By most counts, there are 45 government organizations managing dozens of cybersecurity initiatives right now in the U.S. Many of those initiatives impact you and your personal data directly. One of those initiatives, the U.S. Computer Emergency Readiness Team, or US-CERT, partners with private sector infrastructure owners and operators, as well as universities and other government agencies, to make sure America’s corner of cyberspace is protected.
US-CERT posts alerts on its site about high-level security threats, but they’re bits of information—like, say, a Google Chrome security update—that get published first on other websites. They’re not surfacing important cyberthreats as much as they are reporting what companies are already telling the public. Elsewhere on the site, resources intended to protect everyday people from persistent cyberthreats haven’t been updated since February 2013.
I realize the average person isn’t buying a new iPhone and immediately clicking over to US-CERT to learn about the latest mobile malware. The average person probably doesn’t even realize that such a government website exists. US-CERT describes itself as “collaborative, agile, and responsive in a dynamic and complex environment.” The problem is that those adjectives describe hackers, not our government agencies. Although US-CERT doesn’t exist simply to inform the public about hacker threats, the way information is relayed on its website is emblematic of a large organizational challenge that’s becoming more and more difficult to manage.
Cybersecurity is incredibly complicated, and the programs and tools through which hackers operate are always evolving. To complicate things, hacking isn’t linear. Hackers can infiltrate your home computer and hold your personal photos for ransom. They can infect the thumb drive you share with your co-workers. They can scrape credit card data from online retailers. They can send you fake tax returns. They can compromise our emergency alert systems.
Given the growing threats to our personal, business, and government data, it seems as though the government should establish a central office whose sole purpose is to coordinate cybersecurity protocols. That agency should be led by experienced white-hat hackers and computer scientists who also have ample experience in administration and management.
In a sense, managing our nation’s tech health is similar to managing the personal health and safety of American citizens, and we already have a dedicated readiness agency for that: the Centers for Disease Control and Prevention. It conducts research, deploys emergency response units, coordinates as needed with other agencies, and informs the public during critical disease outbreaks. We’ve seen the CDC in action during the most recent Ebola crisis; the CDC has been a primary source for journalists covering the outbreak, and it has communicated quarantine orders with other health agencies. Individual government units such as the Border Patrol don’t have their own independent teams dedicated to Ebola—instead, the Border Patrol follows a standard protocol, coordinating with local health officials, who then coordinate with the CDC.
When it comes to cybersecurity, there is no comparable central agency or standard protocol. I’m certainly not minimizing the severity of an infectious outbreak like Ebola, but I also wouldn’t minimize the threat of hackers infiltrating the U.S. Army Corps of Engineers databases. Data breaches that involve public infrastructure could cause harm to human life, too, and potentially on just as large a scale.
The CDC’s managers are physicians and scientists with extensive hands-on medical and public health administration experience. Their current director investigated drug-resistant tuberculosis and the H1N1 virus. The CDC’s chief operating officer, whose primary responsibilities are financial and organizational operations, also has an advanced degree in public health. But technology leaders in government aren’t expected to have commensurate expertise. Sure, there are some Department of Homeland Security officials with advanced technical skills. But the White House Cybersecurity Coordinator has no formal training in math and computer science. The acting director of the National Institute of Standards and Technology—the office that just handed down the White House’s official cybersecurity framework for protecting critical infrastructure—has a Ph.D. in chemistry.
In February, a Senate report described a number of security breaches that pose a threat to American citizens. Hackers stole data on our weakest dams, including those that could kill someone if they failed. They used the Emergency Broadcast System to broadcast zombie attack warnings—which might be funny if it didn’t underscore how vulnerable that system is to intruders. Even the National Institute of Standards and Technology got hacked, and its database of known software vulnerabilities was offline for days.
All of these agencies have their own internal auditors and inspectors general investigating their systems. In October 2012, the Department of Energy’s inspector general reviewed the Western Area Power Administration, which has oversight for 15 central and western states. The audit found that “nearly all” of the 105 computers tested needed to be patched. One of the servers was still using a default name and password, which “could have allowed an attacker with an Internet connection to obtain unauthorized access to an internal database supporting the electricity scheduling system.” Just a few months ago, hackers infiltrated the DOE and stole data on 100,000 people. The IG blamed that theft on outdated software. It turns out that an upgrade had been purchased; it was just never installed.
The DOE is just one agency. There are audits that reveal similarly troubling findings for other groups, including the IRS, the Nuclear Regulatory Commission, and the Department of Education.
My point is that government administrators in cybersecurity aren’t as effective if they haven’t been in the trenches fighting hackers. Maybe those DOE patches weren’t made because they seemed like those run-of-the-mill Windows updates on our home computers that we like to ignore. Leaders without technical experience and knowledge aren’t equipped to ask their staff important questions or make good proactive decisions. There’s just too much changing every day for a non-expert to be at the helm. As hackers poke holes in our existing tools, they reveal new vulnerabilities in our operating systems, our Internet browsers, our databases and servers. Rarely does any digital tool operate completely independently, which means that when one company releases an update, it may cause problems for the ancillary services it uses. An example: A browser might change its settings, causing a few lines of code on a banking website to behave differently. If left unchecked, that could potentially expose a user’s account information to hackers.
Consumers are buying and using technology at an unprecedented rate, and they don’t fully understand how the new digital equipment and tools they’re using can be compromised. At some point, there were government employees assigned to write, edit, approve, and post the 48 PDFs on US-CERT’s website. If someone thought it was important enough to create those documents, shouldn’t it be just as important to make sure that content is current? Maintaining a bunch of PDFs isn’t US-CERT’s main function, of course, but part of its charge is to keep the public informed—and if US-CERT can’t help consumers learn how to fend off cyberattacks, some other agency should take the helm and wage a comprehensive publicity campaign.
It’s time to treat our digital ecosystem the way we do public health. The solution is an agency staffed by cybersecurity experts who understand the delicate balance between national security and personal privacy. They must create protocol that’s proactive and have the authority to enact it. There should be a unified process in place for threats to critical infrastructure, one for which all private contractors receive ongoing training. Currently, there is no single organization that’s aware of all the cyber-related research and development work being funded by the government. An agency should be responsible for coordinating that research, making sure it’s not redundant across agencies and can actually be used.
Some of these ideas have already been articulated as part of the White House’s Comprehensive National Cybersecurity Initiative. It’s a well-crafted government report, with a lot of acronyms and official names. But the layers of offices and task forces and teams involved are a tangled mess compared with how hackers operate. In their world, they operate alone or in clusters. They’re nimble and fast. And they can cause havoc in an instant.