Federal cybersecurity efforts need clear responsibility, urgency and leadership

By James Norton

Enemy nation-states, terrorists, and cyber gangs are striking the federal government’s cybersecurity Achilles heel, taking advantage of a disorganized bureaucracy that continues to leave government networks susceptible to attacks. Patience should be running thin as we watch the country become more vulnerable, despite years of languishing promises of strengthened security. Where is the sense of urgency, and whose feet should be held to fire?   

Sadly, the recent hack perpetrated on the Office of Personnel Management (OPM) was just a glimpse into what will be the new normal, if the government does not act fast and put real solutions in place. As OPM acknowledged, an estimated 4 million federal government employees had their personal data hijacked; when the relatives, friends and colleagues listed in many of these files are taken into account, the number quickly swells to 8 million—or even 12 million—individuals affected. Each one is a victim of what may be the biggest espionage heist in history.

The full extent of the harm remains to be seen, but we know home addresses, social-security numbers and other personal information were stolen by enemy intelligence services. The perpetrators now can use this sensitive information to establish hit lists, to exploit the victims, or to build upon it in future attacks, further chipping away at the nation’s security.  

This startling attack was entirely preventable; OPM’s database was improperly secured and inadequately encrypted. The security measures in place are comparable to a “beware of the dog” or “this house is secured by ADT” sign, and they did not seem to intimidate or slow the Deep Panda hackers as they waltzed through front door and into OPM’s vault of information with the hubris of Danny Ocean’s crew. Even more startling is a report by the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) that, in fiscal year 2014, more than 640,000 cyber-related incidents impacted federal government agencies.

The US-CERT is charged with collecting this data and reporting on the thousands of intrusions occurring in the online neighborhood; however, after 10-plus years of mounting data and the skyrocketing number of intrusions, what is the plan to combat these attacks? While the government is taking steps to protect its networks by deploying US-CERT’s early warning system known as “Einstein,” deployment is not keeping pace with our enemies. Coupled with a tight budget environment and the inability of government agencies to procure updated security technologies, the United States is a sitting duck for cybercriminals.  

It is distressing that it seems any urgency for increased cybersecurity at federal agencies has been short-lived or for show. Every year, there is a flurry of legislative and regulatory activity, but very rarely does anything get signed into law or enacted. Even if it does, it lacks a clear mandate. Current cyber legislative proposals are geared towards providing liability protection for corporations; while these measures are critically important, they do not address the root causes of the federal government’s inability to secure the its own information.

As we sift through the wreckage, Congress should begin with determining who is responsible for agencies’ cybersecurity. The lack of identifiable leadership has allowed for finger pointing.