If it Doesn't Exist, it Can't be Abused (11 November 2014)

A number of outlets have reported that the U.S. Postal Service was hacked, apparently by the Chinese government. The big question, of course, is why.

It probably isn’t for ordinary criminal reasons:

The intrusion was carried out by "a sophisticated actor that appears not to be interested in identity theft or credit card fraud," USPS spokesman David Partenheimer said.

But no customer credit card information from post offices or online purchases at usps.com was breached, they said.

Perhaps it was regular espionage:

But some analysts say that targeting a federal agency such as the post office makes sense for China as an espionage tool. For one thing, the Chinese may be assuming that the U.S. Postal Service is more like theirs—a state-owned entity that has vast amounts of data on its citizens, said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies. Second, he said, the trend in intelligence is the same as in the commercial sector: amass big sets of data that can be analyzed for previously unknown links or insights.

"They’re just looking for big pots of data on government employees," Lewis said. "For the Chinese, this is probably a way of building their inventory on U.S. persons for counterintelligence and recruitment purpose."

That sounds likely to me, but I fear that this may be a self-inflicted wound. According to news reports last year, the Postal Service is recording all mail: who sends mail to whom. Could that have been what the Chinese were interested in?

Studying communications patterns is known as traffic analysis. It’s a venerable intelligence technique, and a powerful one. It’s even been in the news of late, as "metadata". The external appearance of a message tells a lot: who it’s from, who it’s to, and how long it is (which you can approximate for mail if you can see the postage). Everyone who has ever waited for an acceptance decision from a college knows the difference between a thin letter and a thick one; the same sort of thing is done by intelligence analysts.

Let me give an example. Suppose, when examining all mail to a person, you see a letter indicative of employment—perhaps a tax document, in January or February—from a defense contractor to that person. You also see what appears to be a debt collection letter and a letter from a bankruptcy law firm. (The Postal Service program takes photographs of the front and back of every letter. How long these are retained has not been disclosed.) It’s a pretty good bet that the addressee is in financial trouble; he or she may also have a security clearance and almost certainly knows people who do. A good target to recruit as a spy?

Identifying people with access to sensitive information can be simpler. According to 32 CFR 2001.46(c)(2)(i), certain types of classified information can be sent by registered mail. It may be possible to spot such letters by the patterns of communication.

The usual information targeted, though, is likely to be far more routine but probably more valuable. A change in the volume of correspondence between, say, a drone manufacturer and a company believed to make some of the parts they use is likely indicative of a change in production rates. For that matter, the correspondents of a drone manufacturer might suggest who the suppliers are, and thus give hints about manufacturing techniques and the drones’ capabilities. (A paint manufacturer? Do they make stealth coatings? A different engine supplier? Perhaps more range or a faster aircraft?)

The point is that the theft of this database (and it’s not known publicly if it was even targeted, let alone accessed) couldn’t have happened if it didn’t exist. The decision to collect and store this data enabled the problem. Yes, mass surveillance systems can help solve crimes—but they can also lead to crimes.
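To make the point concrete, here is an added Python sketch (not part of the original post) built on constructed envelope records for the drone-manufacturer case above. The company names, the dates and the 30-day retention limit are all assumptions; the code compares what the stored records reveal when they are kept forever, kept briefly, or never collected.

```python
from collections import Counter
from datetime import date, timedelta

START = date(2014, 1, 6)
SPLIT = START + timedelta(weeks=13)   # boundary between two 13-week periods
TODAY = START + timedelta(weeks=26)   # day the stored records are read

def build_log():
    """Constructed envelope metadata: (date, sender, recipient). No contents."""
    log = []
    for week in range(26):
        day = START + timedelta(weeks=week)
        late = week >= 13
        log += [(day, "DroneCo", "PartsCo")] * (6 if late else 2)  # volume triples
        log += [(day, "DroneCo", "UtilityCo")]                     # steady background
        if late:
            log += [(day, "DroneCo", "PaintCo")]                   # new correspondent
    return log

def retained(log, days):
    """Records still stored on TODAY under a retention limit (None = keep forever)."""
    if days is None:
        return list(log)
    cutoff = TODAY - timedelta(days=days)
    return [rec for rec in log if rec[0] >= cutoff]

def inferences(records):
    """What anyone holding the stored records can work out about DroneCo."""
    before = Counter(r for d, s, r in records if s == "DroneCo" and d < SPLIT)
    after = Counter(r for d, s, r in records if s == "DroneCo" and d >= SPLIT)
    has_baseline = bool(before)  # trends need data from the earlier period
    return {
        "correspondents": sorted(set(before) | set(after)),
        "volume_up": sorted(r for r in after if has_baseline
                            and r in before and after[r] >= 2 * before[r]),
        "new": sorted(r for r in after if has_baseline and r not in before),
    }

if __name__ == "__main__":
    log = build_log()
    cases = [("kept forever", retained(log, None)),
             ("30-day retention", retained(log, 30)),
             ("never collected", [])]
    for label, records in cases:
        print(f"{label:>17}: {len(records):3d} records -> {inferences(records)}")
```

A short retention window removes the production-trend and new-supplier inferences but still exposes the current contact list; only the store that was never built reveals nothing.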

There’s more. The Postal Service knows everyone you communicate with by paper mail. (Yes, there have been abuses reported.) The phone company knows everyone you call. Your ISP knows all of your email contacts. And law enforcement can get all of this without even probable cause, just a certification that "the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency".