As much as we appreciate the commitment and professionalism of so many dedicated public servants, it is apparent to us that the current state of information-sharing across the government is far from where it needs to be. It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy. While parts of the federal government have been quick to seek input, information sharing with first responders in a position to act has been limited. During a cyber incident of national significance, we need to do more to prioritize the information-sharing and collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.
One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down.
December 17, 2020
A moment of reckoning: the need for a strong and global cybersecurity response
[Free markets have their faults. But if you want something really messed up then have a government do it. Why else do you think they are so good at war? You send your government to some other country and they mess up that country.—Joe]
The USA has a long history of doing just that and it has caused a lot of grief and it accelerated after WWII with the establishment of the CIA and other unnamed three letter agencies.
We’re still living with the consequences of a decision made by the CIA in 1953 to arrange for the overthrow of a democratically elected Prime Minister Mohammad Mossadegh in Iran and to install the Shah.
And it goes back even farther. When the Western Powers after WWI created countries without regard for local cultures and tradition focusing only on dividing the spoils of war, they built the foundations for the many wars that have followed.
The smartest people in the room are often the most ignorant which is why any large bureaucracy in charge is to be shunned and despised. And this applies to many of our institutions – not just government ones. We should always choose small over large if they can get the job done to keep the mistakes smaller and more local.
One of our greatest achievements is the internet where no one is in charge and everyone can participate. IMO, that’s how we should run everything to the extent possible and that should include governments. Why should we elect even little ‘kings’ to make our lives miserable?
I view the work from home that COVID has forced on us as a step in the right direction. Small units interacting and corroborating with many others is the ideal.
Only a bureaucrat or elected official thinks making an organization bigger will increase efficiency and streamline the flow of critical information.
My boss used to tell me he would call his counterparts in the UK to find out what was going on in the program he was working on. Sharing information good or bad was frowned on internally. If you told someone you had hit a snag, it might be used against you later when budget money was allotted.
My own dealings with .gov pre and post 911 were depressing. DHS added a layer or two of people without any added benefit. They need to be consulted, included in meetings and copied on reports but had no idea what you were working on. They also added their contractors to my budget. We would have a monthly meeting with 30 people in attendance and only 5 actually provided work.
I would estimate that 30% of the budget went to supplying a product to the end user. The rest was tied up in overhead, consultants and administration cost passed down to us.
Oh, swell, a Cybersecurity czar. That will help.
While I am not as sanguine about private sector action (witness the source of the article) as you are, there are clearly things that government can do to make things worse and Czars are at the top of the list.
I am not a security tech type so my advice is the generic advice I give about everything. QUIT PLAYING DEFENSE. If someone screws with key infrastructure, hurt them. Tit for tat is the strategy that works. If it is a non-state actor, consider going kinetic.
Ditto for a state actor. Sending some SEALs to take out the hackers would do wonders for deterrence. Those people do not expect to be at the receiving end of incoming fire.
Note that it’s critical to be sure of the target. Right now what we have is two cabinet secretaries saying “it seems to be Russia” and the President saying “but it might be China”. And for some reason math-challenged talking heads claim that those two statements are in conflict, which is obviously not the case. The evidence has to rise up to “it is actor X beyond reasonable doubt”. Unfortunately that’s going to be hard.
On Monday I listened in on a call with DHS type people on this particular security breach. The topic of attribution came up. The best guess at this point is still “the Russians”. But we really don’t know for certain. In many cases, including this one, accurate attribution is really, really tough. If that weren’t the case I’d be supportive of kinetic activity.
It’s also possible (I have not heard anything even hinting at this) that someone in our spook network knows the answer with near certainty. But, proving to the public we know with near certainty would cause serious damage to our sources.
Attribution aside, I would not support kinetic action against a state actor because that means war over a hack. If we are indeed talking about China or Russia, that becomes most dangerous. There are other ways to hurt such actors but hurt them we must. For non-state actors, we need not engage in such restraint.
As an aside, I wish we had a spook network that was on our side.
“it would mean war over a hack”. Not necessarily. It would be retaliation; whether it’s a war would be up to the receiving end.
Also, “hack” is like “prank”, a term frequently used to make a serious crime appear fun and harmless. In fact, so-called “hacks” are disruptive and costly, and often result in destruction of property. In this case, they presumably also involve large-scale theft of intellectual property, both privately held and government secrets. Lastly, it remains to be seen whether this one created the ability to do remote shutdown and/or insertion of false or malicious data. That last possibility could easily produce consequences that make Pearl Harbor look like a minor event.
The way to deal with enemy action is to counter more forcefully. Wimpy or nonexistent responses, which is what has been done to date (except to Iran under Trump), only encourage the bastards.
The gross incompetence, infighting and cross competition that makes the Fed Gov so grossly inefficient has one unsung benefit... for the average citizen. It makes infringing our freedoms and enslaving us a more difficult task. If the Fed Gov worked with the efficiency and speed many wish it could, our freedoms wouldn’t last a week.