Analysis 06-20-2015

ANALYSIS:

America’s Growing Vulnerability to Hacking

Last week the Obama Administration announced that over 4 million records of current and past federal employees had been hacked over the last year. This week, it was learned that the St. Louis Cardinals were being investigated for hacking into rival baseball teams’ computers. Hillary Clinton’s private email server that she used during her tenure as Secretary of State was hacked by the Chinese, and possibly the Russians, North Koreans and Iranians.

The damage is hard to exaggerate. Former NSA counterintelligence officer John Schindler calls it a “disaster” in a column headlined “China’s hack just wrecked American espionage.” Joel Brenner, America’s top counterintelligence official from 2006 to 2009, says the stolen data amounts to the “crown jewels” of American intelligence. “This tells the Chinese the identities of almost everybody who has got a United States security clearance,” he told the Associated Press.

What is happening? Why has the US become so vulnerable to cyber attacks? Is this a new phenomenon, or has it become a more visible threat than in the past?

While investigating the security breach at the Office of Personnel Management (OPM), the House Oversight Committee concluded Tuesday that “state sponsored and non-state sponsored hackers are aggressive, motivated, persistent, and well-funded in their attempt to breach government and commercial systems.”

The fact is that American government computers are hacked on a regular basis and the government has downplayed it rather than admit that they have made mistakes. In addition, many federal agencies have been tardy in hiring cybersecurity experts.

In the last week, millions of American government employees, former employees, contractors and more were informed that their personal information had been hacked. According to Politico, “Administration officials have said privately that signs point to the first hack having originated in China, and security experts have said it appeared to be part of a Chinese effort to build dossiers on federal employees who might be approached later for espionage purposes.”

This represents a major security threat. The federal government, through the Office of Personnel Management (OPM), interviews everyone who requires any sort of security clearance, and asks the most detailed and personal questions about past associations, indiscretions and behavior, to make sure nothing in their past could subject them to blackmail or subversion. The interviews extend to friends and associates of those being vetted, and those people are also in the databases that have been breached.

It seems OPM failed to do everything it could to secure those records. According to David Cox, the national president of the American Federation of Government Employees, in a letter to the OPM director, “We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance and pension information; age, gender, race, union status, and more. Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.”

In addition to not protecting the data initially, the Obama administration initially downplayed the cyber hack of the OPM. It did so even though it had missed the hack for at least four months, if not more, until a company, CyTech Services, which was conducting a sales demonstration, found malware in OPM’s system that could have been there for a year or more.

Rather than admit that a private civilian group had discovered the hack, the administration tried to say it was responsible for discovering the breach. “The Department of Homeland Security had said the government’s EINSTEIN detection program was responsible for uncovering the hack,” according to Wired.com. Wired.com’s response was, “Nope, also wrong.”

“The OPM had no IT security staff until 2013, and it showed,” reports Wired.

The total number of Americans threatened is unknown as of this time, but could be as many as 14 million – including all current federal employees, retired federal employees, and a million former federal employees.

This isn’t the end of the risk. Reports of a second hack by China have added to the outrage, and compounded the problems. “Hackers linked to China have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, U.S. officials said last Friday, describing a cyberbreach of federal records dramatically worse than first acknowledged,” reported the Associated Press.

“The forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant is required.”

These haven’t been the only hacks. There have been many more and the response to these previous hacks indicated the reluctance of the administration to act decisively. The case of Obamacare is an excellent example.

As Reuters reported last year, simple stolen health information goes for around $10 on the black market, “about 10 or 20 times the value of a U.S. credit card number.” And a full health-identity profile can go for as much as $500, Politico reported. The stolen data can be used for anything from obtaining prescriptions to submitting fraudulent insurance claims. Cyberattacks targeting health-care data have doubled in the past 15 years, according to the Ponemon Institute.

Despite this clear threat, the cybersecurity records of both HealthCare.gov and several state exchanges are spotty and plagued by numerous glitches that might have put the personal information of enrollees at risk.

Shortly before the latest enrollment period, the Government Accountability Office released a report detailing myriad security vulnerabilities on the federal exchange. It discovered that password controls and Internet-access restrictions were lacking, in addition to other problems.

The GAO wrote, “Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternative processing site to avoid major service disruptions. While CMS [Centers for Medicaid and Medicare Services] has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the [federal exchange].”

The Health and Human Services inspector general reported last September that it had found one critical vulnerability in HealthCare.gov and two critical vulnerabilities on the servers. HHS said it was working on fixing all of these, but the inspector general’s report noted that “these critical vulnerabilities placed the confidentiality, integrity, and availability of [personally identifying information] at risk and could have allowed unauthorized access to consumer [personally identifying information].”

There’s evidence that agency leaders knew about these vulnerabilities and the risks posed by them before HealthCare.gov launched. A memo from the Medicare chief, obtained by The Associated Press, reported that scant testing before the rollout “exposed a level of uncertainty that could be deemed as a high risk.”

Not only was the system vulnerable, it has been hacked. In July 2014, hackers actually broke into a HealthCare.gov server and uploaded malicious software. However, the Department of Health and Human Services didn’t discover the breach until late August.

Rather than inform enrollees that their information was threatened, HHS kept the incident secret. When they were questioned about their failure to act, HHS said it did not believe hackers had accessed enrollees’ personal information during that breach.

HHS also defended its action of not informing the enrollees because no law requires HHS to notify the public of a breach. HHS has also refused to include a provision guaranteeing disclosure in case of a security breach.

There have also been breaches in state health care systems, including California, New Mexico, and Nevada.

Ignoring the Warnings

OPM, and the government as a whole, have received numerous warnings about their lack of adequate security. “U.S. Was Warned of System Open to Cyberattacks,” reported The New York Times on June 5, describing OPM’s 2014 security as “a Chinese hacker’s dream.”

The 2014 OPM Inspector General’s report was based on an analysis conducted between April and September of 2014. While the administration has said that the attack occurred in December of last year, The Wall Street Journal’s Damian Paletta and Siobhan Hughes wrote of the first reported attack: “Investigators believe the hackers had been in the network for a year or more” when it was discovered in April.

That IG report stated that OPM’s status was “upgraded to a significant deficiency” due to a planned reorganization, and that it had “material weakness in the internal control structure” of its IT program.

Will there be Change in American Cybersecurity?

Obama and the White House have been slow to call attention to computer weaknesses and other cybersecurity failures. The website FastCompany this week published “an exclusive and wide-ranging conversation” with Robert Safian in which “the President explains his take on Washington’s technology problems – and his solutions.” Yet the interview never once addressed, or even mentioned, the OPM breach of federal employee data.

As far as cybersecurity goes, Obama briefly talked about HealthCare.gov’s troubles, which he said had occurred largely because “you couldn’t use traditional procurement mechanisms in order to build something that had never been built before and was pretty complicated.”

These events show that the federal agencies tasked with protecting Americans’ data are unwilling to take dramatic steps. That being the case, who can change the inertia in Washington?

Although Congress is holding hearings on the issue, these agencies are under the executive branch and answer to Obama and the White House. However, given his answers in the FastCompany interview, he is not willing to pressure his subordinates.

It appears that this cybersecurity threat has grown worse under Obama. The 2013 OPM Inspector General report indicated a lack of IT security policies and procedures that worsened in fiscal year 2009. They noted that as of fiscal year 2013 instituted reforms had “only been partially implemented.”

“If OPM is behind on cybersecurity, which it is, it has plenty of company,” reported the Washington Post on June 7. Almost all, 23 of 24, major agencies cited these security issues as a “major management challenge for their agency,” it reported. The Government Accounting Office indicated last year that the number of breaches involving personally identifiable information has more than doubled between 2009 and 2013, according to the Post.

The New York Times article cited an unnamed former Obama administration official as saying, “The mystery is what took the Chinese so long.”

Currently the White House seems to underestimate the cybersecurity threat. When asked about the IG reports, White House press secretary Josh Earnest insisted on setting the cited reports aside, because “there is risk associated” with using any computer network. The White House press secretary also used vague language to describe security upgrades after the first cyber intrusion was reported. He cited “ongoing efforts” to “update our defenses and update our ability to detect intrusions” and blamed Congressional inaction.

Some have concluded that Obama isn’t interested in pushing security reform because it might require firing some government employees, a critical segment for the Democrats. Others say it might be fear that a fired employee might turn whistleblower and reveal some embarrassing scandals within the executive branch.

Given Obama’s interest in other issues and the fact that he no longer has to worry about being reelected, this issue appears to be headed to the back burner. To admit that there needs to be a push to improve America’s cybersecurity is to admit that the government has failed to do its job in the last seven years. And, the White House has proven to be extremely loath to admit failure.

Cybersecurity will improve as agencies are forced to react to hacking and other cyber-intrusions. However, there appears to be no unified effort for the foreseeable future.

PUBLICATIONS

Millennials and U.S. Foreign Policy: The Next Generation’s Attitudes toward Foreign Policy and War (and Why They Matter)

By A. Trevor Thrall and Erik Goepner

Cato Institute

June 16, 2015

The Millennial Generation, those roughly 87 million adult men and women born between 1980 and 1997, now represent one quarter of the U.S. population, outnumbering the Greatest Generation (1913–1924), the Silent Generation (1925–1945), the Baby Boomers (1946–1964), and Generation X (Gen Xers) (1965–1979). In addition to being far more likely to have posted a “selfie” on social media than other generations, the Millennials also have distinct attitudes toward a range of important foreign policy issues. With those on the leading edge of Millennials now hitting their mid-thirties, this cohort is becoming increasingly influential. Just as the generations before them, the Millennials’ worldviews owe a great deal to early life experiences and the foreign policy issues that dominated their childhoods. The main drivers of Millennials’ foreign policy attitudes fall into two major categories. The first category comprises the trends and events that started or occurred before the Millennials came of age and provide their historical context. This includes the end of the Cold War and the evolution of the global distribution of power, the development of the Internet, and the acceleration of globalization. The second category includes major events that have occurred so far during the Millennials’ “critical period,” the period between the ages of roughly 14 to 24 when people are most susceptible to socialization effects. Most obviously these include the attacks of 9/11 and the wars in Afghanistan and Iraq.

The Death of AQAP Leader Nasir al-Wuhayshi

By Thomas M. Sanderson, Joshua Russakis and Claire McGillem

Center for Strategic and International Studies

June 16, 2015

On June 12, 2015, al Qaeda in the Arabian Peninsula (AQAP) leader and al Qaeda Core (AQC) deputy director Nasir al-Wuhayshi was killed in a CIA drone strike in southeastern Yemen in the coastal city of al Mukalla. On Tuesday morning, AQAP’s al Malahem media outlet released a recorded video statement confirming his death; the video appears to have been made on June 15, 2015. Confirmation of this strike comes only a day after an allegedly successful strike in Libya that is thought to have killed long-sought Algerian jihadist and al Qaeda (AQ) loyalist Mokhtar Belmokhtar. These strikes against high-value al Qaeda members come at a time when the larger organization is facing competition for global influence and notoriety from ISIS, whose operations have demonstrated far greater capability and impact than anything carried out by the al Qaeda network since the attacks of September 11, 2001.

The Military Balance in a Shattered Levant

By Aram Nerguizian

Center for Strategic and International Studies

June 15, 2015

The war against ISIL and the civil war in Syria have highlighted the importance of the military balance in the Levant and the extent to which it has an impact on Iraq and the Gulf, the flow of global energy exports and the world economy, and international terrorism. Aram Nerguizian has prepared a comprehensive analysis of the changing military balance in Syria, Egypt, Lebanon, and Jordan that updates our previous analysis and reflects extensive research in the region and work with security experts in the US and Europe.

Stop decapitating, start interrogating

By Marc A. Thiessen

American Enterprise Institute

June 17, 2015

The Washington Post reports this morning that the missile strike that killed al Qaeda leader Nasir al-Wuhayshi in Yemen is not likely to have a lasting impact: “[T]he continued spread of al-Qaeda’s ideology and the emergence of brutal new offshoots, including the Islamic State, have underscored the limitations of a US strategy that remains largely reliant on “decapitation” strikes…. White House spokesman Ned Price said that Wuhayshi’s death “removes from the battlefield an experienced terrorist leader and brings us closer to degrading and ultimately defeating these groups.”

How much closer, however, remains unclear. Many officials and experts in the US counterterrorism community now see the destruction of al-Qaeda and its progeny as a more distant goal than at any time since the Sept. 11, 2001, attacks.”

Did Iran’s leaders admit they are intellectually bankrupt?

By J. Matthew McInnis

American Enterprise Institute

June 16, 2015

Iran is perhaps facing its most ominous security environment since the Iran-Iraq War, yet Iranian leaders are being surprisingly open and frank about the severe challenges they face and their need to find better strategies in response. Parliament Speaker Ali Larijani said on June 10 that the war against terrorists was “more difficult” than the war against Israel. Former Islamic Revolutionary Guard Corps (IRGC) Commander and current Expediency Discernment Council Secretary Mohsen Rezaei even suggested the next day that regional insecurity brought on by ISIS may “last 5 to 10 years.” In addition to concerns of internal legitimacy, the increasingly unstable region has raised fears that Iran’s claim to leadership of the Islamic world—a foundation of its foreign policy and political identity—may be mortally threatened by ISIS, the growing sectarian conflicts in the region, and domestic weaknesses, in addition to the usual concerns over Western power.

Leave It to Europe: Why Iran Is Not (Solely) America’s Responsibility

By Cornelius Adebahr

Carnegie Endowment

June 8, 2015

National Interest

Even before a nuclear deal with Iran has been signed, the debate in Washington has shifted to the regional implications of a possible accord. But lessons learned from the success of the nuclear negotiations so far help explain why the United States should not lead international efforts to bring about regional cooperation with Iran. Instead, Washington should let its European allies take the initiative. After all, it was the European Union—particularly France, Germany and Britain—that laid the diplomatic groundwork since 2003. They brought China, Russia and the United States on board and, in close transatlantic coordination, pursued a two-track approach of sanctions and diplomacy that led to the current nuclear talks.

Iran Strategy Brief No. 7: Iran’s Various Voices
By Ilan Berman

American Foreign Policy Council
June 17, 2015

Is the Islamic Republic of Iran a country or a cause? For decades, the question is one that has bedeviled Western observers. Foreign politicians and diplomats long have struggled to reconcile the Iranian regime’s radical rhetoric and destructive international behavior with its pragmatic participation in numerous treaty arrangements, and its prominent role in various multilateral forums.

A Campaign in Saudi Arabia Challenges Young People to Rethink Their Biases

By Joseph Braude

Foreign Policy Research Institute

June 2015

A three-minute video, posted by a Saudi government-backed organization to YouTube on June 4, has garnered 150,000 views in 48 hours and sparked a discussion in the kingdom about how to stem sectarian conflict. In “The Hidden Killer,” a voice speaking Saudi-inflected Arabic asks the viewer to guess the identity of a force “worse than disease, natural disasters, and famine” which kills not only innocents by the hundreds of thousands but also entire states… The King Abdulaziz Center for National Dialogue, which commissioned the video, was established in 2003 in the wake of the September 11 tragedy and a subsequent series of Qaeda-linked terror attacks in Riyadh which claimed more than 40 lives. It aimed to offer a platform to “debate reform and suggest remedies” for the terror indoctrination which had precipitated the attacks, and mitigate sexism and sectarian incitement through dialogue. As is often the case with such efforts, the impact is hard to gauge. But last month’s suicide bombings of two Shi’ite mosques in the kingdom’s Eastern Province, for which the Islamic State claimed responsibility, have thrown the enduring problem into stark relief.

Riyadh Looks to Moscow 

By Simon Henderson

Washington Institute

June 17, 2015

On June 17, Saudi deputy crown prince and defense minister Muhammad bin Salman (a.k.a. MbS) arrived in Russia to meet with President Vladimir Putin. The visit, which was kept secret until a few hours before he left the kingdom, follows a series of recent communications between Putin and the prince’s father, King Salman. In April, the two spoke by telephone, and on May 27, a Russian special envoy met with the king the day before the new Saudi ambassador presented his credentials in Moscow. Speaking this week, the Saudi envoy spoke of the “deeply rooted historical ties and the permanent evolution” of the relationship between the two countries. In reality, bilateral relations have been awkward if not antagonistic. King Salman’s father, King Abdulaziz, loathed “godless communists” and broke diplomatic relations with the Soviet Union in 1938. It was not until 1992 — after the Red Army’s defeat in Afghanistan at the hands of Saudi-backed mujahedin fighters and the subsequent collapse of the Soviet Union — that ties with Moscow were reestablished.
