The Dismal State of Federal Cybersecurity: It’s Time to Play Chess Instead of Checkers

The cyber attack on US federal personnel data, unofficially attributed to Chinese hackers, was found to yield far more than the Obama administration admitted to. In a letter to the director of the Office of Personnel Management (OPM), J. David Cox, national president of the American Federation of Government Employees (AFGE) has said that, “based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

Cox continued, saying the hackers accessed a massive amount of information, including Social Security numbers, military records, addresses, birth dates, pay histories, health insurance and pension information. Also, the AFGE believes that Social Security numbers were not encrypted. Cox referred to this negligence as “a cybersecurity failure that is absolutely indefensible and outrageous.”

How the Obama administration should proceed, according to current and former officials contacted by The Washington Post, is a difficult discussion. “There are a whole array of things we need to do across the board, from raising our defenses to making sure that this stuff isn’t actually on the criminal underground to understanding the full scope” of the breach, the first official said. “We haven’t gotten there yet.”

As it turns out, the hackers were active in the database for a year prior to getting caught. A year. According to a Wired article, the hackers accessed a large quantity of SF-86 forms — the form used for conducting background checks for worker security clearances. SF-86 forms can contain a lot of very personal data, not only about workers seeking security clearance, but also about their friends and families. Another disturbing finding is that some of the forms would likely have information regarding the applicant’s dealings with foreign nationals and that information could potentially be used against those nationals in their own countries.

The Obama administration seems to be absolutely befuddled by the situation. It’s not as if the US government has never been hacked before. And, it’s not as if the US government has never been hacked by Chinese hackers before.

In April 2012, Michael T. McCaul, Chairman of the Committee on Homeland Security Subcommittee on Oversight, Investigations, and Management, announced that America was under attack by digital bombs. “America’s computers and Internet infrastructure are under attack and every American is at risk. The US government, critical infrastructures, American business institutions and our personal data are being compromised by nation states and hacker groups. The intent is to conduct cyber warfare, possibly paralyzing our infrastructure, stealing our intellectual property, conducting espionage, and gaining access to our credit card, bank account and social security numbers.”

Who was behind these attacks and why? McCaul explains:

“An October 2011 Report to Congress on Foreign Economic Collection and Industrial Espionage states it is part of China and Russia’s national policy to try to identify and take sensitive technology, which they need for their development. China and Russia view themselves as strategic competitors of the United States and are the most aggressive collectors of US economic information and technology…There are of course many other countries developing cyber capabilities and using cyber espionage to steal US trade and technology secrets to bolster their own economic development; and all of them pose a threat.”

Also in 2012, Gen. Keith Alexander, head of the Pentagon’s joint Cyber Command, which was established to counter such campaigns, said: “We see a disturbing track from exploitation to disruption to destruction.” At that time, it was commonly accepted amongst intelligence analysts that Beijing presented the biggest and most persistent threat in terms of cyber crime. In 2012 the Pentagon was pondering what to do about the China threat. Now, in 2015 the Pentagon is still pondering what to do about the China threat.

Testifying before the Senate Armed Services Committee in March of 2013, Gen. Alexander said that China is stealing a “great deal” of the U.S. military’s intellectual property, adding that the NSA sees “thefts from defense industrial base companies.” He also confirmed speculation that China was behind the prior year’s attacks on RSA.

It was also discovered, in 2012, that fake electronic parts had become prevalent in U.S. military systems, with China, not surprisingly, being the chief source of the phony devices. A U.S. Senate investigation determined that these bogus parts represent a threat to national security. The probe, conducted by the Senate Armed Services Committee, spanned the course of a year and found electronic parts from China in:

  • The Air Force’s C-130J cargo plane
  • Assemblies for Special Operations helicopters
  • The Navy’s Poseidon surveillance plane

Eighteen hundred incidents of fake parts were detected in the Department of Defense supply chain in 2009 and 2010. The total number of suspected counterfeit parts was found to be over one million, according to the investigation.

This year, in April, the Government Accountability Office (GAO) reported a “sharp increase in cyber incidents reported by federal agencies over the last several years, as well as the reported impact of such incidents on government and contractor systems.”

So, this most recent incident did not arrive without ample warning.

The New York Times reports that the Obama administration is considering financial sanctions against the OPM hackers. The Obama administration should also consider joining the 21st century, because one of the main reasons the US government is an easy target is that it continues to employ dated cyber strategies and implement obsolete technology.

One recommendation as to how the US government should proceed comes from Alan Cohn, who is of counsel in the national and homeland security practice of Steptoe & Johnson LLP and a consultant on security, technology, innovation and government. He is also the former Assistant Secretary for Strategy, Planning, Analysis & Risk at the Department of Homeland Security. According to Cohn, federal networks can be fortified if the government begins to model itself after Silicon Valley.

Cohn suggests:

1 — Scrapping the government acquisition system “for cybersecurity. Simply put, the speed of innovation in cybersecurity has made the current multiyear government systems acquisition process irrelevant. Likewise, government acquisition risk-management models, which highly favor mature technologies, are rendering acquired technology obsolete as soon as it is fielded. As David Cowan of Bessemer Venture Partners recently said, ‘There is no such thing as a mature cybersecurity technology.’

The government must be free to jump to where the best companies are going, scrapping massive integrated systems in favor of a nimble architecture for information technology and cybersecurity. In that architecture, cybersecurity features are purchased as a service and incorporated as an application program interface, but only for so long as the technology actually meets the threat.”

2 — Getting venture capitalists involved. “Every industry, including the technology industry and its major cybersecurity players, are outsourcing research and development in whole or in part to startups. This means that venture capitalists serve as a screening mechanism for bringing new technologies and innovations to the market, or to incorporation as features into larger products.”

3 — Having Congress continue to “give strong authorities to DHS and the Office of Management and Budget to truly enforce basic cybersecurity standards for the federal government.”

Cohn also points out that, “last year’s reforms to the Federal Information Security Management Act were a good start, but adoption of new technology, meeting minimum standards for cybersecurity, and making networks available for intrusion prevention, detection, and investigation activities cannot be optional on the part of each federal department and agency.” In April, the GAO released a more in-depth report, entitled Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems, containing its recommendations.

Back in 2006, the FBI publicly asked hackers for help in fighting cybercrime. “We need your expertise and input as we develop strategies to battle cybercrime in the 21st century,” FBI official Daniel Larkin said while addressing the annual Black Hat security conference. He confessed that though the government has tried to stay current on possible threats, there are others who likely know about potential threats before federal agents do. “Critical information on terrorism and cybercrimes could be in your hands and might be in your hands before they reach ours,” he said to the black hat hackers.

CNET reported on the FBI’s appeal:

“The FBI’s call for help confirms that it is not equipped to deal with cybercrime, said Tom Thomas, a security consultant from California who is attending Black Hat. ‘It is not reassuring,’ Thomas said. ‘It confirms what we already suspect. There is great technical inadequacy, if not downright ineptness, at the FBI. Therefore they are, perhaps desperately, seeking help from almost anyone.’”

A TechRepublic article explains that the obvious advantage of hiring black hat hackers to advise on network security is that, “when it comes to the network intrusion game, they have real world experience in playing offense. The typical IT pro only knows about playing defense. There is a very big difference in mindset between being someone whose primary training is in protecting the network and someone who has learned, usually mostly through trial and error, all the little ‘tricks of the trade’ for breaking into networks. A good hacker really loves the challenge and spends many, many hours perfecting his craft.”

Incidentally, there is a bit of a history of hackers assisting the authorities. For instance, in 2013, a Huffington Post article describes how Anonymous helped police track down…you guessed it…Chinese hackers.

Anonymous is also credited with warning police, in advance, about the Garland, TX attack. Also, last month, France’s Prime Minister Manuel Valls announced he would hire “many hackers” and “a battalion of community managers” to monitor terrorists online. Additionally, earlier this year, when the FBI was searching for the Centcom hackers, they were aided by information acquired by Anonymous. And, the hacktivist collective was also instrumental in shutting down a child pornography website, while also helping the police arrest Canadian Chris Forcand.

In February, President Obama admitted, while addressing a cybersecurity summit in San Francisco, that the government is not performing up to par. He remarked that the government designs “new defenses, and then hackers and criminals design new ways to penetrate them. Whether it’s phishing or botnets, spyware or malware, and now ransomware, these attacks are getting more and more sophisticated every day.” He said that the federal government needs to be just as fast and flexible and nimble in constantly evolving its defenses.

The federal government is many things, but fast, flexible and nimble it is not.