What is U.S. Director of National Intelligence James Clapper thinking?
While federal courts and federal agencies are busy re-examining liability and rights of victims in breach cases, Clapper is semantically slicing and dicing one of the largest hacks on record and muddying the water on what constitutes damage and future risk.
Is Clapper undermining progress toward establishing standards for deconstructing hacks, determining damages, and doling out punishments?
Clapper recently told a Congressional committee that the massive hack of 21 million people (including minor children) at the Office of Personnel Management was not an "attack" in the strict definition of the word, since data was not destroyed or manipulated. Clapper also noted that the data has not been used "in a nefarious way." He said data was "simply stolen," and added, "That's a passive intelligence collection activity -- just as we do."
The 21 million OPM victims, roughly 7% of the U.S. population, probably aren't soothed by the description "intelligence collection activity," and are likely very anxious about anything nefarious happening.
And how does Clapper know conclusively that the data has not been used in nefarious ways? Further, does it even matter? The mere fact that the data is missing heightens risk.
Even OPM seems to realize that. Today, the agency announced it was raising the number of fingerprints stolen in the hack from 1.1 million to 5.6 million. OPM's official statement said, "...the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves."
The threat of further harm after an initial breach is the biggest issue forcing federal courts and agencies to re-examine the rights of breach victims and the window of protections for those victims.
Clapper has a history of being a bit unclear with his assessments.
In 2003, Clapper, then head of the National Geospatial-Intelligence Agency, tried to explain the absence of weapons of mass destruction in Iraq by claiming they had been moved before American troops showed up. It was a claim even his superior said had no supporting evidence.
In 2011, Clapper, by then U.S. Intelligence Director, told the House Intelligence Committee that the Muslim Brotherhood had no overarching agenda, particularly in pursuit of violence, at least internationally. In 2013, two U.S. representatives accused Clapper of perjury for telling a Congressional committee that the NSA does not collect any type of data at all on millions of Americans. Two months later, Clapper said his statement was erroneous, explaining that he had forgotten about the Patriot Act.
And almost a year later, Edward Snowden, when asked in a TV interview why he blew the whistle, said, "Sort of the breaking point was seeing the Director of National Intelligence, James Clapper, directly lie under oath to Congress. ... Seeing that really meant for me there was no going back."
Now Clapper, who clearly is hedging his bets from the angle of espionage and national security, appears to be injecting semantics into the breach debate.
The day before Clapper's "not an attack" declaration, U.S. Sen. Charles Schumer, D-N.Y., had a different take. Schumer used the word "attack" when talking about how hackers accessed 10 million healthcare records stored by Rochester, N.Y.-based Excellus BlueCross BlueShield.
The intrusion fell well below Clapper's threshold of "stolen" and "nefarious use." Excellus was only certain the hackers saw the data but could not confirm they took anything. "When it comes to the personal information of New Yorkers ... we can never be too safe," Schumer said.
Clapper is missing the victim angle that Schumer so clearly understands. Federal courts also are beginning to understand the dynamics and ramifications of hacks that begin with compromised records and deteriorate into data re-use for other nefarious purposes and crimes. Those courts are building a clearer picture of the real and potential damage victims face.
In the past few months, U.S. courts have been challenging legal precedent that denies victims in breach cases the right to file lawsuits in federal court based on future harm.
In July, the U.S. Court of Appeals for the Seventh Circuit challenged the depth of on-going harm to victims by overturning a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach. The Court said victims had "standing," a right to file a lawsuit in federal court, over concerns of on-going problems. The Ninth Circuit Court also recently concluded that victims have a legal right to file a lawsuit over the long-term consequences of a breach. And last year, the U.S. District Court for the Northern District of California ruled, in a case involving the Adobe breach, that the risk hackers will misuse stolen data is "immediate and very real."
Given Clapper's criteria, if these particular breaches were not classified as attacks, would victims have any redress in court?
Of course, the other side of the story Clapper didn't address is that OPM's systems were poorly maintained and ripe for hacking. The question becomes: where does "intelligence collection activity" start to look more like liability and negligence?
Last year, an OPM Inspector General report revealed that OPM couldn't find all of its equipment, and that 11 "major systems" were operating without security certification. The report concluded there was "a material weakness in the internal control of the agency's IT security program."
This sort of negligence is another breach variable gaining clarity as the Federal Trade Commission (FTC) takes the lead in policing corporate data protection.
In late August, the FTC closed its investigation into last year's Morgan Stanley hack, saying the company had responded quickly and had adequate internal security policies in place. On the flip side, a U.S. appellate court, also in late August, ruled the FTC could sue Wyndham Hotels over computer system hacks. The ruling validates the FTC's power to pursue legal remedies from companies it deems to have inadequately invested in computer security, as judged against the claims made in their privacy policies.
Victims' rights and national security may play on different fields, but those who have their data stolen through no fault of their own are not collateral damage. Emerging breach patterns clearly show that initial hacks often foreshadow re-use of data.
All this highlights the legal infancy around breaches, and begs for answers to what happened where, to whom, how and the legal implications.
Perhaps those on the front lines fighting cybercrime, such as Clapper, will begin to do a better job crafting those answers.