Falling Behind in the Cyber War

By Rachel Ehrenfeld

Shutting down the background check system of the Office of Personnel Management employees will do little to prevent the abuse of millions of personal files of former, current and wannabe government workers that have already been stolen. But a shutdown was ordered anyway. Incredibly, OPM Director Katherine Archuleta described the shutdown as a “proactive, temporary suspension.” Proactive? After millions of files were compromised?

The shutdown, reportedly, will last 4-6 weeks or longer to allow the OPM investigation into the hacking of its systems and supposedly to minimize its vulnerability to future cyber attacks.

In hearings before Congress, OPM officials’ explanations of their system’s vulnerability to cyber attack were alarming. They suggest that most, if not all, government cybersecurity efforts are next to meaningless.

In an interview with the Wall Street Journal, a comment by Phyllis Schneck, a top cybersecurity official at the Department of Homeland Security, exposed the heart of the problem. According to Schneck,  the OPM system “did not detect it at first because it had not seen it before.” Clearly, the Obama administration continues to cover only past attacks it knows about, but has nothing to prevent new attacks. As with other wars we are facing, this government is fighting the last one, but ignoring the new ones.

This, despite the fact that the Executive Branch has spent upwards of $529 million on its cyber security system called Einstein. It has been implemented in various civilian agencies between 2004 and 2014. Einstein must be turning in his grave.

It seems likely the hackers got into the OPM network using access codes provided by a federal contractor. But the fact that OPM did not itself discover the breach in any way, shape or form, is telling. Some say the news of the attack came from the Department of Defense, while others say – “Four people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.”

But things are worse than that.  While government cannot keep up its own cybersecurity, it leans heavily on the private sector in our (the “consumers”) interest by fining private companies for security breaches.

The foregoing was said by Congressman Will Hurd (R-Texas) in a June 25 Wall Street Journal op/ed. He calls this hypocrisy on the part of the Executive Branch, which it is.  What he doesn’t say is that the Obama Administration has been giving special attention to protecting consumers from businesses it deems too irresponsible and greedy to cyber-protect their customers.  “Customers” vote. “National security” does not.

Among other things, Hurd noted that OPM Director Katherine Archuleta, while testifying before the House Committee on Oversight and Government Reform, declined to apologize for, or even acknowledge, her agency’s refusal to implement security best practices recommended for several years by the OPM’s own inspector general, Patrick E. McFarland. In report after report going back to 2010, the Inspector General had identified insecure, outdated and poorly managed IT systems and practices that left the agency’s information vulnerable. Hurd demanded that Archuleta resign.

But Archuleta is not alone. She has been doing what every other agency head has been doing for years: the interminable and altogether insouciant implementation of all sorts of cyber security directives.

And government employees union representatives have not been very helpful either when it comes to cybersecurity. The American Federation of Government Employees (AFGE) has been very noisy about the damage done to its members by the OPM breach.  However, the very same AFGE protested a 2011 action by the Immigration and Customs Enforcement Agency (ICE) to limit its employees’ access to their personal webmail accounts from office computers.  ICE believed that such access compromised its cybersecurity.

ICE lost, AFGE won. A federal arbitrator ruled that the Agency may not take any action to reduce security risks to its IT systems without first providing the Union an opportunity to bargain. Cybersecurity involving federal employees is apparently something the government has to bargain about?

While our highest intelligence and national security officials, including the President, have harped on and on about the severity of the cyber threat, none of them have taken responsibility for meeting that threat in any real way.  Did they hold OPM Director Archuleta’s, or anyone else’s, feet to the fire?

Don’t expect any heads to roll anytime soon. Cybersecurity policy, like most of this administration’s national security policies that are not immediately beneficial to it politically, has not been taken seriously. As a result, no one is taking responsibility for preventing, or at least stopping, cyber attacks, and no one is accountable for the enormous cost to our economy and national security.

In the meantime, the White House has hired Google’s hacking expert, Peiter Zatko, to start the cyber version of Underwriters’ Laboratory. No specific details of this new program were made public, and it is unknown how this will help to protect us from cyber attacks.