Monday, July 6, 2015

Exploring America's Lack of Cyber Strategy

James McFarlin

The emperor's clothes are coming off. A series of high-profile cyberattacks against government agencies are blasting open the true seriousness of the internal weaknesses in America's lack of cyber preparedness.

And the world is watching the undressing. Articles and commentary in traditional print media to professional journals and blogs are increasingly critical of not only America's cyber weaknesses but its lack of seriousness in addressing the issue.

The recent Wall Street Journal article "We're Losing the Cyber War" addresses years of Obama administration passivity in the face of repeated digital attacks. The Office of Personnel Management attack, in which 18 million or more federal employee employment records, including security clearances, is a case in point. While the data loss is calamitous in its own right, the lack of responsibility shown by the agency's management can only be viewed as arrogant, and lacking responsibility.

OPM director Katherine Archuleta, in a Senate hearing investigating this loss, stated "I don't believe anyone is personally responsible. If there is anyone to blame it is the perpetrators." This display of self-defiance was offered with a straight face in spite of the fact that the OPM Inspector General's office had warned the agency for more than three years of its widespread cyber defense weakness, warnings that largely went unheeded.

Perhaps feeling pressured by this attack as well as network breaches in the Internal Revenue Service, Department of State, US Army, and others, the White House then issued a directive for agencies to plug their gaping holes in cybersecurity. A "30-day "cyber sprint" was initiated, where agencies were ordered to shore up their defenses. This in spite of the fact that they had largely failed to do so for years.

At least two thoughts come to mind here. The first is the absolute naivete of this exercise, which has been described as everything from a smokescreen to hype to a hail Mary. The second: Where have these priorities been? House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah), stated "The cyber race started fifteen years ago," and that this action was "coming too late" to be effective.

We face a serious national security threat from the cyber realm. When will this be taken seriously? Lee Hamilton, co-author of the 9/11 Commission Report, perhaps stated our problem best. In an update to that report issued on September 11, 2014, he said: "One of the problems in 9/11 was the lack of imagination of the terrorist threat facing us. Let's not make that same mistake in the cyber realm."

Seems as though we did that undressing some time ago.