Enemy nation-states, terrorists, and cyber gangs are striking the federal government’s cyber security Achilles heel, taking advantage of a disorganized bureaucracy that continues to leave government networks susceptible to attacks. Patience should be running thin as we watch the country become more and more vulnerable despite years of languishing promises of strengthened security. Where is the sense of urgency, and whose feet should be held to fire?
Sadly, the recent hack perpetrated on the Office of Personnel Management (OPM) was just a glimpse into what will be the new normal if the government does not act fast and put real solutions in place. As OPM acknowledged, an estimated four million federal government employees had their personal data hijacked, but when the relatives, friends and colleagues listed in many of these files are taken into account, the number quickly swells to eight or even twelve million individuals affected. Each one is a victim of what may be the biggest espionage heist in history. The full extent of the harm remains to be seen, but we know home addressees, social security numbers, and other personal information were stolen by enemy intelligence services. The perpetrators can now use this sensitive information to establish hit lists, to exploit the victims, or can build upon it in future attacks, further chipping away at the nation’s security.This startling attack was entirely preventable; OPM’s database was improperly secured and inadequately encrypted. The security measures in place are comparable to a “beware of the dog” or “this house is secured by ADT” sign and did not seem to intimidate or slow down the Deep Panda hackers as they waltzed through front door and into OPM’s vault of information with the hubris of Danny Ocean’s crew. Even more startling is a report by the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) that in the fiscal year 2014 over 640,000 cyber-related incidents impacted federal government agencies.
The US-CERT is charged with collecting this data and reporting on the thousands of intrusions occurring in the online neighborhood, however after ten plus years of mounting data and the sky-rocketing number of intrusions, what is the plan to combat these attacks? While the government is taking steps to protect its networks by deploying US-CERT’s early warning system known as “Einstein,” deployment is not keeping pace with our enemies. Coupled with a tight budget environment and the inability of our government agencies to procure updated security technologies, the United States is a sitting duck for cybercriminals.
It is distressing that it seems any urgency for increased cyber security at federal agencies has been short-lived or for show. Every year there is a flurry of legislative and regulatory activity, but very rarely does anything get signed into law or enacted. Even if it does it lacks a clear mandate. Current cyber legislative proposals are geared towards providing liability protection for corporations, and while these are critically important, they do not address the root causes of the federal government’s inability to secure the its own information.
As we sift through the wreckage, Congress should begin with determining who is responsible for agencies’ cyber-security. The lack of identifiable leadership has allowed for finger pointing. While some have argued DHS should be responsible, the experience of recent years has shown the DHS cannot and should not be expected to prevent cyber attacks across the federal government; funding issues, turf wars, and information gaps contribute to the impossibility of such a mission. Each agency is its own silo, with its own networks, budget, procurement processes, and unique challenges. The cyber security buck for each agency should stop with the head of the agency. Congress should then be rigorous in exercising oversight over the agencies to ensure they are meeting security standards and complying with the law. With clear responsibility and accountability will come true urgency and real action. Just as today’s CEOs must understand cyber threats facing their corporations, instill security in their employees, and allocate proper funding to secure networks to prevent attacks that could cost them their jobs, so too must our cabinet-level officials take personal ownership of their agencies’ cyber security. For the federal government to prevail, cyber must become an across-the-board issue with each agency striving to maintain security in a culture of awareness and preparedness.
There is no silver bullet to the complex problem of cyber attacks on the federal government but identifying who is responsible and prodding them to act through legislation and oversight is a first step to stop the bleeding.
Norton is homeland security and public safety policy expert. He has served as a senior defense industry executive and as deputy assistant secretary of the U.S. Department of Homeland Security in the Office of Legislative Affairs. He is an adjunct professor at Johns Hopkins University, teaching courses on cyber, homeland security and the legislative process. Follow on twitter @jamesnorton99
View Original Article Here