Wednesday, June 17, 2015

THE OPM HACK: Intel Community Warned White House of Impending "Digital Pearl Harbor"

By Mackenzie Eaglen

Don’t say we get it wrong 100% of the time. This year’s US government threat assessment by the entire intelligence community again placed the cyber and counterintelligence threat above that of terrorism.

U.S. Office of Personnel Management (OPM) Director Katherine Archuleta rubs her eyes, as she testifies before a House Committee on Oversight and Government Reform hearing on the data breach of OPM computers, on Capitol Hill in Washington June 16, 2015. Reuters.

The report, published in February, highlights the obvious, stating that “cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact.” The massive recent breach of the government’s personnel office (OPM) is just the latest and worst example, affecting well over 10 million federal workers.

More worrisome than the acts themselves is the increasingly political calculus and rationale behind these cyber penetrations—and the failure of deterrence by the US.

The OPM breach is the perfect example. In a warning act of déjà vu, the 2015 intelligence report also noted the vulnerability of OPM’s systems specifically based on a similar attack last year. In explaining the costs of data theft, the threat assessment referenced earlier unauthorized computer intrusions on the networks of the Office of Personnel Management as well as its contractors, both of whom are “involved in processing sensitive [personally identifiable information] related to national security clearances for Federal Government employees.” Unfortunately for those current and former federal workers and military servicemembers whose information was hacked and stolen, the government cannot say it didn’t warn us.

The existence of prior warnings only worsens the irresponsibility shown by those officials leading government and OPM who seemingly dawdled for an entire year. If only the right hand would talk to the left across government.

The 2015 intelligence report also notes that a “Cyber Armageddon” scenario is a low-possibility risk. What is more likely is what is already happening, which is “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”

America’s intelligence leaders have made clear the biggest threat today is cyber and counterintelligence. Who are the largest perpetrators of these types of attacks? The intelligence report singles out Russia and China as first examples. These nations have “highly sophisticated cyber programs” and are regularly conducting “politically motivated” attacks. What are they up to exactly? Countries such as China are “reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.” Back in 2013, Verizon released a report detailing Chinese hackers lurking around inside American industrial control systems—the cyber equivalent to casing a robbery target. In 2014 alone, the FBI investigated a likely Russian hacking campaign against American banking backbone JP Morgan, while two cybersecurity firms blamed Iran for a major campaign against US critical infrastructure like major airliners, medical universities, and energy companies. As the year ended, the US government publicly accused North Korea of a devastating cyberattack against Sony.

Yet as early as 2010, cybersecurity firm Mandiant tracked the expansive Chinese probing campaign against US power generation utility companies. Even far before that, Congressman Randy Forbes (R-VA) was raising red flags back in 2007, when he forced then-Attorney General Alberto Gonzales to admit that the biggest espionage threat faced by America was emanating from Beijing. Such campaigns leave nation-state cyber aggressors well-poised to cause true physical damage, like the detonation of an Azerbaijani pipeline in 2008 that Russia is suspected of carrying out.

Currently the US deterrent lacks value, largely owing to our lack of substantive response. Detection and attribution are important, but do not weigh heavily on an adversary’s risk calculation. We have only ourselves to blame for the skewed risk vs. reward structure in the cyber realm. The report sadly affirms that the “motivation to conduct cyber attacks and cyber espionage will probably remain strong because of the relative ease of these operations and the gains they bring to the perpetrators.”

The result is a cyber world where multiple actors “continue to test their adversaries’ technical capabilities, political resolve, and thresholds.” Worse yet, the “muted response” by many victims to these electronic attacks has “created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation.”

Regular attacks of a political nature in part designed to test America’s political resolve in forcible actions just short of war are the cyber realities confronting the US today. Though the 2015 intelligence report considers chances of a cyber-9/11-type event as “remote,” a continuously weak US response to aggression will increase the odds to “possible” and maybe even “likely” in the coming years.

