As I See It: How Did Cyber Security Get So Bad?
January 25, 2021 Victor Rozek
It was Paul Newman who said: “If you find passion in one area of your life, it will bleed into all the others.” Apparently the same can be said of incompetence.
Two years ago Michael Lewis wrote a book called The Fifth Risk. Its premise was singular and prophetic: “What are the consequences if the people given control over our government have no idea how it works?” That, as he meticulously documents, was the case four years ago when the incoming administration — which did not expect to win — was unprepared to govern. It failed to fill many key federal posts and delayed filling others. Those who were appointed often had no experience or understanding of the functions they were being asked to manage — and worse — according to Lewis, they showed no interest.
There are about 500 top jobs in the federal government, many of them heading agencies responsible for the health, safety, and welfare of 350 million Americans. From cyber security to food safety, weather prediction to fisheries, from conducting the census to tracking black market uranium sales, the awesome responsibilities of governance were under new, impromptu management.
As is the custom, the outgoing administration readied for meetings with the incoming transition team. From cabinet-level secretaries, to civil servants across the vast expanse of government, briefings were prepared that would never be heard; briefing books compiled that would never be read.
Elizabeth Sherwood-Randall was then deputy secretary of the Department of Energy. She recalled, “The election happened . . . and then there was radio silence.” Across all departments similar stories were playing out. No one came. The few that did were uninformed. Some threw away their briefing books. Willful ignorance was the new normal.
Shortly after the new administration took office, information started disappearing from government servers. Climate change data, USDA inspection results, records of consumer complaints against financial institutions, crime statistics, FEMA reports that detailed access to drinking water and electricity in Puerto Rico after Hurricane Maria, all manner of public data were deleted and links to scientific research were removed. It was a strategy driven by what Lewis describes as “a perverse desire to remain ignorant.”
Budgets were cut, senior staff fired or reassigned, departments hollowed out. By the time Reuters reported the story that Russian hackers had breached some 250 U.S. government agencies and businesses, including Treasury, Commerce, Homeland Security, the National Nuclear Safety Administration, the State Department, and the National Institute of Health, the agency entrusted with Cyber and Infrastructure Security (CISA) had already been damaged. Billions of dollars of funding had been diverted to build the border wall, and some of its best people were forced out.
Heather Cox Richardson, writing for Moyers on Democracy, reports that since the 2018 Russian hack of our electrical grid “administration officials have deliberately forced out of CISA key cybersecurity officials (including director Christopher Krebs). The destruction was so widespread, according to Dr. Josephine Wolff, a professor of cybersecurity policy at Tufts University’s Fletcher School who holds her PhD from the Massachusetts Institute of Technology (MIT), ‘they signify the systematic decimation of the personnel most directly responsible for protecting critical infrastructure, shielding our elections from interference and guarding the White House’s data, devices and networks.’”
Almost like it was being done on purpose.
Various officials called the hacks “a grave risk to the federal government,” and “the worst hacking case in the history of America. They got into everything.” The Russians apparently had undetected access to a considerable number of important and sensitive networks for up to nine months. Tom Bossert, Trump’s former homeland security advisor, stated in a New York Times op-ed that the president is “on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government.” (As I write this, Microsoft announced that its source code was also compromised.)
For his part Trump said it was no big deal, everything was under control, and besides it was probably the Chinese who did it. And then he went back to playing golf. Thus the Trump presidency ends as it began — with Trump denying the reality of Russian cyber attacks and serving as an apologist for his role model in the Kremlin. In Lewis’ words, “If you want to preserve your personal immunity to the hard problems, it’s better never to really understand those problems.”
So the answer to how it got so bad is this: The woeful state of our cyber security is the result of deliberate and systematic dismantling of effective government, fueled by a hostility toward experts, and a chronic, purposeful disconnect from reality.
But a second interesting question remains: Why does it seem that the most repressive nations — like Russia and China — are also the ones that excel at hacking? Of course we don’t have a valid comparison because, generally, our own military will want to keep its successful hacks a secret. Although, sometimes, as was the case involving the Stuxnet computer virus attack on Iran’s nuclear enrichment facilities in 2010, word leaks out. Still, the latest Russian attack was impressive in its stealth and scope.
The answer may be that the repression itself fuels the ability to excel.
In another time and context, Ayn Rand, the Russian-American writer, Alisa Zinov’yevna Rosenbaum by birth, had an interesting theory — which may be relevant here. She pondered why Russians were, for decades, so dominant in competitive chess. She posited that in a repressive society the brightest, most creative people are often either stifled in their expression by regulation and censorship, or outright exploited by the regime. In communist Russia, many of those people, Rand believed, found refuge in chess, a game that requires great intellect and imagination, and the playing of which cannot be usurped by a state-appointed apparatchik.
Successful hacking on a global scale also requires great intellect and imagination. It’s equally plausible that some of the brightest minds in repressive societies take refuge in computers. Hacking allows them to play a form of virtual chess against the world’s best, on a board that crisscrosses the globe. Under normal circumstances they would be formidable opponents, but it doesn’t help when the leader of our squad sides with the other team.