -- I tried to stay away from organizations that were "too close" to cybersecurity that is directly relevant to defense, homeland security, or nuclear, because they might arouse more defenses. The CIO Council is intended to provide best practices for government-wide IT and cybersecurity needs, which leads me to think that they'll be more vulnerable themselves (...and provide more vulnerabilities for a wide variety of agencies).
  • Office of Compliance Counseling or Federal Mediation and Conciliation Service records -- These organizations handle federal employee grievances/disputes before they proceed to an administrative hearing or a district court, so the information is not yet public (and the employee is likely retained). Want to correlate that list of SF-86s with a list of disgruntled or incompetent employees?
  • Treasury, specifically Bureau of Engraving and Printing -- I don't believe currency details are classified (a quick perusal of USAJobs.gov shows a lot of public trust positions, but no secret clearance requirements). I don't think China necessarily wants to fire up a US currency printing operation, but it sure would be nice to know the full set of hidden features in our currency. They may be able to detect clever tracking operations we're running against their agencies. They may want to print some bills that pass our detection mechanisms but can be tracked by them in order to run their own. It almost seems low-tech, but following very specific pieces of currency could be monumentally helpful in low-level operations.

And one final entry from an anonymous submitter:

  • The Defense Department Outlook Global Address Book -- This database contains the email address of anyone with a CAC and a military email address. That includes even short-term workers in non-sensitive positions/organizations. Talk about a "phisher's" delight.