In cyberattacks, blame the victim



Jun 19, 2015
James Jay Carafano

Senior Counselor to the President and E.W. Richardson Fellow

James Jay Carafano is a leading expert in national security and foreign policy challenges.

It's called The Great Game. Big nations perpetually battle for advantages, going after each other like LeBron James and Stephen Curry tussling for loose balls in the NBA finals.

So when China is accused of pulling off the hack of this young century — scarfing up massive amounts of personnel files from the U.S. Office of Personnel Management (OPM) — well, just chalk it up to China being China.

Gathering intelligence on other governments is part of The Great Game. And personnel files are exactly the kind of government-controlled information that other nations covet the most. "The real trick in human intelligence," explains Ronald Marks, a veteran intelligence officer, "is finding people with access to important people and their information."

For the U.S. government, the OPM holds the mother lode of that kind of data. By some estimates, as many as 14 million records were lost. It's a massive treasure trove of information that can help sharpen the targeting for future intelligence gathering. Point Beijing.

It is tempting to argue that the federal government should have been better prepared for exactly this kind of cyber assault. But cracking into cyber systems from the outside, especially systems not highly classified, does not require ninja cyber skills. Often, it's done through persistent phishing — gaining entry credentials such as passwords by tricking legitimate users into handing them over.

But while it's understandable that Washington couldn't stop the attack, it's unforgivable that the feds couldn't stop the hackers from taking so much out and running their vacuum cleaner operation for so long undetected.

In this case of cyber combat, the administration has no one to blame but itself for suffering a cyber-Waterloo.

A big part of the problem lies in the feds' approach to cyber security. Washington spends too much time trying to tell the rest of the world what to do and too little on getting its own house in order.

In 2012, analysts at The Heritage Foundation began compiling a database that documents and analyzes major breaches of federal cyber systems. The results were appalling. Up to last October, there were more than 23 major failures in every agency from the Pentagon to the Department of Health and Human Services. The list has only gotten longer.

What makes the government's track record even more inexcusable is that it comes years after making cyber security a top priority. President Obama first appointed a cyber czar in 2009. Most of the White House effort, however, seems to be for show — conferences that rack up frequent-flier miles and strategies that take up shelf space.

On the practical side, the score seems suspect. The Oval Office has sought cyber security legislation that takes a heavy-handed regulatory approach, in which Washington dictates what security practices are best for the private as well as public sectors. In the constantly and rapidly evolving world of cyber espionage, it's a slow-footed, doomed-to-fail approach. Luckily, the administration has largely failed to press Congress to embrace this approach.

Similarly, the White House rolled out a poorly thought-through plan for divesting control of The Internet Corporation for Assigned Names and Numbers, which manages IP addresses on the Internet — pretty much ground zero for ensuring responsible management of the global network that carries everything online.

Meanwhile, deployment of EINSTEIN — the massive government intrusion-detection program that was supposed to handle threats such as the OPM attack — is far behind schedule. Worse, it could already be technologically obsolete.

The White House needs to put some real energy — and creativity — into its cyber security operations. Rather than heap more regulations and red tape on the Internet and its users, Washington should focus on facilitating public and private information-sharing about cyber threats and effective prevention and mitigation responses.

Meanwhile, the government needs to get serious about the state-managed cyber threats that are eating our lunch. Russia and China are our top competitors now. But Iran and North Korea are coming on strong.

 - James Jay Carafano, a vice president at The Heritage Foundation, is author of Wiki at War: Conflict in a Socially Networked World.

Originally appeared in USA Today