ANALYSIS/OPINION:
Jimmy Breslin borrowed a line from manager Casey Stengel to title his chronicle of the worst team in baseball history, the 1962 Mets. Stengel plaintively asked, “Can’t Anybody Here Play This Game?”
Given recent events, Americans could be asking the same question about their government’s cyber performance.
Earlier this month, the Office of Personnel Management announced that someone had grabbed superuser status on OPM computers, taking the records of more than 4 million current, former and retired government employees, and then, within a week, OPM added that an attacker had been in the database of the government’s far more sensitive security clearance system for almost a year. Recent estimates put the number of people affected at up to 32 million.
We’ve seen breaches before, but these were particularly numbing. The massive files of American government names, Social Security numbers, dates and places of birth, jobs, training and benefits give an adversary data that can be used to coerce, blackmail or recruit U.S. sources. Access to the security clearance database would disgorge even more detailed personal information, including the foreign contacts of American officials.
Fingers quickly pointed to China, and why not? The Chinese have pretty much had a free hand in American databases for the better part of a decade, and the attacks fit their policy, their needs, their tactics and their tools. The only thing missing was a formal American accusation.
But let me quickly add that I do not blame the Chinese. If we determine that China did this, we would be assigning responsibility, but blame is a different matter. I blame the Chinese when they penetrate American industry (an unfair nation-state versus private company fight) and rip off intellectual property for commercial gain (something we view as criminal).
This wasn’t that. This was legitimate state espionage, one government going after another for information that could contribute to its national security. As director of the National Security Agency, given the opportunity against similar Chinese information, I would not have hesitated for a second and I wouldn’t have had to get anyone’s permission to do it.
This is what serious nation-states do. All of them. There is no shame for China here. This is shame on us.
So how has the U.S. government responded? Well, if there is official outrage about our incompetence, it has been kept well-hidden. We’ve gotten our share of somber press briefings, but there have been no visible consequences for catastrophic failure. I could add predictable failure as well, since OPM’s own inspector general last year said the network was so bad that several systems should be shut down. But they weren’t.
A tone of self-congratulation seemed to surface at the inevitable congressional hearings as OPM claimed that, but for its recent IT security modernization program, the penetrations would still be undetected. Despite the new tools, however, OPM was still unwilling or unable to precisely characterize the damage or identify the perpetrator.
We then went through an interlude of comic relief, the kind necessary in all tragedies. The White House directed that all federal agencies conduct a 30-day cybersprint to apply patches and other elements of basic cyberhygiene that they apparently had not done in the preceding months and years.
Then OPM, as required by law, began notifying folks whose personal information likely had been compromised. Tens of thousands of emails were sent directing government employees to — wait for it — click on the embedded hyperlink to take advantage of the data breach protection services being offered. Recognizing that just such an action (a spear phishing attack) had likely enabled the original breach, the Department of Defense directed its employees to trash the OPM message.
In front of Rep. Jason Chaffetz, Utah Republican, and the House Committee on Oversight and Government Reform, OPM Director Katherine Archuleta invoked a bit of the Homer Simpson defense (“It was like that when I got here”) when she said, “Cybersecurity problems take decades in the making. The whole of government is responsible.”
Not a defense I would have adopted (especially if I had been at OPM more than two years), but one not without some truth. After all, until the OPM breach, we were fixated on the damage done by Bradley/Chelsea Manning in the Defense Department until he/she was eclipsed by Edward Snowden in the National Security Agency. And one can fairly wonder what of the insider threat needed explaining after Manning but before Snowden. And it’s probably fair to note that in both cases (like the OPM case) the downloading of massive amounts of data went undetected.
It’s not only the executive branch that has been late to need. The past two congresses have failed to pass cybersecurity legislation that would have given liability protection to firms sharing cyberthreat information with one another and with the government.
Chairman Chaffetz was an enthusiastic supporter of the USA Freedom Act designed to rein in the allegedly renegade NSA and its wanton depredations of American privacy. Little more than 48 hours after voting to limit the nation’s most powerful cyberforce, Mr. Chaffetz and the rest of Congress were demanding to know how the personal records of millions of Americans could have been violated by a foreign power.
Perhaps they misidentified the real threats to American privacy.
In reviewing Mr. Breslin’s book, The New York Times — with tongue in cheek — described it as “one of the most imaginative spoofs of the year.” Jimmy Breslin, the review went on, “has invented a fabulous baseball club he calls the Mets.”
Except that the ’62 Mets were real. Just like the sorry state of our cyberdefenses.
By the way, seven years later, the Mets were the world champions.
Shouldn’t we get on with it, too?
• This column was first published by The Cipher Brief website, of which Gen. Michael Hayden is an investor. Gen. Hayden is a former director of the CIA and the National Security Agency. He can be reached at mhayden@washingtontimes.com.