Home / Blogs

If It Doesn’t Exist, It Can’t Be Abused

A number of outlets have reported that the U.S. Post Service was hacked, apparently by the Chinese government. The big question, of course, is why.

It probably isn’t for ordinary criminal reasons:

The intrusion was carried out by “a sophisticated actor that appears not to be interested in identity theft or credit card fraud,” USPS spokesman David Partenheimer said.
...

But no customer credit card information from post offices or online purchases at usps.com was breached, they said.

Perhaps it was regular espionage:

But some analysts say that targeting a federal agency such as the post office makes sense for China as an espionage tool. For one thing, the Chinese may be assuming that the U.S. Postal Service is more like theirs—a state-owned entity that has vast amounts of data on its citizens, said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies. Second, he said, the trend in intelligence is the same as in the commercial sector: amass big sets of data that can be analyzed for previously unknown links or insights.

“They’re just looking for big pots of data on government employees,” Lewis said. “For the Chinese, this is probably a way of building their inventory on U.S. persons for counterintelligence and recruitment purpose.”

That sounds likely to me, but I fear that this may be a self-inflicted wound. According news reports last year, the Postal Service is recording all mail: who sends mail to whom? Could that have been what the Chinese were interested in?

Studying communications patterns is known as traffic analysis. It’s a venerable intelligence technique, and a powerful one. It’s even been in the news of late, as “metadata”. The external appearance of a message—who it’s from, who it’s to, and how long it is (which you can approximate for mail if you can see the postage) tells a lot. Everyone who has ever waited for an acceptance decision from a college knows the difference between a thin letter and a thick one; the same sort of thing is done by intelligence analysts.

Let me give an example. Suppose, when examining all mail to a person, you see a letter indicative of employment—perhaps a tax document, in January or February—from a defense contractor to that person. You also see a what appears to be a debt collection letter and a letter from a bankruptcy law firm. (The Postal Service program takes photographs of the front and back of every letter. How long these are retained has not been disclosed.) It’s a pretty good bet that the addressee is in financial trouble; he or she may also have a security clearance and almost certainly knows people who do. A good target to recruit as a spy?

Identifying people with access to sensitive information can be simpler. According to 32 CFR 2001.46(c)(2)(i), certain types of classified information can be sent by registered mail. It may be possible to spot such letters by the patterns of communication.

The usual information targeted, though, is likely to be far more routine but probably more valuable. A change in the volume of correspondence between, say, a drone manufacturer and a company believed to make some of the parts they use is likely indicative of a change in production rates. For that matter, the correspondents of a drone manufacturer might suggest who the suppliers are, and thus give hints about manufacturing techniques and the drones’ capabilities. (A paint manufacturer? Do they make stealth coatings? A different engine supplier? Perhaps more range or a faster aircraft?)

The point is that the theft of this database (and it’s not known publicly if it was even targeted, let alone accessed) couldn’t have happened if it doesn’t exist. The decision to collect and store this data enabled the problem. Yes, mass surveillance systems can help solve crimes—but they can also lead to crimes.

There’s more. The Postal Service knows everyone you communicate with by paper mail. (Yes, there have been abuses reported.) The phone company knows everyone you call. Your ISP knows all of your email contacts. And law enforcement can get all of this without even probable cause, just a certification that “the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency”.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com