Modernized technology and formal standards like FISMA won’t be enough -- mindsets must change, too.
Jeff Gould is president of SafeGov.org and CEO and director of research at Peerstone Research.
In the past five years, the U.S. Navy has removed nearly 100 commanding officers from their positions. While the offenses motivating the dismissals covered a wide range of misconduct, including keeping a live goat on board a guided missile cruiser, the majority were removed for operational failures.
In the Navy, running your ship aground gets you fired. Such harsh discipline may not always be fair, but it serves an essential purpose. When a leader’s misjudgments can have catastrophic consequences for a ship, its crew, or the nation as a whole, it is essential that these leaders accept their obligations of diligence and personal accountability. No system is invulnerable to attack. But a federal IT culture that emulates the Navy by embracing the principles of accountability and continuous improvement will make us safer than we are now.
In today’s federal IT establishment, accountability is not the rule. After what is likely the most dangerous and destructive cyberattack the United States has ever suffered, the director of the Office of Personnel Management, where the attack took place, recently told the Senate, “I don't believe anyone is personally responsible.”
It is time to change the rules, and hold federal IT organizations accountable for their missteps. The OPM breach, which the Obama administration says was the work of Chinese hackers, exposes every current and former federal employee to blackmail, identity theft, phishing attacks, espionage and untold other forms of harassment. While no lives have been lost, the OPM attack is undeniably a national catastrophe whose consequences will be felt for years to come.
Accountability means more than just removing leaders who put their ships on the rocks.
Accountability means IT organizations must place the interests of their users above their own. The flaws in the OPM’s cyber defenses were apparent before the attack. An audit by the OPM’s Office of the Inspector General last year revealed “major security problems” at the agency. The IG also reported, “OPM has a history of struggling to comply with FISMA (Federal Information Security Management Act) requirements.”
Director Archuleta at least agrees with this point, as she told Congress that FISMA compliance would not have prevented the breach. But it gets worse. A new “flash audit” by the IG predicts the agency’s current plan for fixing its security vulnerabilities will fail.
OPM has so far refused to disclose to the public or to Congress exactly what went wrong. But crucial details have leaked. We know the stolen files were not encrypted, for instance. Director Archuleta stated in her testimony to Congress that OPM’s COBOL-based legacy mainframes were “too old” to support encryption.
Just how old were these machines? IBM mainframes have had hardware-assisted encryption since at least the 1980s and public key encryption since the 1990s. And the COBOL programming language, which should have been retired from federal IT systems long ago, is nevertheless perfectly compatible with encryption.
There is no technological magic bullet that can guarantee our safety from the cyberattackers who will continue to come out of the woodwork. A former CIO of Homeland Security testified before Congress that the problems afflicting OPM are widespread and that we should expect to find similar breaches in other federal agencies.
The security risks at OPM, and in the federal IT establishment as a whole, stem as much from obsolete patterns of organization and behavior as from outdated technology. The OPM breach demands a radical rethink of federal IT culture. Personal accountability from leaders is an indispensable first step.
We have been down this road before – and not so long ago, either.
Few in Washington can have forgotten the disastrous launch of HealthCare.gov. In the wake of that mess, the Obama administration responded with an admirable willingness to think outside the box. Two innovative units were formed with the express intention to disrupt traditional federal IT development practices: GSA’s 18F and OMB’s U.S. Digital Service. Both units promote an approach known as agile development, whose foundational values include close cooperation between users and technologists, rapid response to change, and continuous improvement.
Agile is chiefly a development methodology, but it can in fact be applied to cybersecurity as well. The key insight of approaches like those promoted by 18F and USDS is that change is as much a question of what is in people’s minds and how they work together as of what technology or formal paper-based standards they use.
Let’s hope those responsible for steering the OPM’s future – and that of federal IT cybersecurity as a whole – are ready to learn this lesson. The time has come to follow the example of 18F and USDS and create a new organization charged with bringing fundamental change to federal IT security culture.