30 June 2015

Why Can't We Play This Game?

General Michael Hayden
June 24, 2015

Jimmy Breslin borrowed a line from manager Casey Stengel to title his chronicle of the worst team in baseball history, the 1962 Mets. Stengel plaintively asked, "Can't Anybody Here Play This Game?" Given recent events, Americans could be asking the same question about their government's cyber performance.

Earlier this month the Office of Personnel Management announced that someone had grabbed super user status on OPM computers, taking the records of more than four million current, former and retired government employees and, then, within a week OPM added that an attacker had been in the database of the government's far more sensitive security clearance system for almost a year. Recent estimates put the number of people affected at 18 million.

We've seen breaches before, but these were particularly numbing. The massive files of American government names, social security numbers, dates and places of birth, jobs, training and benefits give an adversary data that can be used to coerce, blackmail or recruit U.S. sources. Access to the security clearance database would disgorge even more detailed personal information, including the foreign contacts of American officials.

Fingers quickly pointed to China, and why not? The Chinese have pretty much had a free hand in American databases for the better part of a decade and the attacks fit their policy, their needs, their tactics and their tools. The only thing missing was a formal American accusation.

But let me quickly add that I do not blame the Chinese. If we determine that China did this, we would be assigning responsibility, but blame is a different matter. I blame China when they penetrate American industry (an unfair nation state vs. private company fight) and rip off intellectual property for commercial gain (something we view as criminal). 

This wasn't that. This was legitimate state espionage, one government going after another for information that could contribute to its national security. As Director of the National Security Agency, given the opportunity against similar Chinese information, I would not have hesitated for a second...and I wouldn't have had to get anyone's permission to do it. 

This is what serious nation states do. All of them. There is no shame for China here. This is all shame on us.

So how has the U.S. government responded? Well, if there is official outrage about our incompetence, it has been kept well hidden. We've gotten our share of somber press briefings, but there have been no visible consequences for catastrophic failure. I could add predictable failure, as well, since OPM's own Inspector General last year said that the network was so bad that several systems should be shut down. But they weren't.

A tone of self-congratulation seemed to surface at the inevitable Congressional hearings as OPM claimed that, but for its recent IT security modernization program, the penetrations would still be undetected. Despite the new tools, however, OPM was still unwilling or unable to precisely characterize the damage or identify the perpetrator. 

We then went through an interlude of comic relief, the kind necessary in all tragedies. The White House directed that all federal agencies conduct a 30-day cyber sprint to apply patches and the other elements of basic cyber hygiene that they apparently had not done in the preceding months and years.  

Then OPM, as required by law, began notifying folks whose personal information had likely been compromised. Tens of thousands of emails were sent directing government employees to -- wait for it -- click on the embedded hyperlink to take advantage of the data breach protection services being offered. Recognizing that just such an action (a spear phishing attack) had likely enabled the original breach, the Department of Defense (DoD) directed its employees to trash the OPM message.

In front of Congressman Jason Chaffetz and the House Oversight Committee, OPM Director Katherine Archuleta invoked a bit of the Homer Simpson defense (“It was like that when I got here”) when she said, "Cyber security problems take decades in the making…the whole of government is responsible..."

Not a defense I would have adopted (especially if I had been at OPM more than two years), but one not without some truth. After all, until the OPM breach, we were fixated on the damage done by Bradley/Chelsea Manning in DoD until he/she was eclipsed by Edward Snowden in NSA. And one can fairly wonder what of the insider threat needed explaining after Manning, but before Snowden. And it's probably fair to note that in both cases (like the OPM case) the downloading of massive amounts of data went undetected.

It's not only the executive branch that has been late to need. The last two Congresses have failed to pass cyber security legislation that would have given liability protection to firms sharing cyber threat information with one another and with the government.

And Chairman Chaffetz was an enthusiastic supporter of the USA Freedom Act designed to rein in the allegedly renegade National Security Agency and its wanton depredations of American privacy. Little more than forty-eight hours after voting to limit the Nation's most powerful cyber force, Chaffetz and the rest of Congress were demanding to know how the personal records of millions of Americans could have been violated by a foreign power. Perhaps they misidentified the real threats to American privacy.

In reviewing Breslin's book, the New York Times, with tongue in cheek, described it as "one of the most imaginative spoofs of the year." Jimmy Breslin, the review went on, "has invented a fabulous baseball club he calls the Mets."

Except that the '62 Mets were real. Just like the sorry state of our cyber defenses. 

By the way, seven years later the Mets were the world champions. 

Shouldn't we get on with it, too?

General Hayden is a retired four-star General in the United States Air Force. He was the Director of the Central Intelligence Agency from 2006-2009 and the Director of the National Security Agency from 1999-2005. He is also an investor in The Cipher Brief.
