Congress may never be able to protect 21.5 million data breach victims from security dangers by funding identity theft protections, the second highest-ranking House Democrat says.
Lawmakers currently are crafting credit monitoring measures, but whoever stole background check data on U.S. personnel cleared to see classified intelligence might not have plans to drain their finances.
Instead, the culprit, believed to be the Chinese military, likely wants to compromise the victims' fidelity to the United States, some national security experts say.
"There may be some things we can't compensate for," conceded House minority whip Rep. Steny Hoyer, D-Md. "Clearly, if credit is breached, we can compensate for that. But there may be other things that might be more difficult to make people whole."
The attackers accessed "SF-86" forms held by the Office of Personnel Management that detail personal histories of drug use, mental illness and other life circumstances affecting security clearance applicants. The reports are used to assess each individual’s susceptibility to blackmail or recruitment by foreign agents.
Such "extensive information" on those individuals seeking clearances "might be used in ways that could undermine the security of the United States of America," Hoyer told reporters Friday.
Congress members are unclear about the kinds of actions an adversary could take with the filched government employee data in hand.
"OPM and various departments ought to be compiling such a list and then figure out how we can make sure that employees are protected to the extent we can protect them," Hoyer said.
House Democrat Rep. Elizabeth Esty, D-Conn., is interested in hearing about the safety dangers, specifically.
"No credit check is going to make up for the risk to not just personal security, but our nation's security for every individual who went through or was consulted as part of that system," Esty said at a House hearing earlier this month. "What sort of protection and advice do we give on the national security front, on the security breach aspect, because that is very different than your personal information [being used] to raid your bank account."
The majority of hack victims notified so far are eligible for three years of credit monitoring and identity theft insurance, according to OPM.
Ongoing congressional efforts to expand financial protections might be futile, argue some privacy researchers.
"Do we think China is going to sell the OPM data to identity thieves? How is this anything but a waste of money?" tweeted American Civil Liberties Union principal technologist, Christopher Soghoian, after a Senate panel voted to offer credit monitoring for 10 years and $5 million in liability protection.
Other security experts wager that the Chinese military might sell the less useful data among the hoards collected to criminals.
Either way, the best protection for hack victims might be learning how to spot deception in emails, phone calls and social interactions.
"Every government employee, every victim, and every immediate family member of a victim need the training to recognize potential threats emerging from the compromised information," advises a report on the hack's national security ramifications by the Institute for Critical Infrastructure Technology.
The researchers added, "training remains the easiest and best strategy to mitigate adverse effects of the OPM breach such as insider threats, spearphishing emails, social engineering or future breaches."