The identification and indictment by the Trump Administration of four individuals in relation to the Equifax breach from 2017 is yet another example of the overt collection efforts by the Chinese government to steal Americans’ sensitive personal information. The U.S. government’s openness in sharing these examples should help bring the reality of cyber threats to the forefront in corporate board rooms and research universities. I would like to highlight that these particular attacks were conducted for a different goal – espionage.
As a former Special Agent, U.S. Army Counterintelligence, I understand there are profound and far-reaching implications of these carefully coordinated and expertly executed cyberattacks. It’s a known fact that nation-state bad actors aren’t just exploiting American companies for their own financial gain; the attackers are digging for information that they will almost certainly use to put lives at risk.
The DOJ announcement publicly cited what we in the industry have known for a long time – China has carried out successful, elaborate and potentially ongoing cyberattacks against American citizens for some time. This compromised information was never specifically seen on the Dark Web or sold by known cybercriminals. This indicates a nation-state, both in the sophistication and secrecy of the attack and in that the attackers’ motive is not financial gain.
The scale of this incident is a terrifying reminder that American companies and organizations cannot passively sit back and assume their liability is limited to their bottom line. A foreign government now has the personal information of nearly 150 million Americans. This includes known habits, medical records, complete financial history and facial recognition that would allow the Chinese government to monitor the location and activity of an American visiting that country, or any online activity via social media. This information can be extremely useful in influencing campaigns and elections – and the policy implications thereafter.
Private datasets continue to contain more invasive information on individuals. In most cases, this data is collected without explicit authorization. It's particularly troubling that companies like Clearview AI are collecting and selling similar types of data to dozens, if not hundreds, of American corporations, law enforcement agencies and foreign governments. A breach or disclosure to a hostile government of this kind of information doesn’t represent a minor inconvenience for victims, as might be the case with a credit card number. Access to these comprehensive datasets can result in a severe breach of consumer privacy, making it impossible for an individual to remain anonymous. If companies and organizations accept such potentially invasive data, they must also accept their position as being on the front lines in the battle for data security and keeping Americans' private lives private.
The combined compromised datasets of the Anthem, Marriott and Equifax breaches, along with others, greatly assist nation-states in identifying vulnerable individuals who are likely targets within American organizations. These could be employees with high debt, with a hidden past, and/or who can gain physical access to your internal network – people the agent handlers can recruit through pressure tactics, putting even more information and people at risk. This is the cyber equivalent of “spotting and assessing” for source-targeting and for identifying U.S. personnel operating overseas.
When cyber espionage becomes part of the conversation – as I know from my time as a counterintelligence agent and now working with corporate America – the issue becomes one of national security that can endanger America’s competitive advantage. American corporations, alongside U.S. intelligence agencies, are primarily responsible for protecting and defending our most critical national assets.
The Department of Justice absolutely did the right thing in taking a more aggressive posture against a nation-state for its attack on our national security and in unmasking the individuals and governments behind it. My hope is this is just the first of many steps the U.S. will take to protect American lives and corporate intellectual property from this active cyber warfare activity by adversarial nation-states.
The Equifax breach, and numerous others, were terrible events. Now that the stakes of this issue are becoming clearer to more Americans, we can use these as a cornerstone to reinforce a commitment to privacy and data security, and ensure American companies and universities take the right steps to protect their information at all costs. This is a “clarion call” for Board Members and Chief Executives to demand more to protect the information for which they are responsible. It is a matter of national security.