With the Russia investigation looming large, it would be easy to forget that the US government engages in a significant amount of hacking of its own. According to Mike McConnell, director of national intelligence under President George W. Bush, President Obama’s daily intelligence briefing were primarily based on information of which at least 75% has come from government cyberspies - and this was a percentage that was apparently only going up. Michael Hayden, who headed the NSA, and later the CIA, under Bush, went even further, claiming that, ‘You’re not waiting for someone to decide to turn information into electrons and photons and send it. You’re commuting to where the information is stored and extracting the information from the adversaries’ network. We are the best at doing it. Period.’
However, while the US may be good at infiltrating the computer systems of other countries, it is still nowhere near as good as it needs to be in terms of protecting its own. This is something the US government itself readily admits, with Rudolph Giuliani, President Donald Trump’s informal cybersecurity adviser, telling a cyber risk conference in New York City last week that 'there’s a lot of work the government has to do, this administration has to do, in getting the government up to a level of security where [we] can be comfortable.'
The US government is arguably the largest repository of data in the world. It possesses information about every citizen, from cradle to grave - where you live, where you work, who you associate with, and so forth. And few organizations are better resourced to anticipate and repel any cyberattacks that could pose a threat to this data, with the federal government's IT budget set to reach $95.7 billion in 2018. However, despite such significant investment, the Government Accountability Office still reports that ‘persistent weaknesses’ in cybersecurity programs exist at the 24 agencies it studied, with almost all agencies struggling with security management, access control, and configuration management. Another survey from 451 Research found that three of five federal IT professionals believe their agency has suffered a breach.
This should trouble all Americans as it represents a clear and present danger to their way of life. It is also not a problem that is easily solved. The main issue appears to be the continued use of legacy software and hardware systems. Analysis of 552 local, state, and federal organizations by risk management firm SecurityScorecard identified that the government is particularly far behind when it comes to replacing outdated software. This problem was exposed in the 2015 Office of Personnel Management (OPM) hack, which congressional hearings blamed in no small part on the agency’s failure to shut down or secure 11 legacy computer systems that had already been identified as insecure. The hack cost taxpayers in excess of $350 million when recovery, victim notification, and identity theft services were taken into account.
There have been a number of eye-catching cybersecurity initiatives announced by this administration and the last. President Obama launched a cyberspace policy review soon after taking office in 2009 and a number of plans and strategies were announced during his tenure, the most recent being the 2016 Cybersecurity National Action Plan, which pledged to invest more than $19 billion and eye catching proposals such as a new Federal Chief Information Security Officer to help retire, replace, and modernize legacy IT across the government and closer relationships with tech giants including Facebook and Google. President Trump, meanwhile, continued the rhetoric, issuing an executive order earlier this year on 'Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure'. According to White House Homeland Security Adviser Tom Bossert, the new administration is planning to write a new cybersecurity strategy, suggesting that the slew of Obama-era cyber plans and strategies are fast outliving their usefulness. Those documents served their purpose, Bossert said, but it’s nature of cyberspace for plans to grow out of date. The early documents, for example, don’t contemplate the threat that quantum computing may one day pose to encryption or the values of blockchain technology, he said.
Bossert continued that the cybersecurity strategy is likely to be broken into three main components. These are a commitment to improve the security of federal government computer networks, to leverage government resources to better secure critical infrastructure, such as hospitals, banks and financial firms, and to establish good practices in cyberspace and introduce punishments for continuing bad ones.
Despite these efforts, it is clear that there remain real vulnerabilities, and the sluggish nature of government means that it is not responsive enough to what is a rapidly evolving threat. The way to avoid this is, ultimately, by investing heavily in ensuring that old systems are upgraded and to stop treating information security as an afterthought. This is no easy feat. The Federal government is a behemoth with millions of workers, many of whom need to be better trained in good practice. There needs to be more invested in blockchain and machine learning as a means of cyber security - many agencies even still lack cloud systems. Such technology is constantly monitored and updated so that is far more responsive as the threat changes. A Verizon Data Breach Investigations Report recently revealed that more than 50% of data breaches remain undiscovered for months, but in truth any system that is merely reacting to a hack is not going to be effective, it needs to act in advance. By using machine learning tools to analyze network data, patterns of normal behavior can be identified so that any deviation suggesting a potential attack can be identified ahead of time, and the appropriate defenses implemented so that nobody gets in for even a second. These tools work by monitoring activity across multiple network assets and real-time data streams, and immediately detect anomalies in network traffic and data flows while also recognizing new ‘normal’ activity, thus minimizing false-positive alerts.
Ultimately, it's not enough to deal with the problems as they arise, you need to keep ahead of the game. So far, the federal government has not been up to the task. If Trump's words rhetoric translates into action, for once, it might change things. But so far it remains to be seen.