Information regarding the size and scope of the cyberattack against the Office of Personnel Management (OPM) continues to grow. As many as 18 million current, former and prospective federal employees — ranging from military personnel to the IRS — are now thought to be affected. This figure is a massive increase over the initial OPM estimate of 4.2 million, and it is likely to grow. Officials speaking about the breach, which is believed to have originated in China, have now acknowledged that the incident goes back to June of last year.
The slow drip of information regarding the extent of the security breach has frustrated policymakers, many of whom expressed those feelings to besieged OPM Director Katherine Archuleta during her testimony on Capitol Hill before a Senate Appropriations subcommittee.
Archuleta defended her time as director, saying, “In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network. These attacks will not stop — if anything, they will increase.” She went on to promote her “aggressive effort” to reform and update the policies and procedures that govern OPM’s aging cybersecurity infrastructure.
The Obama administration continues to express its confidence in Archuleta’s ability to lead OPM. Such a statement is deeply concerning, considering that the Office of the Inspector General warned OPM that critical vulnerabilities in its security authorization system left it open to exploitation. It was a warning that Archuleta seemed content to ignore, or at best to address at a snail’s pace.
The lackadaisical attitude surrounding the OPM breach is indicative of a wider cybersecurity mindset that is plaguing our national security infrastructure in cyberspace. The U.S. is simply not adapting fast enough. Every year the U.S. fails to meet the threshold for developing a robust and comprehensive cybersecurity platform, and we fall farther behind our digital adversaries. There is a mindset in Washington that addressing these security threats is somehow beyond our capability, and that no matter what we do there will always be penetrations of critical systems. You would be hard-pressed to find a policymaker who would tolerate, much less express, such an idea when it comes to terrorist threats from al-Qaeda or the Islamic State in Iraq and Syria. Why such an attitude is allowed to exist when it comes to cybersecurity is deeply troubling.
In February 2013, President Obama issued Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity. The EO was intended to lay out the administration’s priorities and commitment to improving critical infrastructure and thus mitigating the threat from cyberattacks. The plan was developed in conjunction with recommendations from the Internet Security Alliance, a multisector trade association that provides a unique combination of advocacy and policy development. The EO outlines a robust plan, full of big ideas but short on a strategy for how it can be implemented.
The perfect example of this is White House Cybersecurity Coordinator Michael Daniel. During an interview with Information Security Media Group, Obama’s point man on cybersecurity came under heavy fire when he downplayed his own lack of technical expertise and dismissed the importance of understanding the nitty-gritty of implementing cybersecurity policy. While Daniel’s pedigree is impressive, especially in terms of the scope and skills he has brought to his numerous positions in government, the decision to appoint him to the position of White House Cybersecurity Coordinator is indicative of a pervasive belief that cybersecurity leadership does not require technical expertise in the field. Can you imagine the Director of the Centers for Disease Control not being a doctor, or the Attorney General not being a lawyer?
A report released by the software security firm Veracode highlights the staggering deficiencies in civilian federal agencies. Entitled State of Software Security, the report examined 208,670 applications over the course of 18 months, during which the company audited source code from government and private-sector clients.
This particular report focused on the government sector, comparing it to 34 industries across a variety of different sectors. Veracode found that government agencies rank last in how often and how fast they address security vulnerabilities — only 27 percent of identified vulnerabilities were adequately fixed, and three out of four government sector applications consistently failed the OWASP Top 10, the benchmark standard for assessing web application security. One reason cited for this high degree of vulnerability was the outdated programming languages used in many government systems.
So why aren’t these government agencies adequately addressing these problems? The short answer is that the government simply lacks the regulatory demands that are so often present in the private sector.
Many in Washington are expressing their collective outrage over the OPM breach, but the alarm bells that have been ringing over the last two decades will continue to be ignored. Incidents of computer attacks have increased 1,100 percent since 2006, and the cybersecurity threat facing the U.S. is very real. Unfortunately, for many policymakers on Capitol Hill these security challenges exist in the abstract. There is no body count to tally from a cyberattack. There is nothing present in the physical world to help policymakers — many of whom purposefully avoid diving into the technical nuances of cybersecurity — properly conceptualize the threat. Right now, unless the problem we are facing in cybersecurity involves a Middle East government on the verge of collapsing, the desire and wherewithal to take action will continue to fall short.
Nations spy on one another; it is a fundamental reality of the international system. The idea that China is spying on us is not the problem per se but rather the symptom of a much broader disease. The Chinese government is not going to stop trying to breach our digital bulwarks, no matter how much we whine. The problem, however, is that the digital age provides the potential for critical national security information to be taken with far greater ease and in much greater volumes than at any time in history. We are making it far too easy for foreign governments to exploit our soft cyber underbelly. Can we really blame them for capitalizing on that advantage?