Picks of the Week: Government Struggles with Cybersecurity Vulnerabilities
How the Story of Hillary Clinton’s Emails Has Changed | The New York Times
AP Exclusive: Under Clinton, State’s Cybersecurity Suffered | Associated Press
Teen Who Hacked CIA Director’s Email Tells How He Did It | Wired
While Hillary Clinton continues to face scrutiny for her email practices and the use of a private server during her tenure as Secretary of State, other government officials have recently had problems of their own with their email. This week, a hacker claimed to have broken into the personal email accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson. It remains unclear whether the officials were using their personal accounts to conduct government business or if they simply used them to occasionally store email and documents from work. Nonetheless, the hackers were able to access highly sensitive information, such as the SF-86 application Brennan had filled out to obtain his top-secret government security clearance, which is similar to the millions of SF-86 applications that were obtained when hackers broke into the networks of the Office of Personnel Management (OPM).
News of this latest breach came on the same day that the Associated Press reported that the State Department was assessed as being among the worst agencies in the federal government at protecting its computer networks. Although inspectors general have expressed concerns about the cybersecurity posture of the State Department since 2009, these deficiencies point to a broader problem in the government’s handling of security issues and sensitive data that can be difficult to correct, according to experts and official reports. Indeed, another report released by the Government Accountability Office (GAO) back in September had identified “persistent weaknesses” in information security and the lack of strong cybersecurity measures in over 20 federal agencies.
OPM, for instance, was harshly criticized over the summer after acknowledging that breaches of government databases exposed sensitive personal information of over 22 million people. Months later, we still get reports revealing the hack was worse than previously disclosed. Just a few weeks ago, OPM admitted that five times as many fingerprints were stolen as originally estimated!
While the State Department may be a higher-priority target for foreign intelligence services than other government agencies due to the sensitivity of the information exchanged, the latest breaches are indicative of government-wide security problems that need to be addressed. The Department of State’s inspector general, in fact, identified many of the same basic cybersecurity shortcomings found in other agencies, and there is really no oversight to make sure individual agencies follow even basic compliance.
Policymakers and other government leaders will continue to struggle to be taken seriously in this space as long as their own defenses remain so bad and the agencies they lead or work for do not improve their cyber deficiencies and implement effective risk management programs. As I have argued before, our leaders have a responsibility to master and develop good cyber policy and secure the country’s most valuable, sensitive information. This means that politicians and public officials at the highest levels need to have a basic understanding of cybersecurity, and—critically—that we can’t let important cybersecurity lessons be lost in a political turf war. Unfortunately, few of them have actually taken the time to educate themselves about the most pressing cyber threats and the basics of cybersecurity, and even fewer are taking proactive steps to make cybersecurity a priority.
During the first Democratic debate, for example, candidate Jim Webb was the only one to mention cybersecurity as one of the major threats facing the U.S. right now, and former Florida Governor and Republican candidate Jeb Bush is the only one to have articulated some kind of plan on his website for dealing with it so far. All presidential candidates, however, should be more articulate and proactive on cybersecurity issues, just like they are on issues from debt to foreign policy to immigration. The future president, regardless of the party, will have to make cybersecurity (e.g. resiliency, privacy, and security) a priority for their administration and think of this issue in terms of both national security and economic stability. – Francesca Spidalieri