This spring, upwards of 22 million people—including all government workers and their families—were affected by the largest data breach of government computers ever, putting their personal histories, including information about bankruptcies, mental health issues and finances, not to mention Social Security numbers, at risk.
In a seeming moment of candor, Department of Homeland Security Secretary Jeh Johnson said in July that the two separate hacks of the Office of Personnel Management first discovered in June were a “wake up call” for the federal government regarding the urgency of the cybersecurity threat, and that “we need to improve our mission” to secure the nation’s networks from further harm.
“To be frank,” he said before an audience at the Center for Strategic and International Studies, the preeminent national security think tank, “our federal cybersecurity is not where it needs to be.”
The sound heard shortly thereafter was of 22 million simultaneous face palms across the bureaucratic universe.
After spending two decades and untold billions in taxpayer dollars on federal cyber priorities, not to mention the dedication of new agencies, programs, departments, task forces, a czar, and a cyber command under the U.S. military, the idea that the DHS needed an “a-ha” moment to put the threat into perspective is absurd, even bordering on cheap sentiment considering the circumstances. Perhaps Johnson, on the job for a year and a half while playing defense all the way, was just happy that it was OPM director Katherine Archuleta on the chopping block. She resigned under broad congressional pressure on July 10, just a day after Johnson declared his epiphany.
Federal workers are not buying it. The American Federation of Government Employees and National Treasury Employees Union announced they were suing OPM on behalf of their combined 450,000 members, alleging that the agency knew for years that its network security was weak and vulnerable, but failed to do anything about it.
The two OPM hacks included the background check system database that holds super-sensitive information about government employees and contractors who have applied for clearances since 2000 (and, by extension, their friends and family members who were listed on applications, too). “It’s a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government,” FBI Director James B. Comey said in July.
One could see an attack coming down Pennsylvania Avenue in this February report by the Office of Budget and Management, which found OPM consistently at the bottom of basic security metrics. It particularly stood out in its poor authentication and remote access encryption standards. In other words, OPM set out a bright neon welcome sign for hackers.
“Since 2007, officials at OPM have been alerted to their lackluster data security policies and protocols and failed to take appropriate steps to safeguard the information,” said the AFGE leaders when they announced the suit June 29. “Although they were forewarned about the potential catastrophe that government employees faced, OPM’s data security got worse rather than better.”
How could this be? Not only has the government poured endless resources into building and rebuilding network security—a little less than $13 billion across the government in the last year alone—but entire bureaucratic infrastructures have been raised up to address this issue. Despite that, and not counting the recent OPM breach, the number of security incidents reported by federal agencies rose to 67,168 in 2014 from a low of 5,503 in 2005, according to the GAO.
More importantly, Washington is treating this as yet another war—a “cyber war”—and blaming the North Korean and Chinese governments for the most egregious attacks. And for good reason, as we know now that foreign hackers have accessed blueprints of the U.S. military’s most advanced weapons systems over the last decade, including Patriot missile technology, the Navy’s Littoral Combat Ship, the Aegis Ballistic Missile System and that albatross, the F-35 Joint Strike Fighter, which now carries a program price tag of over $1 trillion (though the Chinese might be rethinking the value of that last hack, considering a recent flight test that found the F-35 couldn’t dogfight its way out of an open kennel).
But like all Washington wars, there is a lot of bluster and bureaucracy, even more space carved out for generals and career employees seeking advancement, and a private industry sniffing out the next money pot. The usual short shrift is given to finding a long-term, creative strategy that actually works.
“To me, the whole enterprise is troubled, risks being a boondoggle, and is riddled with failures,” said Gordon Adams, who served as a senior budget official for national security in the Clinton Administration, which, incidentally, launched the very first commission dealing primarily with cyber threats to critical infrastructure in 1996, followed by the first cyber war game (enemy: North Korea).
From there the government spent 20 years continually adding layer upon layer of “solutions,” mostly in the form of new programs, salaries, and government buildings, each routinely forgotten once the next shiny solution came along. Remember the National Infrastructure Protection Center? Probably not. It was created under Clinton, but eventually disbanded when it was absorbed by the bureaucratic hydra otherwise known as DHS in 2003.
Every traditional law enforcement, military and surveillance agency now has a piece of cyber, not to mention the new components that sprang up in the wake of the 9/11 attacks—like the National Counter Terrorism Center, and the Center for Cyber Security under DHS. The most recent, the Cyber Threat Intelligence Integration Center, was announced in February.
Don’t forget the parade of blue ribbon panels, with names like the Critical Infrastructure Protection Committee, Partnership for Critical Infrastructure Protection, National Infrastructure Assurance Council, and the Critical Infrastructure Partnership Advisory Council, also gobbling up funding in order to issue white papers and recommendations most assuredly gathering dust somewhere in a desk no longer used.
In 2001, President George W. Bush appointed the first “cybersecurity czar,” but after the flashy Richard Clarke the post became just another mouth to feed, with negligible impact and forgettable leadership. The current czar, White House cybersecurity coordinator Michael Daniel, has been called a “total n00b” (gamer speak for novice) for the complete lack of technology on his resume. He is a former OMB official.
In 2010, USCYBERCOM (U.S. Cyber Command) was created and given four-star leadership (Gen. Keith Alexander, who was also director of the National Security Agency at the time) to centralize, synchronize, and lead all of the defense department’s cyber offensive and defensive operations, with components in each branch of service. It has received more than $500 million each year since 2014 and is expected to get a little less than that in FY 2016. However, defense-wide, the Pentagon is expected to get closer to $5.5 billion in cyber funds next year.
Of course, the goal of heading off the Chinese menace was never far from the lips of USCYBERCOM’s proponents. “The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid. If that is determined to be an organized attack, I would want to go and take down the source of those attacks,” Alexander said at the time of his four-star promotion.
The war was on, and so was the feeding frenzy. While it was well documented at the time that industry giants like Lockheed Martin and Boeing were having trouble keeping their own barn doors closed against persistent cyber espionage, the defense sector seized upon the chance to amp up their cyber portfolios for the federal round robin amid declining budgets and economic recession. When the Washington Post published “Top Secret America” in 2010, some 143 companies were getting paid to provide security services to 22 government organizations involved in “the cyber war,” the fastest growing zip code in the national security state.
Criticism abounds, and for good reason. Americans hear very little about the “offensive” side of this warfare, particularly America’s involvement in launching its own attacks to spy, steal secrets and sabotage the enemy’s capabilities.
Also, privacy advocates are rightly concerned about legislative “fixes” that would increase the information sharing between the federal government and the private sector, including the propagation of back doors and surveillance authorities like CISPA (Cyber Information Sharing and Protection Act). Given the disclosures by former Booz Allen Hamilton analyst Edward Snowden (ironically, the most profound example of the weakness of the sprawling contracting system in the cybersecurity context), there is understandable wariness over giving the government and their corporate “partners” any more access to Americans’ private data.
Finally, critics want to know how much of the cyber war is hype generated to create more self-sustaining ecosystems within the government apparatus and the Military Industrial Complex. “Now that the government has decided to stimulate the cybersecurity market Washington’s perennial parasites want a piece of the action,” wrote Firedoglake’s DSWright in 2011. To be sure, the only place that so-called Beltway Bandits have been thriving in recent years has been in cybersecurity. But as the OPM disaster has shown, this hasn’t necessarily translated into success.
“The U.S. government has an infinite capacity to spend money on cyber, and the road is littered with failure, both in setting up IT systems and in defending them,” Adams, now a professor emeritus at American University, noted to TAC.
The War on Drugs is a perfect example of a failed mission built on a similarly elaborate architecture of government appropriations, contractual relationships, and law enforcement authorities extending from the White House all the way down to municipal police departments and public schools. But the effort has been largely written off as one of the biggest failures in government history.
Rather than dismiss the cyber war as mere hype (Leon Panetta warning of a “cyber Pearl Harbor” is enough to get anyone’s cynicism in gear), putting cyber in the context of the Drug War could be the first step in wrapping one’s mind around this mess. There is a drug problem in this country, but the federal government has proven it cannot solve it. There are very real threats to both public and private networks and national security is indeed at stake. The more dependent we become on the grid (think: the Internet of Things) the more vulnerable the nation—its economy, its privacy, and security—becomes. But is the federal bureaucracy proving an effective leader in protection, prevention and resiliency? Not quite, not yet.
The “a-ha moment” here is not in finally recognizing the threat, but acknowledging that 20 years of evolving federal cybersecurity policy is not working. This is already morphing into another endless war the United States will never win. The time to break the cycle is now.
Kelley Beaucar Vlahos is a Washington, D.C.-based freelance reporter and TAC contributing editor.