The Post-Cyber-Security Era

From the Thursday edition of the Morning Jolt:

I didn’t write a lot of pieces praising President Obama over the last eight years, but way back in June 2009, I wrote that he was correct to want to establish a new position, “cyber-security coordinator,” often nicknamed the “Cyber Czar.” As luck would have it, right before Obama announced the position, I had attended a gathering of some of the corporate world’s top cyber-security experts and wonks, and they had shared the familiar potential horror stories about our insecure infrastructure: attacks and shutdowns of electricity grids, air traffic control, finance and banking, telecommunications, et cetera.

At the heart of the discussion at that conference was the question of whether deterrence could work in the era of cyber-warfare:

A country that fires a missile at a U.S. military base has effectively declared war and can expect severe consequences; but a country that causes intermittent communications disruptions at that base is in a murkier area. Would the U.S. make a non-cyber response to a strictly cyber intrusion? Do you drop a bomb on a target if they’ve only broken into your computer?

The idea of a political campaign being a target for cyber-intrusion and mischief was familiar eight years ago. When announcing the formation of the “Cyber Czar” position, Obama said:

It’s no secret that my presidential campaign harnessed the Internet and technology to transform our politics.  What isn’t widely known is that during the general election hackers managed to penetrate our computer systems.  To all of you who donated to our campaign, I want you to all rest assured, our fundraising website was untouched.  (Laughter.)  So your confidential personal and financial information was protected.

But between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans.  And we worked closely with the CIA — with the FBI and the Secret Service and hired security consultants to restore the security of our systems.  It was a powerful reminder:  In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities.

(A lot of people wondered whether Obama was supposed to mention the CIA’s role. A CIA role would suggest foreign involvement in the hack.)

One of the lessons of the Obama era is that despite all the talk of cyber-security, no one in charge took it seriously enough. It took Obama seven months to name his first cyber-czar.

It was in Obama’s second term that the cyber-intrusions, believed to be directed by foreign governments, really piled up.

In 2014, the U.S. Postal Service “suspended telecommuting for employees while it works to remediate a network intrusion that has exposed data on some 800,000 postal workers and an additional 2.9 million customers.”

Also in 2014, a private firm that performs background checks for U.S. government employees suffered a hack that “compromised data of at least 25,000 workers, including some undercover investigators.”

Also that year, China hacked the National Oceanic and Atmospheric Administration and the National Weather Service, requiring the agencies to seal off data vital to disaster planning. A review determined that the agency did not notify the proper authorities when it learned of the attack.

In 2015, the IRS “disclosed a massive security breach that allowed hackers to obtain detailed tax-return information on 104,000 taxpayers.” In 2011, the Treasury Department’s Inspector General found the IRS did not have an adequate “screening process” nor adequate “minimum requirements” to ensure security and privacy.

The biggest hack of them all, at the Office of Personnel Management, involved the personnel records and security clearance files of 21.5 million federal employees. In March 2014, OPM became aware of a partially successful Chinese hack into its systems. In July, after a New York Times report, OPM director Katherine Archuleta publicly denied that any hack had occurred: “We did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data.”

That was not only a lie, it represented blind denial of just how bad the consequences were. The information stolen basically amounts to a “how-to” guide for blackmailing federal employees with security clearances, with the confidential records including the intimate personal details of federal workers’ infidelity, drug abuse, and personal debts uncovered during the background-check process.

In February, an unknown hacker published contact information for about 20,000 FBI employees and threatened to publish information on another 9,000 Department of Homeland Security employees.

While all of this hacking was going on, much of it believed to be directed by foreign governments, the Obama administration mostly dithered on options for retaliation – or what could have been a form of deterrence.

“We’d have all these circular meetings,” one senior State Department official said, “in which everyone agreed you had to push back at the Russians and push back hard. But it didn’t happen.”

So the Russians escalated again — breaking into systems not just for espionage, but to publish or broadcast what they found, known as “doxing” in the cyberworld.

In other words, hackers managed to breach the federal government, an entity that enjoys way more resources, power, expertise and incentive to have secure systems than the average Joe. And the federal government offered no significant retaliation or consequence.

And now we’re supposed to be surprised that the e-mails of the Democratic National Committee and John Podesta weren’t secure enough?

Now we’re supposed to delay the vote of the Electoral College so that the electors can hear the CIA assessment that Russian hackers got into the e-mails of the DNC and Podesta? Why would this information be surprising to anyone in the Electoral College who has paid any attention to the world of cyber-security in recent years?

Despite this gruesome record of incompetence, we now have elected officials who claim the election results are “illegitimate” because of the Russian hacking. (Wasn’t there broad consensus in October that this precise argument was the worst possible thing Donald Trump could do?)

Don Beyer, the Virginia congressman calling for the delay in the Electoral College vote, declared, “If we don’t act early, and soon, we run the risk of having an illegitimate president.” What makes Trump illegitimate? The implied contention is that without the DNC and Podesta hacks, Hillary Clinton would have won – which is not proven at all. It’s impossible to prove, and also supremely implausible knowing what we know. The Beyer theory assumes that the electorate consists of hapless automatons, mentally enslaved by media coverage that is critical of Hillary, while somehow psychologically immune to media coverage that was critical of Trump. Still, I suppose we shouldn’t dismiss his theory of unthinking masses of voters; after all, they reelected Beyer.

In February – about six and a half years after he named his first “Cyber Czar” – Obama announced the creation of the nonpartisan Commission on Enhancing National Cybersecurity. They presented their report to the president… December 1. Enacting their recommendations will be almost entirely up to the Trump administration. During his remarks after meeting with his Commission, Obama announced, “I have consistently made cybersecurity a top national security and economic security priority.” Mm-hmmm.
