Perhaps you missed the tantalizing detail I reported earlier that Congressional investigators believe the initial Equifax hackers entered that company’s systems with computers using IP addresses in China. Or The New York Times reporting that U.S. authorities now blame China for the hack on Starwood / Marriott. You probably forgot that the devastating hack of the Office of Personel Management systems has also been blamed on China. And you probably forgot that the hack of Anthem, the health care firm, was also blamed on China.
Combine all that information, and one thing seems disturbingly likely: There’s a big dossier database in the sky, controlled by some foreign entity, and your most personal information is in it.
Maybe you are worried about your credit report. But this surveillance database contains far, far more precious and revealing information. Where you traveled. How long you stayed. Your driver’s license. Your passport. If you are a government worker, who your closest friends are, and even your fingerprint.
All in the hands of a foreign, potentially hostile, nation-state.
Attribution is a very tricky game — freelance actors? the Chinese government? Another nation state hiring mercenaries in China? — and anyone who asserts with surety they know who did it might be overstating their case. When we spent months looking into the Yahoo hack, it became clear that both nation-states and freelancers can be involved in the same hack, making breach analysis even harder. With Equifax, there’s a theory that rogue hackers gained entry at first, then handed off the access to a more sophisticated entity. This kind of hack-sharing means that whoever stole all that data from Yahoo — remember, for years, Russian agents could read millions of victims’ emails — is available to whoever is building this big dossier database in the sky. Passport numbers and 15-year-old emails linked? That’s quite an incredible amount of information.
It’s fashionable to blame things on China right now, but the particular nation-state that’s the culprit at Starwood doesn’t matter as much as the potential existence of this database.
I haven’t seen it, but plenty of folks I speak to very much believe it exists. The best evidence for it: Where are all the stories of Equifax-related identity thefts, or widespread Starwood points hacks, or….? Whoever is stealing this information isn’t doing it for money, and isn’t doing it for lulz. No one hangs out in a network for four years for lulz. Or, for that matter, for money.
Instead, think about how useful a list of hotel stays would be as an intelligence-gathering tool? As my colleague at NBC News Ben Popken points out, Starwood is a favorite chain for U.S. Government employees. Executives, too. So perhaps most of the data is useless to the hackers; they just want to good stuff. That was initially the goal in the Yahoo hack: Read the email of very specific people. A needle-in-a-haystack search, with the hay uninteresting. Later on, however, the Yahoo hackers shared the stolen data with others who indeed picked through the hay — you and me, in this metaphor — and found all sorts of other uses for it.
Perhaps the criminals are even more interested in tracking corporate executives. Understanding their movements can provide a lot of intelligence — “Why is he visiting South Korea? Is he interested in a new supplier?” Think deeper, and you can imagine the data being used for leverage or extortion. What if a foreign power had information on a clandestine relationship a U.S. executive was having? That would be very useful in negotiations.
In some ways, all these hacks are starting to sound redundant, as if someone keeps stealing the same kinds of data over and over. But as Avivah Litan of Gartner recently told me, there is the matter of upkeep. Whoever has this database has to keep it current, and accurate. Each new heists helps the “owner” clean the data. (Read more from her here, and here .)
Bill Malik at Trend Micro offers another clever use for this executive-tracking database: something I call executive identity theft. Business email compromise is among the fastest-growing cybercrimes. A criminal poses as a CEO and demands her secretary wire money overseas immediately as part of secret merger talks. It works because underlings are less likely to question bosses. If a criminal had a tool that predicted executive movements, imagine how much easier, and more targeted, these attacks could be.
At this point, you are probably wondering what all this has to do with you. If merely monitoring high-value targets is the goal of these hackers, that should be a relief to most of us, right? Perhaps. You must understand that whoever is stealing these massive datasets is in it for the long game, however. Again, the Starwood hack lasted four years. Can you really be sure that you’ll be uninteresting to a foreign power in a decade or two? Are you sure there isn’t an email you wrote in 2003 that wouldn’t embarrass you somehow in 2023?
This is the point at which an editor would yell at me to give readers some hope, to dole out advice on what to do about all this. So sure, change your passwords and limit the personal information you give large companies. Always act like anything you type into a keyboard might eventually end up on a billboard in Times Square. But realistically, you are collateral damage in a cyberwar being fought by nation-states on one side and fairly helpless U.S. corporations on the other. The big dossier database in the sky is only going to get bigger, and more accurate, with each big hack. That’s our 21st Century reality now.