Imagine this: a private company discovers that detailed personal identifying information—including Social Security numbers, dates of birth, passport data, foreign travel histories, and other sensitive personal and private data—for more than 25 million people has been compromised in successive security breaches. How swiftly do you think government officials, regulators, and policy makers would be demanding strong action?
The breaches at the Office of Personnel Management (OPM) of sensitive personal information, including the many counterintelligence nuggets often found in security background forms, have brought calls for action, followed by the inevitable resignation of the OPM Director. Much more in the way of serious reform is needed. A resignation alone, or a few fixes in one agency, will not counter the ongoing cyber threat posed by the Chinese, Russians, Iranians, cyber criminals, and terrorist organizations. We need a fresh examination of the federal government’s approach to cybersecurity, and we need new ground rules. We cannot continue to be punched in the nose and simply turn the other cheek, shrugging off the theft of classified and proprietary information.
The federal government should lead by example, achieving the level of cybersecurity and compliance it demands of the private sector. Yet, even as the government has criticized the information security practices of private companies that have suffered far less devastating breaches, its own practices have left much to be desired. According to a recent Wall Street Journal article, deficiencies in OPM’s technology systems and processes were apparent and well-documented for years. Such deficiencies are not unique to OPM. For example, a January 2015 review of the Department of Homeland Security by the Ranking Member on the Senate Homeland Security Committee, citing repeated Inspector General audits, noted that DHS “offices and employees do not always comply with federal rules and policies for agency cybersecurity.” That's not exactly reassuring, considering this is the department charged with much of the responsibility for the nation's critical infrastructure.
Getting the practical and technical pieces right is imperative, but, as a nation, we need new, reasonable, and responsible ground rules in place to address growing cyber threats. Simply put, how should we respond to cyber attacks sanctioned by foreign governments or carried out by terrorist organizations? We can no longer ignore the cyber threat they pose, or treat them in the same way as organized crime or cyber criminals. We must develop clear parameters for what constitutes an act of cyber war and the permissible and appropriate responses to that act. Our nation’s well-being cannot allow invasive and comprehensive attacks to be met with no response.
Considering the significance of the government's cyber mission, the consequences of inaction, and the security, diplomatic, economic, and privacy implications, the federal government should look beyond itself for solutions. As with other national security matters, an outside team could, with the necessary resources and authorities, accomplish both of these undertakings. Composed of experts in cybersecurity, defense, intelligence, law enforcement, and corporate matters, the team should also have strong relationships with global counterparts. While there are many potential candidates, names like former FBI Director Bob Mueller, former Director of National Intelligence Mike McConnell, and former CIA Director and Secretary of Defense Leon Panetta come to mind. I have had the privilege of working closely with each of these gentlemen and they are very respected professionals.
We know the challenge, and we are seeing the threat firsthand. Now is the time for us to find the right approach and develop the sound practices, policies, and parameters necessary for the defense of this country.