Home » Articles posted by Ronald Marks

Author Archives: Ronald Marks

Is There A Cyber Doctrine in the House?

The rites of post-election spring in D.C. are constant. Newly elected politicians struggling to get a handle on their job. The blooming of new rumors with regards to who is taking what undersecretary job and who is against them. Like the cherry blossoms bursting forth here in April, it is a dependable ritual.

Another cherished ritual is trying to figure out exactly what kind of policy direction the new Administration needs to pursue on infinitely complex matters – ones that seemed so easy in the campaign. In the case of cyber space and the U.S. intentions and actions therein, it is extraordinarily complicated.

New issues – 21st century issues – are hard to deal with in D.C. This town was born in World War II and its bureaucratic structure is a tribute to mid-20th century organization charts – layered and stove-piped. And they certainly not meant to deal with private sector issues beyond taxation and regulation. But, the cyber world we live in today hardly fits the U.S. Government model.

President Obama was the first to experience cyber space – and its connecting systems of the internet – full blast. Within his eight years, Obama was whipsawed by a world-wide social media explosion, the rapid decline of “old media” information providers, an acceleration of the decline of traditional “brick and mortar” business replaced by virtual offices, and a rapidly expanding “gig economy” for a new generation of young people.

The Obama Administration also experienced a domain in which America lost its position as the dominant player – with less than ten percent of the world’s users and shrinking — that could be outmatched and outwitted by smaller, more agile players from North Korea to groups like Anonymous and WikiLeaks. They exposed our public and private secrets. They reached into our inadequately secured systems. And they did it with relative impunity.

Other larger nation states sensing our vulnerability – particularly Russia and China – have used cyber space to their advantage. While controlling its use over its own population, Moscow and Beijing have gleefully used it to steal our secrets and to exercise power in our elections. They have literally built armies to exploit this new domain. America might be powerful on land, sea, air, and space. But we are more than equaled by them in cyber space.

At home, complicating our actions has been the development of a huge cyber culture. Eighty-five percent of cyber space is held in private hands. Five of the six top U.S. companies by market worth are tech firms ranging from Apple to Facebook to Microsoft. Mark Zuckerberg, Steve Jobs, Jeff Bezos, and Bill Gates are household names. And with them has come a libertarian generation who view all government as inept, and value information security above issues of national security.

So, What Is a Government to Do?

The Obama Administration did what governments traditionally do. They reacted big time. They set up “public-private partnerships.” The cleaved a Cyber Command out of the body of the NSA. They engaged in a series of meetings with international players – governments and corporations – to establish rules of the road in cyber space. And they set up department functions at FBI, DHS, and elsewhere to address specific issues with another in a line of relatively powerless White House czars – always forgetting what happened to the last czar of Russia.

And after all that effort, how is the USG doing? Well, the Russians stuck their noses deeply and freely into their first American election. Security in cyber space remains somewhat of a joke with endless breaches and continued thievery of information. The public-private partnership is a morass of disappointment for both the public and private sector. The internal USG bureaucratic struggles march onward over who is in charge of what and can reach out to whom. Mark Zuckerberg, further solidifying America’s cyber culture, wants to run for President. And we have a President who tweets.

It seems to me the time has come to establish a clear U.S. based doctrine for cyberspace. What does the USG want for our country from cyber space? In the Cold War, we pursued a series of strategies around a doctrine of Containment. We did not want the USSR to make the world communist. We would not allow another country to become communist. We would try to change over the ones that were. And we wanted to tip over the USSR. Not easy. Lots of failed strategies and some pretty successful ones. Took nearly 45 years. But we did it.

So, what about a Cyber Doctrine that simply says America needs to protect itself and its interests at home to maintain a free and secure internet for Americans – a National Cyber Security Doctrine.

First of all, recognize it’s going to take time to build success and we need to be flexible. We are in the earliest stages of cyber world. It’s like trying to determine air power strategy in 1914. In 20 years, we’ve gone from dial-up modems to the Internet of Things. Artificial intelligence is just in its infancy. We don’t know what we don’t know.

Second, understand that we are simply internationally outgunned on this one. There are four billion users of cyber space and the number continues to rise every day. There are 325 million Americans. We are big. But China and India are bigger. And so are the populations of the Middle East, Latin America, and Africa. And most of them don’t have a libertarian viewpoint of the world. We can continue negotiating internationally, but it is going to do little good for now.

Third, the White House needs to ask what can government do to make a secure and free internet at home. Follow the money. Appoint a National Cyber Director based in the Office of Management and Budget and as part of the National Security Council who will direct with money and program control over what the USG will do and will not do. That money and program power is crucial. Otherwise, no one in the USG will pay attention to them one bit.

Fourth, and finally, stay out of the direct intervention business with the private sector. Stay above the fray. You set standards. Provide tax breaks to get corporations and people truly interested in developing security for cyber space. Set legal penalties for when they don’t. For instance, the Internet Service Providers have been lax regarding security practices by their customers. (When is the last time you changed your password into something secure, not 123546 or password.)

A USG focused on security and access to cyber space at home is the best approach in a domain over which we have little practical control. Sometimes doing a little is the hardest thing to do. But a restrained National Cyber Doctrine is much better than doing too much.

Reality and Perception: How the Russians Won an American Election

Americans really don’t get the Russians. We are a people who pride themselves on divided government, openness, and the exposure of corruption – almost to the point of obsession. The Internet has allowed those truly American attitudes an even greater sway in the its body politic. Now, everyone can be their own “loudspeaker of truth.” In Russia, the story is quite the opposite.

Russia has a 500-year history of oppression from their “leadership.” It started with Czar Ivan the Terrible and continues today under Czar Vladimir the First. Russia is country run by central control; a state that views opposition as criminal and traitorous. And one of the most important parts of state power is controlling what people “think” through the information they are provided.

Thanks to the Internet, the Russians can more easily manipulate information than ever before. And Moscow is now applying gleefully that ability to their overseas goals. Most recently, Moscow been accused by Washington of desiring to control and influence our Presidential elections. And to a limited extent, Moscow have succeeded by the very effort. In the domain of worldwide Internet, perception is reality.

This type of information manipulation for political result is not new. In the Cold War between the U.S. and Russia, perception was often reality. The United States used covert means to supply information to friendly overseas sources to reinforce its positions. Occasionally, such as in Vietnam, it even deluded itself and the American people into believing that a limited, winnable war was possible.

The KGB, Russia’s Cold War spy service, was expert at planting damaging information about the U.S. around the world. It was a way of undermining our influence and the perception of wrong doing was all that mattered in the war of minds. Sometimes it worked quite well and the damage persists to this day. For instance, it was the KGB that floated the idea that American experiments to dominate the Third World created AIDS.

And so it goes today. We deal with Russia relying on old habits reinforced and facilitated with new technologies. The Internet with its hidden corners of attribution is a hard place in which to fight rumor and innuendo. Instantaneous transmission makes it impossible to control or counter the initial message. The very fact the Russian are releasing information about American candidates is damaging to the perceived integrity of our elections. The idea they could fool with our vote count is even more upsetting to the legitimacy of an already spooked electorate.

So, the first game of perception management goes to the Russians. There will be a section of the U.S. population already unhappy with the election results that will forever believe the system is now vulnerable to massive rigging. The reality is that there are several thousand different voting systems – ranging from paper ballots to electronic voting gear rarely updated to the 21st century. Hacking on a mass scale is unlikely though some minor efforts may be made. But that does not really matter. Even a few hacking attempts could be enough to poison perceptions.

So, for this round, the Russians have won an American election. It will be up to a new Administration to make Moscow pay for this interference. The games have only just begun.

The Cyber Business We Have Chosen

For those of us of a certain age, The Godfather movies represented a cultural touchstone and an endless source of “tough guy” quotes. “Leave the gun, take the cannoli.” “I’ll make him an offer he can not refuse.” And, my favorite as one of the lead characters ruefully comments on another’s death, “this is the business we have chosen.”

When I heard about the Yahoo data breach of some 500 million accounts, I was expecting public outrage. What I’ve seen from the public so far is a shrug of the shoulders and a sigh. For cyberspace, leaked information seems to be the cost of doing business. And, so far, the public seems willing to accept it.

I think this dull reaction is a combination of three problems – two technical and one social. The first is the ubiquity of an Internet that was never meant to do what it is doing. Security was not a consideration because the original development was done in national security installations. Thus the issues of outsider break-in and insider threat were not really considered. We are retrofitting security, which makes people feel better – more complex passwords and anti-hacking systems galore. But they are expensive and it is hard to judge their effectiveness versus their cost. But it appears to be a panacea to many concerns for many concern for now.

There also remains in the socially powerful Silicon Valley – a producer of much security software — an interesting 1960’s attitude toward free sharing of information and anti-government interference. This has produced a generation of younger libertarian people who expect their information to be protected from government surveillance and is outraged at government efforts to “surveil” them. In consternation to my generation of national security types, the breaches don’t seem to bother them as much.

The third problem is simply the problem of the public’s lowered expectations. The continuous drumbeat of breaches from OPM to Sony to Yahoo and hundreds of others have conditioned the public to accept this level of lax security. And until individuals are hit with some sort of personal cost – stolen credit card charges, fake bank accounts, and damaged credit – the cost does not really come home.

Some like former NSA head Michael Hayden have suggested a “high side” secure Internet. Many others are adopting forms of encryption – much to the pain of a government charged with national security in an Internet age when the bad guys use the Net.

So, unless there is some form of real and extensive public outrage, we are likely to continue in this pattern of a stream of security breaches and temporary wringing of hands. This may be the cyber business we have chosen, but paraphrasing The Godfather characters, it’s about time we make the illegal hackers an offer they can’t refuse.”

The Cyber Odd Couple of DC and Silicon Valley

Playwright Neil Simon wrote a play called “The Odd Couple.” It was the story of very different two men trying to share a NY apartment. Oscar was a total slob who was a top sports reporter. Felix was a total neat freak who was a top photographer. Yet, somehow they arrived at an accommodation though living in constant disagreement. In cyber world, Oscar is Silicon Valley and Washington is Felix. And, paraphrasing the opening of the Odd Couple – can they share cyber world without driving each other crazy?

If you had to pick two nearly opposite cultures, Silicon Valley and DC are it. The former is new, entrepreneurially brash, libertarian and a child of the open and easygoing lifestyle of the West Coast. It also strongly internationalist and driven by money as a metric and has loads of money made sometimes too easily in a market less devoted to results than “flipping a company” to gain more money. Still, it has become the creator and driving force of arguably one of the greatest technological and innovative bursts in mankind’s history.

In contrast, Washington is a staid place that is hugely powerful – arguably the capital of the most powerful nation on the planet for 70 years. It is filled with people drawn from around the country who are lawyers, social and hard scientists that do their best not to “stick up” from their surrounding fellows. Well established, it is a place of bureaucracy and order. Progress is not measured in money and quick results. It is measured in holding office and position – both of which provide power. It is also measured in compromise and a balancing of different interests for what is determined to be for the “public good.” Speed of decision is not its forte.

Not unexpectedly the first 15 years of the 21st century have constituted a long, drawn out sniping war between the two places. Washington pursues its national interests and Silicon Valley pursues its international interests. Washington thinks in terms of regulation and regards cyberspace as a public utility to be overseen. Silicon Valley loathes the DC oversight and fears the damage to its international business and independent spirit.

As time moves forward, however, the Oscar and Felix are beginning to see some common ground. While they argue vehemently over the use of encryption to secure cyber space, both DC and Silicon Valley recognize the constant barrage of cyber attacks as bad for public confidence.

Moreover, despite their internationalist viewpoint, Silicon Valley is beginning to feel the pinch overseas from nations who are not so happy about the free sharing of information or lack of control over content. As Facebook and Twitter are finding, for instance, China, Russia, Brazil, and UAE are not as welcoming to their efforts. Even India – the largest open market in the world now that China has stepped hard to regulate cyberspace – is balking at various proposals by Silicon Valley to break open India’s cyber world. These are arenas where the US government can help, if not necessary solve the challenges by pushing for international standards of openness and trade.

From the US Government standpoint, it is woefully behind the rest of the world – indeed the country – in terms of its own cyber security. The largest data leaks in the world have taken place in the US Government – from NSA’s Snowden to the Office of Personnel Management leak. Moreover, nation states and non-nation states — like China, Russia and innumerable private hackers with various agendas – have stripped sensitive technological information out of our most important projects. It needs Silicon Valley’s expertise to move beyond its 20th century, hide bound hierarchical structure and comprehensively adapt Silicon Valley’s new technologies and some of its spirit.

The Obama Administration’s recent high-level outreach to Silicon Valley is a good start to bridge that gap. Silicon Valley is also beginning to understand that it must better present its case in Washington.

Perhaps like Oscar and Felix, both sides can understand they live in the same cyber world and need each other.

Omnibus legislation: the cyber sausage gets made

Otto von Bismarck, the master politician who built modern Germany in the late 19th century said that “laws are like sausages, it is better not to see them being made.” The Omnibus bill that Congress is passing to fund the US government through next September is one huge, ugly sausage. Filled with chunks of budget, it is equally stuffed with a number of new laws. One of those chunks is the Cybersecurity Act of 2015, which includes an updated compromise version of the Cybersecurity Information Sharing Act (CISA). And a lot of people do not like the taste of this one bit.

CISA has been kicking around Capitol Hill for a number of years. Proponents say it is about sharing cyber threat and Internet information traffic between the government and the private sector. Opponents have labeled it a civil liberties danger with vast amounts of personal information being controlled and shared among government agencies with little oversight. Now, with a dash of oversight protection by Inspectors General and the Government Accountability Office thrown in, CISA was made part of the omnibus appropriations bill. And thus cyber sausage is made.

To add fuel to the cyber debate, Senate Majority Leader Mitch McConnell has said recently the legislative agenda for next year will include a review of the revisions to the PATRIOT Act from last year – pre-San Bernardino. The cyber industry response was swift and negative with one major lobbying organization calling such actions “reactionary.” An opposing wit compared the cyber industry’s reaction to the National Rifle Association – the Internet does not kill people, people kill people.

So where does this leave us in December 2015? The pressure post-San Bernardino to increase surveillance on the Internet and within social media next year is going to be huge. You can guess how each side will argue the debate based on previous positions. White papers are being drawn up. Metaphorical cyber wagons are being circled. And Presidential year politics will be filled with bombastic arguments on both sides.

Let me suggest, however, that in the middle of this debate the most important thing to keep in mind is what do we need to do to keep our citizens safe — safe from terrorists and safe from massive government intrusion in our lives.

This is a balance and it always will be a balance. If we now err on the side of more collection then it needs to be done with better oversight than we’ve had so far. Frankly, whatever you may think of Edward Snowden, he brought home the ugly truth that massive, legal collection was taking place. Few knew how massive and fewer were providing something beyond rubber stamp oversight.

However, we also need to remember that there is no such thing as 100 percent security. We can collect every cyber haystack looking for terrorist needles and still miss the leads to a pending event.

Still, as heated, as the debate will be in 2016, it is better done in the open with both sides having at it and reaching some form of working agreement that will likely please no one. As Bismarck also said, “politics is the art of the possible, the attainable – the art of the next best.” No matter what we decide, nothing will be 100 percent satisfactory to everyone.

The Twilight Struggle With Radical Islam

The scenes from Paris after Saturday morning’s attacks are sickening, angering, and disheartening. They are also not totally unexpected and will likely occur again. We, the West, can lull ourselves into a feeling of safety narrowing the reasons and the regions of trouble. However, let me be clear – we must stop whistling through the graveyard regarding our worldwide war with ISIS, Al Qaeda (AQ) and other forms of radical Islam.

President John F. Kennedy said in his inaugural address in 1961 something about a similar struggle with Communism and the Soviet Union. Kennedy was a realist who understood the burdens facing the West. He said, “now the trumpet summons us again, not as a call to bear arms, though arms we need; not as a call to battle, though embattled we are – but a call to bear the burden of a long twilight struggle…” It took another 30 years for us to win that war – already 20 years old. Make no mistake; we are in similar long, twilight struggle with ISIS and all other forms of radical Islam.

There are many reasons why this war – and it is a war because they think it is a war – will not go away soon. Fundamentally, radical Islam is based on the belief that the Westernization of the world has gone to far and offends the premises of Islam. The acceptance of women as social equals, the open social mores of the West, the separation of religion and state, and the existence of Israel are all a part of the witches’ brew of this anger.

We are also faced with a generation of young men in the Middle East (and some in the West) who are underemployed and disconnected with their society. One of my friends calls them “dude fighters.” In a previous generation, they would have been hanging on street corners, smoking weed, going to the gym, and chasing girls. Some still do.

However, the cause of jihad appeals to these “dudes” deeply. It is about them and their heritage and feelings of being dispossessed. And those who are 20 years old with nothing to live for are willing to die for causes because they think it will be their glory. For those in the West puzzled by this, think about Lee Harvey Oswald, John Wilkes Booth, and the Tsarnaev brothers among others. Dispossessed from their society, angry, and in their 20’s. A cause was all they needed to act. And they did.

Europe must also do some soul searching. Immigrants there are treated with the same lack of respect we inflicted upon African Americans in the south during the Jim Crow period. They are marginalized, stigmatized and ghetto-ized. The housing projects of Western Europe are petri dishes for the development of radicalism.

As for the United States, we are in this war whether we like it or not. The Presidential decree that the war on terrorism was over sent the wrong message. We looked like we were quitting the field and radicalism won a major victory. Setting red lines in Syria and stepping back also allowed a Petri dish of radicalism to develop and metastasize into an area that would allow the existence of an ISIS.

I have no fear that we will win the battle with radical Islam. I also believe it will be a long, drawn out affair taking place on battlefields worldwide. And it will increase focus on “soft” civilian targets. But, history is not on their side. The last 250 years have been about people looking for more freedom and less oppression. ISIS and AQ are an aberration. But to defeat them, we must show continued strength, resolve, and wisdom in dealing with a different culture. We are in a twilight struggle that can be won.

Terrorism — The Old Fashioned Way

Mark Twain once said the history does not repeat itself, but it does rhyme. So, when I heard about the Russian flight blown up over the Sinai, I immediately thought of Pan Am 103. Blow up over Scotland by Libyan bombers in 1988; I had friends who knew people killed on that flight. One acquaintance lost his son.

I suspect it will take less time to find out the perpetrators of this travesty thanks, in part, to the 21st century level of electronic surveillance available and the inability of people to stay off their 21st century cell phones. All evidence points to a group of Islamic State terrorists from the Sinai. In 1988, the identification of the Libyans took a lot longer and involved some great Scots police work and an inch-by-inch ground search – finally turning up a small piece of a circuit board that set off the bomb.

So what lessons are we to take from this most recent bombing? First of all, no matter what kind of physical and electronic security you introduce, there is no such thing as 100 percent security. People have decried the security at Sharm El Sheikh as they decried the security in Frankfurt for Pan Am 103. Granted in both cases, the security was not good. But as the IRA terrorist once said, you have to be right every time and we only have to be right once.

Second, for now, this attack does not appear to be a function of cyber. It is an old fashioned mass murder committed though the timing on any device; likely as simple as an alarm clock or, possibly, a cell phone. For those of us who live in cyber world, this provides little comfort. It is only a matter of time until the Internet of Things into which we are hurdling is used to cause mass murder. Let this event over Egypt not turn our eyes away from that ugly, soon to be, fact.

And, finally, the loss of the Russian plane is a reminder that we are in a long, dirty struggle with Islamic radicalism. Make no mistake that what happened in Egypt can and will be exported by “foreign fighters” returning to the West or “wannabes” here as well. History will rhyme and we need to gird ourselves for it.

Bored, Alienated And Islamic

There have been any number of scientific studies and anecdotal evidence to indicate that the most dangerous human beings by age are bored, drifting young males in their mid to late 20’s. A line from the Marlon Brando biker movie “The Wild Ones” best expresses it. When asked what he is revolting against the bored young biker Brando responds, “whaddya got?” The participants in the recent military recruitment attacks and the Boston Bombing seem to confirm the theories about young men. And the narrative of Islamic radicalism is what they’ve “got.”

The perpetrators of these violent are young men with Islamic backgrounds who lived in the United States for extended periods. They seem to fit in somewhat with their new country. Still, they also hang out with friends, play modern music – yet they feel alienated from society by upbringing and first generation communities that often do not understand their problems. And they also often have strong issues with US authorities on policy regarding the Middle East and Islam writ large. Thus, the appeal of fighting for Islam is strong and ISIS presents a tempting thing in which to believe.

There was an old radio show that opened with the line “who knows what evil lurks in the mind of man?” Psychologists will give you varying answers from alienation to the society to a desire to belong to something bigger than them. But no one can give you the exact moment and person that will step over the line to violent action. But violent action is on fertile ground when young men are bored and alienated.

As we try to deal with these young men, US officials are knee deep into areas where the US government and America itself has grown uncomfortable since the end of the Cold War. We seem to lack an appealing narrative about who we are.

Oh, we’ve got the against terrorism business – and we arrest and kill on a daily basis to emphasize that point. And, I know we’ll never get 100 percent of these young men with us. But, we are heading into deeper waters as ISIS recruits these “dudes” aggressively online and trains those that make it to the Holy War. They have no problem with their narrative.

So what does that mean for us? It means we have to do things with which we are most uncomfortable. First, we must say who we are and what we believe in. Clearly, distinctly and repeatedly. And we need to do it through the social media that is being used every day. A few thousand twitters from State Department are simply not enough. We need to respond in the millions that our freedoms are their freedoms. That all humans have rights. And that disagreement cannot end with a belt bomb or a beheading. This is against the fundamentals of all societies – Islam, Christian, Jews, or any others.

In this effort, we need to reach out and embrace the social media in the United States and elsewhere. This is difficult given the libertarian streak of the cyber world and the stiff-necked approach of the Feds to them, but it is mutually beneficial to both sides. The Feds need the outlets, and the outlets need credibility that they are not transfer mechanisms of hate and destruction that can be pointed at them as well as the rest of the society.

Second, we also need to work more openly and closely with the Muslim community in the U.S. The latter have been concerned but relatively quiet about this behavior. First generation settlers in the past have also had problems criticizing their misbehavers. Anarchist movements, Nazi sympathizers, and Communist agents some time found the support of silence in their communities. However, in each case, brave people began to stand up and counter their narratives and changed and took away their base of support.

And finally, we need to integrate these young people into our society. This also requires working with local communities to find these young men a purpose whether helping their communities or serving their religion through mosque-guided efforts. Their efforts and energies need to be focused as Muslim-Americans socially and politically active here in the 21st century in America — not pursuing some 16th century violent chimera of a Caliphate.

None of this is easy nor is it short term. But, we face a clear and present danger in a radicalization of young people that is going unchecked. We have pledged in our Constitution to “ensure domestic tranquility, provide for the common defense.” This now requires more than the necessary law enforcement and military action. We have provided successful narratives and have integrated immigrants in the past. We need to do it again.

Bouncing off the cyber walls

In the movie “Apollo 13,” the saga of the near fatal moon mission, there is a harrowing scene toward the end of the film that has reminded me of the last several days in cyber world. Two of the exhausted astronauts get into a horrific argument over their plight. The commander, Jim Lovell, equally tired tells them to “stop bouncing off the walls” as their problems will remain the same after whatever time they waste yelling about it. So, it is with our current beatings taking place over the OPM information breach and its potential consequences.

Whatever the finger pointing and vituperative remarks, there remain four fundamental issues that must be addressed in our Federal government’s cyber world, or the mistakes of the past will continue to be repeated:

First, we need to the address the “ignorance” of senior managers regarding their IT systems. This problem lies with the challenge of getting government IT guys wrapped in their own world to better explain exactly what the risks are to their management and their personnel. Legacy systems and no centralized buying procedures have been a bane of IT people within the government and that needs to be fully explained as well. But, also, it would not hurt for the senior managers to take some time to listen and fully engage with their IT people.

Second, contractors must be able and willing to tell the truth about the vulnerability of their systems and government procurers have to stop beating them up for it. No contractor – no matter how good they are — wants to say their product can’t fully protect the system they are bidding to install and/ or proposing to protect. The government must also understand that there is no such thing as 100 percent security in any system – no matter what the promises.

Third, everyone needs to understand the challenge of internal threats and outside capabilities to break into systems will exist no matter what. This is a simple case of risk management in a risk averse age. No matter what we spend on security, how often we give background checks or polygraphs to the information handlers, something is going to happen. If you don’t want your “crown jewels” stolen, limit your access to them. But realize that there will always be some form or way to get to them.

Fourth, and finally, this is the moment for a true public-private partnership on the subject of IT security. Both sides need to come together to discuss best practices in a comprehensive way now. The government simply cannot do this on its own. There is too much going on that is cutting edge in the private sector, and government ignorance of the full field of what is available is costing us too much in privacy and in national security threat to its employees.

As much as it is a feel good exercise to beat up OPM, bouncing off the cyber walls gets us nowhere. We know the problems. It is up to senior members of our government to act swiftly to take care of them.

Ronald Marks is a member of the GW Center for Cyber & Homeland Security’s Board of Directors.

Paying for Non-Secrets

Former Director of Central Intelligence George Tenet famously said when asked about so-called open source (unclassified) intelligence, “we only pay for secrets.” He spoke with the confidence of a man born and raised in the world of the 20th century spy and the Cold War. With the massive leak of government employee information from the Office of Personnel Management (OPM), Director Tenet’s statement has been proven quite wrong for the 21st century. China and others are willing to pay for “non-secrets” and they matter.

As data breaches go, the OPM break in was not the biggest one experienced in the past few years. Target, JP Morgan Chase and a few others were larger in breath and scope. But, they did not contain information that could be used to target and engage in spying on the US government.

As an old spy, I wanted information. I wanted people’s background: where they live and had lived, who their relatives were, and what personal problems they might have. That way I could figure out how to develop a successful “relationship” with someone who would spy for me. And, also, target more successfully – not waste time on someone who did not matter.

You see, the real trick is human intelligence is finding people with access to important people and their information. I don’t want to recruit the Secretary of State — too big, too awkward to meet and not likely to be recruited. No, I want someone on his staff or someone who has access to his staff and especially their work product.

The OPM leak contains millions of personnel files that will help China do just that. Files on government employees and their contractors with a summary of their backgrounds and what programs they have access to is quite sufficient for my targeting purposes.

In the 21st century, information contained in files like OPM need to be treated like the old fashioned state secrets were. I am sure whatever investigation there is will turn up either woefully inadequate IT security, inside actions, or both. I am not going to debate that right now.

What I am going to say is it up to the current Administration and those going forward to understand why data breaches like OPM are so dangerous to the national security of this country. Just because something is unclassified does not make it unworthy of security.

Welcome to 21st Century cyber conflict. Information is a weapon to use and target and cyber space is the battlefield. So far, if OPM is the indicator, the U.S. government is getting skunked.