This is what will happen: an airplane will fall out of the sky, a power plant will explode, and a freight train will run amok. People will die, and cyberterrorists will take credit for the mayhem. Only then will Americans take seriously the consistent and inexcusable failures of the Obama administration to protect our country from cyberattacks.
The most recent hacking of the Office of Personnel Management (OPM) should concern us all. First, the scale is staggering; important information about some 18 million government workers was stolen. Second, the government was dishonest about the intrusions – revealing only the hacking of personnel files at first, and then admitting eight days later what they had known all along that the thieves had also made off with highly classified materials related to security clearances. Third, it turns out that the system being used to protect government data has cost hundreds of millions of dollars, and is hopelessly outdated. But, the feds are sticking with it.
The OPM hack is the biggest in our country’s history, and possibly the most dangerous. The breach exposes information not just on the presumed 18 million government employees whose Social Security numbers were hijacked, but possibly as many as 30 million people overall. Information contained in security clearance files includes records of issues like mental health or drug use that could be used to blackmail or compromise intelligence or diplomatic workers.
OPM officials initially told The Wall Street Journal that security files had not been stolen. They knew otherwise, as the FBI had already informed them of the more serious lapse. As The Journal reported, the day the OPM denied that security files were compromised, former head of Homeland Security Janet Napolitano, who had clearly been tipped off, sent out a letter to colleagues at the University of California warning that anyone who had ever been involved in a security check was at risk.
OPM head Katherine Archuleta, testifying before the House Oversight and Government Reform Committee faulted the agency’s security system, called Einstein, which has been in place for more than a decade, cost over $500 million, and has been overhauled three times. One of Einstein’s many shortcomings is that it allows entry to sites via stolen login credentials. That’s what happened to OPM. Also, the widely used system by federal agencies other than the Pentagon is capable only of detecting intruders that have penetrated the system before. Discovering newcomers or so-called “zero-day” hacks is tough, and expensive. The first-time signatures of cyber thieves are difficult to detect, and the sophistication of such a hack means it is usually the work of a foreign state.
That is one reason that James Clapper, Director of National Intelligence, suggested that China was “the leading suspect” behind the breach. The intrusion was clever enough to solicit admiration from our top spy: “You have to kind of salute the Chinese for what they did.”
Maybe, but we don’t have to salute the Obama White House, which according to The Journal is embroiled in as-yet inconclusive arguments about how to respond to relentless intrusions into our government’s data. It is not just OPM that has been hacked; other targets in recent years include the Pentagon, the CIA, the Department of Commerce, Homeland Security and the National Nuclear Security Administration. Even the White House has been hacked, for heaven’s sake. In all, there were more than 27,000 breaches of government computers involving personal information in 2014. That’s in spite of $65 billion spent on information technology security since 2006.
At an intelligence conference last week, Clapper said, “Until such time as we can create both the substance and the psychology of deterrence, this is going to go on.” He noted the difficulty of doing so, because of “unintended consequences and other related policy issues.” In other words, at the moment, our internet data is pretty much open to hackers, because we have not adopted better security techniques or threatened retaliation. This is unacceptable. And, it is not new.
In 2013, a year after Defense Secretary Leon Panetta warned of a coming “cyber Pearl Harbor,” Senator Tom Coburn, ranking member of the Homeland Security and Government Affairs Committee, issued a report detailing widespread government cyber lapses, drawing on over 40 audits and investigations by various groups including the Government Accountability Office. The report noted that the government had failed to adopt even the most basic of precautions, such as resetting passwords or applying software updates in a timely fashion. The ineptness is breathtaking. It is also frightening.
Coburn’s group cites the Nuclear Regulatory Commission, which stored detailed information about our nuclear power plants on an unprotected shared hard drive. He noted that hackers entered unprotected computers operated by the U.S. Army Corps of Engineers and stole data about the country’s 85,000 dams – such as the potential death count were each to be breached. Another cyberattack was aimed at our Emergency Broadcast System; local TV stations in several markets broadcast phony reports of zombie invasions.
While this last effort sounds almost playful, these attacks are anything but. They should be viewed as acts of aggression, and the perpetrators held accountable. Panetta warned in 2012, “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches... [which might} attack these systems and cause panic and destruction and even the loss of life.”
Let us hope that it does not come to that.
Unhappily, Americans are becoming inured to cyber intrusions; most people have had their emails or credit cards stolen by cyber thieves. Such annoyances have become everyday events; the OPM breach probably struck most people as almost routine – like the data stolen from 40 million Target customers last Christmas. That is not the case.
What should be done? Through an aggressive counter-cyber effort, Obama must make it clear that attacks on U.S. property will be met with equal force. This means confronting the Chinese, which this administration has long been loath to do, for fear of upsetting commercial relations. The White House has no stomach for confrontation, especially since President Obama needs China to back his Iran nuclear deal. Every day, the price tag of that agreement gets more expensive.
Top Reads from The Fiscal Times: