
No Patch For Incompetence: Our Cybersecurity Problem Has Nothing to Do With Cybersecurity

June 23, 2015

On Wednesday, June 17, Reuters reported tersely that the White House “continues to have confidence” in the beleaguered Office of Personnel Management (OPM) chief Katherine Archuleta. This came on the heels of new information that, among other things, the devastating OPM hack may have had something to do with OPM running high-end systems coded in a semi-obsolete programming language without built-in support for modern security practices. Or that OPM gave root system access (for those that don’t speak UNIX, root is privileged system access authority) to foreign contractors in China. No matter, the White House has “confidence” in the woman that ignored a direct warning from the Office of the Inspector General (OIG) cataloging key vulnerabilities in OPM systems, and who also happens to have worked as the national political director for President Obama’s re-election campaign.

It is time to dispense with the smoke and mirrors surrounding the discussion of cybersecurity. For too long, we have persisted in the delusion that cybersecurity and cyberwarfare are difficult and serious threats due to their technological novelty. We have taken refuge in fantastical fears over the looming, Hollywood movie-esque threat of catastrophic cyber-doom. Breathless articles are penned declaring that “cyber” will “change warfare more than the machine gun.” By defining the problem solely in terms of technology, such musings suggest that the solution is technological. This suggests all we need to do is get the best technical talent on the job and things will be fine. However, while patches are issued all the time for bugs and vulnerabilities in computer systems, there is no patch or security update for systematic, glaring incompetence.

The OPM hack demonstrates that cyber-silliness may be far more damaging to American national security than even the most fevered scenario of cyber-doom. Put bluntly, the problem lies not in some esoteric computer science problem. Rather, it is a matter of continuously selecting for and rewarding incompetence. Heads have rolled in government for far lesser setbacks than the OPM hack, yet the administration evinces “confidence” in the woman that presided over the wholesale theft of millions of government workers’ sensitive information.

The fact that the White House still has confidence in Archuleta is not surprising. After all, Obama’s cyber czar is a man that boasts about his own technological illiteracy. Cyber czar Michael Daniel believes that such petty little things as information technology coding and system details are a “distraction” from policy big-think. Yes, dear reader, I am not cyber-shitting you. Daniel, a man tasked to oversee computer systems of enormous complexity and importance, believes that the details of how they work are a “distraction” from his real job: thinking Big Cyber Thoughts.

Certainly no one expected Daniel to have written his own Linux kernel, and government executives obviously should not be subjected to Google-style whiteboard coding exercises to get hired. However, “[a] man’s got to know his limitations,” Clint Eastwood laconically observed in Magnum Force. As former Defense Intelligence Agency Chief Technology Officer and Joint Task Force-Computer Network Defense veteran Bob Gourley noted, Daniel ought to have regarded his own knowledge gaps as something to rectify or compensate for, not spin as a personal advantage.

OPM director Katherine Archuleta is also an unfortunate case in point. Archuleta bragged about thwarting “10 million [cyber] attacks a month,” a claim that computing professionals and cyber policy specialists greeted with open ridicule. As the New America Foundation’s P.W. Singer tweeted, this is a “[u]seless, meaningless number … My pinkie stops 10 million germ attackers every microsecond. Not a measure of health.” Archuleta’s faux-metrics notably gloss over some other numbers of interest: the number of vulnerabilities Archuleta ignored, the age of OPM’s legacy systems, the numerical user group classification for root access (given to foreigners physically located on the home territory of a U.S. rival), and the number of up-to-date security systems, practices, and protocols that OPM did not use to protect its data.

Despite all of this, the White House is still confident in Archuleta. After the OPM hack, one shudders to think what she would have to do in order to lose the administration’s confidence. Give the Chinese and the Russians secure shell access into the nuclear command and control system computers, maybe? Subcontract out the job to fix OPM to Edward Snowden or the Islamic State’s web development team? Put the full source code of the dwindling number of National Security Agency programs that Snowden hasn’t revealed on Github and invite Iranian hackers to make a pull request?

Unfortunately, there is no patch for systematic incompetence. No amount of money, new cybersecurity authorities and organizations, or smart hackers lured away from Silicon Valley firms will compensate for the depressingly obvious realization that our government does not care about technical expertise or cybersecurity outcomes writ large and is not at all interested in accountability. We cannot simply run the policy equivalent of a software update and solve our cybersecurity problems without grappling with the disturbing nature of what Daniel and Archuleta represent — our policy elites’ tendency to cry “cyber Pearl Harbor” and nonetheless tolerate massive, systematic, and completely unacceptable levels of stupidity.

 

Adam Elkus is a PhD student in Computational Social Science at George Mason University and a columnist at War on the Rocks. He has published articles on defense, international security, and technology at CTOVision, The Atlantic, the West Point Combating Terrorism Center’s Sentinel, and Foreign Policy.

 

Photo credit: Another Believer (adapted by WOTR)

14 thoughts on “No Patch For Incompetence: Our Cybersecurity Problem Has Nothing to Do With Cybersecurity”

  1. The only thing wrong with this piece is that it had to be written in the first place. I take that back: that it wasn’t written months or even years ago. It’s so beautiful and accurate, it makes me want to cry. Bravo to you, Adam Elkus.

  2. Thank you for writing this; it’s a tiny bit of clarity on an issue where most people do not understand the implications. The reality is that the long-awaited “cyber Pearl Harbor” is preventable – just like the real one was – and the reality is that we have no one to blame but ourselves when it happens.

  3. This has been a continuing problem, at least since FEMA’s Mike Brown and Katrina. At least he had the good grace to resign.

    People have been supposedly “fired” when in fact they were merely reshuffled around to hide them, allowed to retire 5-6 months later instead of being tossed out of their office, or had the Administration express “confidence” in them, only to turn around and fire them after the uproar grew too much.

    Archuleta should have already been frog-marched out of her office by US Marshals, with a cardboard box full of her effects in her hands. And she should only be the latest in a parade of incompetents.

  4. Spot on. It is nearly impossible to hire great people to work in government IT, and those who are hired don’t stay there long precisely because the environment tends to punish, not reward, effective behavior (the ‘Dead Sea Effect’ writ large). That leads to large-scale outsourcing of Federal IT work, which in turn leads to travesties such as this. And, as noted, it is nearly impossible to fire a Federal worker, especially those who aren’t at the top. The real issue isn’t Archuleta — it’s everyone below her.

    1. bfwebster: I also have heard that it’s easy to stay in once you are in (the Federal Government), however, I’m not familiar with your claim. Could you explain in a little more detail what you meant by your last statement?
      Thanks!

  5. So why haven’t Katherine Archuleta (Director) and Patrick E. McFarland (Office of Inspector General) been fired yet? Why are they not under federal charges for gross negligence and fraud as clearly they had no business being in charge of a federal organization?

    These two clowns need to spend some time in federal prison; anyone associated with the decisions on their network security needs to be held accountable.

  6. One reason I retired as a professor, instead of staying on, was it was professionally insulting to be evaluated by students who had no idea what the course was about and couldn’t even remember to bring a pencil to an exam. “Accountability” as commonly applied will merely deter competent people from taking on a job because their performance will be judged by technically illiterate media and politicians. Case in point: Eric Shinseki, who got sandbagged twice, once for telling Bush things he didn’t want to hear about Iraq, and a second time because he couldn’t work miracles at the VA. Being accountable to idiots while utterly incapable of holding your subordinates accountable? Gee, how can I refuse?

  7. I’m pondering the clearance process I went through and wondering why that data is even in a readily accessible database?

    The only thing anyone needs to see after my clearance is granted is a flag and an expiration date indexed to my name or unique identifier.

    Low tech and easy.
    They can even comply with the Paperwork Reduction Act by slamming all this data on a removable drive under lock and key.

  8. This is how security has changed in the commercial space as well. It is no longer about technology or analysis at all. It’s about lawyers, litigation and financial risk management. In a few years computer security will have as much to do with technology as the insurance business. As someone who’s worked in the field for a long time I could not in good conscience tell anyone with an IT background to get involved in security. The only technically related jobs will be low level shift drones. The only career path in security will be in legal, financial and actuarial work.