Donald Trump's cybersecurity comments last month caused a stir in the cyber community. When asked about cyber issues, the Republican candidate for president said, "Look, we’re under cyberattack, forget about them. And we don’t even know where it’s coming from... because we’re obsolete. Right now, Russia and China in particular and other places... I am a fan of the future, and cyber is the future."
This jumbled mess of a non-answer has engendered many articles and blog posts from the cybersecurity community, most consisting of despair at Trump’s ignorance on such a vital subject. The bigger picture, however, is being missed amid the hand-wringing. In truth, Trump's blatant ignorance is just another example of the countless instances of poor cybersecurity management by the United States. In numerous sensitive areas of the government, at the highest levels, the U.S. consistently falls short of implementing sound cyber policies or even understanding what they are. This is not a partisan issue, as the nation has collectively failed to engage in proper practices. Let us explore some examples and try to understand how far behind the U.S. government is in terms of information security.
The Senate cybersecurity report
In 2014 a U.S. Senate investigation was launched to determine the cause of numerous high-profile security breaches. These included an attack on private databases of the U.S. Army Corps of Engineers, penetration of servers belonging to the federal cybersecurity authority National Institute of Standards and Technology, and several others. The resulting report produced overwhelming evidence that "real lapses by the federal government" were to blame for all these security incidents. The Senate's 14-page findings concluded that many of the hacks exploited "mundane weaknesses, particularly out-of-date software" and went on to state that "failing to install software patches or update programs to their latest version create entry points for spies, hackers, and other malicious actors."
Many times in my writings, I have stressed how human error is the cause of most security breaches. A large number of potentially debilitating cyber-attacks were caused by sheer ineptitude, as simple patch updates could have closed countless exploitable vulnerabilities. The theme of human error continued to arise throughout the 2014 report, as every federal agency audited (including the Department of Homeland Security) was guilty of poor practices, which helped to create conditions for successful hacks.
The report concluded that "agencies — even agencies with responsibilities for critical infrastructure, or vast repositories of sensitive data — continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information." This theme was true before this report surfaced, and it does not seem that governmental forces are engaged enough to change it.
CISA: Punishing citizens for governmental ineptitude
One would imagine that the government would have at least attempted to implement changes following the Senate report. This turned out to be a half-truth, as a bill that eventually passed in 2015 was touted as a route to improve cybersecurity. The half-truth was that the Cybersecurity Information Sharing Act (CISA) really did not focus on shortcomings of the U.S. government. Rather, it was mainly a further violation of civil liberties.
As ACLU legislative assistant Sandra Fulton wrote in a blog post, CISA allowed creation of "a massive loophole in our existing privacy laws by allowing the government to ask companies for ‘voluntary’ cooperation in sharing information, including the content of our communications, for cybersecurity purposes." As if the Patriot Act, NSA mass surveillance and other intrusive policies were not enough, this new law, passed in the name of cybersecurity, further violated privacy and data security.
The logical step would have been for the government to ensure that all federal agencies execute security protocols. Instead, lawmakers pushed through a bill that will not do anything significant in actually furthering information security. In a power grab, the U.S. government showed a glaring lack of concern for cybersecurity, something that has frustrated numerous individuals in this field.
The InfoSec private sector is the answer
While it is fun to joke about how stupid the government is, and believe me I love doing it, there are serious dangers here. The data stolen in these cyber-attacks can threaten national security, as it often falls into the hands of dangerous people. By ignoring every reliable solution that could actually improve U.S. defenses against cyber-attacks, the government is showing that it is both ignorant of the threats and unprepared to face them.
Here’s what needs to be done to avert catastrophe. The U.S. should bring private-sector InfoSec professionals into its inner circle. In my opinion, the best minds in the field of cybersecurity are not working for the federal government. Instead, they can be found in countless private firms that are contracted by the most powerful entities in the country. These professionals can advise the government in ways that would finally begin to close countless security gaps in the vast network of federal agencies.
I pinpoint private-sector cybersecurity experts as the solution for the simple fact that federal experts are useless. I say this in light of the evidence I have produced of countless instances of federal agencies, and high-ranking officials within these agencies, showing blatant disregard for basic protocols. How can we honestly expect the FBI, CIA and other agencies to protect national security if they are too lazy to follow the rudimentary principles that every InfoSec expert should know?
Even though government officials of yesterday and today have displayed an ignorance that is similar to Donald Trump's, it does not have to remain that way. It truly cannot stay that way if the United States wishes to keep its citizens safe from the effects of the burgeoning cyberwar. On all sides of the political spectrum there has always been talk of the need to protect our infrastructure and our citizens. If the U.S. political sphere does not adapt and continues on its road of not employing a significant amount of outside help, I can confidently say we are not prepared to face a nation-state hack or other serious threat.