Constant Crisis: Federal Cybersecurity’s Administrative Failures Highlight Key Policy Challenges

CONSTANT CRISIS

Although the White House, and in particular the American military establishment under Cyber Command (CYBERCOM), has attempted to unify a policy framework for a comprehensive cybersecurity plan, persistent administrative failures at the agency and inter-agency level have led to severely compromised computer networks. Since 2005, over 709 breaches have occurred within the public sector, compromising over 171 million individual records. Other intrusions into federal records by “cyber militias” have been widespread, and increasingly professionalized groups of young hackers are routinely at the front lines of increasing numbers of network attacks and penetrations.

Many of the compromised data sets included personally identifiable information (PII), such as social security numbers, names, addresses, and credit card information.  The 2015 disclosure of what ultimately would amount to over 20 million federal workers’ background investigations, accidentally disclosed by the Office of Personnel Management, is just one of such sets: it is also the largest leak in the history of the country.  A federal worker’s entry into an agency is precluded by a background investigation of varying complexity, usually involving several points of PII. The disclosure included up to 1.1 million fingerprints, and up to 1.8 million spouses and relatives of federal workers interviewed under extensive background checks now face the uncertain consequences of the data breach.

Breaches of governmentally administered data are only part of the larger cybersecurity challenge: retailers and other merchants have compromised over 257 million personal records; in addition, some 43 million medical records have been disclosed in the last ten years. These breaches reflect the growing dependence by many industries on digitally storing large sets of data, and the impunity with which customers will provide phone numbers, email addresses, and even social security numbers in return for weekly updates or special offers. Another aspect of the cybersecurity challenge reflects a sense of overwhelmed defenses in a highly connected world that incessantly seeks higher data transfer speeds. In this setting, the threat of disclosure, whether through the hacking of private or government records, reflects a constant crisis subject to increasingly sophisticated attacks.

HOW DID WE GET HERE: POINTING FINGERS?

  1. The Department of Homeland Security

Cybersecurity has been a serious concern since the first computer networks were put into place in the federal government. In 1977, Senator Abraham Ribicoff[1] introduced the first computer safety bill. By 1983, when a popular film called “War Games” depicted a teenager hacking into United States Strategic Command and narrowly averting World War III, SWAT raids were already confiscating Apple II computers and network passwords. The first agency or program to deal exclusively with cybersecurity of any nature within the United States federal government was the Computer Emergency Response Team (CERT), now a part of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.

CERT operates the Cybersecurity National Protection System, which guard’s critical infrastructure from malicious intrusions via four distinct capabilities: detection, analytics, information sharing, and prevention of malicious intrusions. The capabilities of CNPS, bundled together into a software program known as EINSTEIN, are scheduled for progressive implementation into all federal civilian agencies by 2016. Operational implementation of EINSTEIN’s updated system, E3A, was sped up by three years, making the third iteration of the system available sooner than the original date of 2018.

E3A’s technical capabilities are centered around collecting indicators of cyberthreats. These indicators are present within data left by intruders in previous breaches. E3A is a program conducted by the cybersecurity analysts of DHS’ Office of Cybersecurity and Communications (CS&C). In a real sense, E3A is the executive branch’s current frontline of defense, and it is available to civilian agencies in an incremental stage until wide-scale adoption in 2016. More than one cybersecurity analyst has already stated that it is 15 years behind the times, and it appears that E3A had been active at the time of the attack[2]. Many questions about the effectiveness of a 3-billion-dollar program are now at the forefront of the program’s criticism.

  1. The Office of Personnel Management

The severity of the Office of Personnel Management’s disclosure does reveal a vulnerability that may have compromised their ability to withstand this particular intrusion. Even if OPM was not covered under EINSTEIN, and it was, it was required to submit to regular internal inspections under the Federal Information Security Act, first introduced in 2002, and amended in 2014[3].

According to the OPM, the very fact that they were able to perceive that any records had been compromised in the first place was due to improvements in their cybersecurity infrastructure in 2013. Had they not introduced these new capabilities the agency would likely have not reported any wrongdoing. According to the Office of the Inspector General at OPM, several vulnerabilities exploited by the 2015 hacking group were found and recommended after the 2013 implementation of OPM’s information security infrastructure improvements. 

CONCLUSIVE ILL

Many sources in the news media cited Chinese militias as the cause of OPM’s high-level disclosure of PII. Hacking groups sponsored by the Chinese government have made regular headlines between 2005 and 2015; a specific People’s Liberation Army component has been found indicted in absentia by an American court. While this was entirely symbolic, it did underscore the tensions latent between both the US and China. The story of how these particular hackers managed to access, view, and store the data is a common one: a search for vulnerabilities within the information technology systems within an organization, followed by exploitation to find a “backdoor” to access. Among the key vulnerabilities cited by the Office of the Inspector General at OPM was the absence of multi-factor authorization. This type of authorization requires two or more passwords to log onto a network. More importantly, the OIG included evidence of a “significant material weakness” in information technology governance: neither the expertise nor the equipment was at hand to combat cyberthreats.

The disclosure at OPM symbolizes a watershed moment in federal cybersecurity in the United States. As networks become more and more crowded with increasingly sophisticated users, a sluggish response to threats can only highlight the failure of administrative responses to increasing the security of information technology.

Sources Referenced:

[1] (“Timeline: The U.S. Government and Cybersecurity”)

[2] (Otto, “DHS official: Einstein 3A is 15 years behind the times”)

[3] (“Federal Information Security Management Act Audit FY2014 “)


Pieter van Wassenaer '16

Pieter van Wassenaer is an Associate Editor for the Cornell Policy Review and Master's of Public Administration Candidate at The Cornell Institute for Public Affairs. He is concentrating in Government, Politics, and Policy Studies and his interests include issues of European integration, national identities, and intergovernmental organizations. He is a citizen of both the United States and the Netherlands, and originally hails from Amsterdam.
Scroll to Top