Tuesday, August 04, 2015

Hand In The Cookie Jar

South Burlington, VT

Today, I'll take a brief departure from the normal theme of the cruising life.   There is an extremely interesting current events story that you won't know much about unless you dig deep into certain news topics as I do.  It makes a fascinating story.

The topic is the recent hacking of the US Government's OPM (Office of Personnel Management) databases.  They acknowledge that the data of more than 21 million people was stolen.  That includes identification info and financial info, but also the results of security clearance background investigations.  That means any dirt that exists on those people, plus their circle of relatives, friends and associates.

This breach is extremely serious, not so much because of potential credit card fraud, but more in terms of national security.  Anyone in possession of this info can track those 21 million people around the world using face recognition software.  They can make fake identification (including fingerprints, which were in the stolen data; retinal scan data has not been mentioned so far).  They can blackmail or intimidate the victims and threaten their relatives and friends back in the old country.  That makes enemy espionage more effective in the future and American espionage more difficult.  The hackers are free to share or to sell that information to anyone. I'll stick my neck out to say that this breach is perhaps the most stunning intelligence victory in history (meaning a victory for the bad guys and a loss for our side).  The USA cannot recover completely from this breach unless it fires all of the 21 million and recruits 21 million replacements.

Apparently, the US Government has unilaterally defined three levels of seriousness of such incidents.

  1. Intelligence gathering.  The US says everyone does this, including us, so no sanctions or retaliations result when someone is caught.  The OPM hack comes under this definition.  James Clapper was quoted as saying that if he could hack the Chinese equivalent of OPM, he would do so.  In other words, it is not an offense at all and there is zero cost for bad guys who attempt it.
  2. Economic espionage.  The US considers this criminal behavior.  People caught are prosecuted as criminals.  The US brought criminal indictments against Chinese military hackers last year, but hasn't done anything more.  The US claims that it does not do economic espionage, but numerous leaked documents show that we have and we do.
  3. Infrastructure attacks.  An attack on the power grid or on our financial infrastructure is considered an act of war.  The US military can then retaliate in kind or not in kind.  For example, they could retaliate for a banking hack by sinking an enemy warship.  But Iran attacked the US banks a couple of years ago.  That was clearly an act of war under this definition, yet no military retaliation has occurred.  This was another red line crossed without any significant response by the USA.

It is important to point out that this has nothing to do with the Snowden leaks.  I have no doubt that enemy governments were well aware of US offensive cyber attacks without Snowden's help.  It is the public, not the bad guys, who became informed by Snowden.  Also worth noting is that there is no international support for the USA's unilateral three-level definitions.

So here is the point that the US government seems to have missed.  The USA has the most to lose in exchanges of cyber intrusions.  China probably has nothing equivalent to the OPM database, but the USA does.  So it matters not if our offensive skills are better than theirs.  In a continuing exchange of tit-for-tat cyber espionage sallies, the USA stands to lose much more than we can gain.


What the USA lacks is leadership with the political courage and the wisdom to properly define USA national interests in the modern cyber world, to devise policies to foster those interests, to enunciate our policies to the public and to the enemy, and then to implement those policies effectively and to have the backbone to invoke them when appropriate.

In the coming 2016 elections, I'll be on the lookout for those qualities in prospective leaders from any party. I urge you to do likewise.

