25 June 2015

NO PATCH FOR INCOMPETENCE: OUR CYBERSECURITY PROBLEM HAS NOTHING TO DO WITH CYBERSECURITY

June 23, 2015

On Wednesday, June 17, Reuters reported tersely that the White House “continues to have confidence” in the beleaguered Office of Personnel Management (OPM) chief Katherine Archuleta. This came on the heels of new information that, among other things, the devastating OPM hack may have had something to do with OPM running high-end systems coded in a semi-obsolete programming language without built-in support for modern security practices. Or that OPM gave root system access (for those that don’t speak UNIX, root is privileged system access authority) to foreign contractors in China. No matter, the White House has “confidence” in the woman that ignored a direct warning from the Office of the Inspector General (OIG) cataloging key vulnerabilities in OPM systems, and who also happens to have worked as the national political director for President Obama’s re-election campaign.

It is time to dispense with the smoke and mirrors surrounding the discussion of cybersecurity. For too long, we have persisted in the delusion that cybersecurity and cyberwarfare are difficult and serious threats due to their technological novelty. We have taken refuge in fantastical fears over the looming, Hollywood movie-esque threat of catastrophic cyber-doom. Breathless articles are penned declaring that “cyber” will “change warfare more than the machine gun.” By defining the problem solely in terms of technology, such musings suggest that the solution is technological. This suggests all we need to do is get the best technical talent on the job and things will be fine. However, while patches are issued all the time for bugs and vulnerabilities in computer systems, there is no patch or security update for systematic, glaring incompetence.

The OPM hack demonstrates that cyber-silliness may be far more damaging to American national security than even the most fevered scenario of cyber-doom. Put bluntly, the problem lies not in some esoteric computer science problem. Rather, it is a matter of continuously selecting for and rewarding incompetence. Heads have rolled in government for far lesser setbacks than the OPM hack, yet the administration evinces “confidence” in the woman that presided over the wholesale theft of millions of government workers’ sensitive information.

The fact that the White House still has confidence in Archuleta is not surprising. After all, Obama’s cyber czar is a man that boasts about his own technological illiteracy. Cyber czar Mitch Daniels believes that such petty little things as information technology coding and system details are a “distraction” from policy big-think. Yes, dear reader, I am not cyber-shitting you. Daniels, a man tasked to oversee computer systems of enormous complexity and importance, believes that the details of how they work are a “distraction” from his real job: thinking Big Cyber Thoughts.

Certainly no one expected Daniels to have written his own Linux kernel, and government executives obviously should not be subjected to Google-style whiteboard coding exercises to get hired. However, “[a] man’s got to know his limitations,” Clint Eastwood laconically observed in Magnum Force. As former Defense Intelligence Agency Chief Technology Officer and Joint Task Force-Computer Network Defense veteran Bob Gourley noted, Daniels ought to have regarded his own knowledge gaps as something to rectify or compensate for, not spin as a personal advantage.

OPM director Katherine Archuleta is also an unfortunate case in point. Archuleta bragged about thwarting “10 million [cyber] attacks a month,” a claim that computing professionals and cyber policy specialists greeted with open ridicule. As the New America Foundation’s P.W. Singer tweeted, this is a “[u]seless, meaningless number … My pinkie stops 10 million germ attackers every microsecond. Not a measure of health.” Archuleta’s faux-metrics notably gloss over some other numbers of interest — the amount of vulnerabilities Archuleta ignored, the age of OPM’s legacy systems, the numerical user group classification for root access (given to foreigners physically located on the home territory of a U.S. rival), and the number of up-to-date security systems, practices, and protocols that OPM did not use to protect its data.

Despite all of this, the White House is still confident in Archuleta. After the OPM hack, one shudders to think what she would have to do in order to lose the administration’s confidence. Give the Chinese and the Russians secure shell access into the nuclear command and control system computers, maybe? Subcontract out the job to fix OPM to Edward Snowden or the Islamic State’s web development team? Put the full source code of the dwindling number of National Security Agency programs that Snowden hasn’t revealed on Github and invite Iranian hackers to make a pull request?

Unfortunately, there is no patch for systematic incompetence. No amount of money, new cybersecurity authorities and organizations, or smart hackers lured away from Silicon Valley firms will compensate for the depressingly obvious realization that our government does not care about technical expertise or cybersecurity outcomes writ large and is not at all interested in accountability. We cannot simply run the policy equivalent of a software update and solve our cybersecurity problems without grappling with the disturbing nature of what Daniels and Archuleta represent — our policy elites’ tendency to cry “cyber Pearl Harbor” and nonetheless tolerate massive, systematic, and completely unacceptable levels of stupidity.

Adam Elkus is a PhD student in Computational Social Science at George Mason University and a columnist at War on the Rocks. He has published articles on defense, international security, and technology at CTOVision, The Atlantic, the West Point Combating Terrorism Center’s Sentinel, and Foreign Policy.
