Obama’s War on Hackers

President Barack Obama meets with members of this national security team and cybersecurity advisers in the Roosevelt Room of the White House in Washington,Tuesday, Feb. 9, 2016.

President Barack Obama meets with members of this national security team and cybersecurity advisers in the Roosevelt Room of the White House in Washington,Tuesday, Feb. 9, 2016. Pablo Martinez Monsivais/AP

The federal action plan calls for a new commission, public service campaigns, and funds for replacing old, insecurable government IT.

Hackers are now probing the deepest secrets of every federal agency, according to the Department of Homeland Security's cyber chief. But it's OK: The intruders are from DHS.

It’s part of an exercise the agency is undertaking to test vulnerabilities in federal computer systems full of sensitive data that are prime targets for the actual bad guys.

Agencies recently took stock of IT tools and databases that would upend government operations if tampered with.

“We are now putting those through our red teams, which is people that know how to break in," said Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications.

The authorized hacking is part of a civilian agency cybersecurity strategy precipitated by a real-life breach of an Office of Personnel Management background check system. The attack exposed not only intimate details on 21.5 million U.S. national security professionals and their families, but also vulnerabilities in OPM's IT environment that date back to the Reagan era.

On Tuesday, that strategy was folded into a grander action plan, the Cybersecurity National Action Plan, unveiled earlier this week in conjunction with President Barack Obama's 2017 budget. Among other things, the new plan calls for a commission, public service campaigns, and funds for replacing old, insecurable government IT.

The plan also includes a $19 billion funding request to support cybersecurity activities, on top of the $14 billion sought last year and $59 billion spent on federal agency information security, alone, since 2010.

Last-Ditch or Capstone?

There’s a long, mostly ill-fated history of presidents declaring war on complex, thorny issues, including Richard Nixon’s War on Drugs and Lyndon Johnson’s War on Poverty. This effort may not quite be Obama declaring “war on hackers.” He hasn’t used the phrase and, in today’s jargon-laden Washington, officials mostly refer to this new effort by its official acronym, CNAP (pronounced, unfortunately, “See-Nap.”).

But the new plan does symbolize Obama’s last chance to prove progress in an ongoing effort -- costing $73 billion since fiscal 2010 and counting -- to strengthen the nation’s online security.

This is not Obama's first attempt to defend the nation against organized cybercrime.

During his first year in office, the president commissioned a 60-day Cyberspace Policy Review and appointed the first White House cybersecurity coordinator, aka "the cyber czar."

In 2013, Obama signed a critical infrastructure cybersecurity executive order to shore up the power grid, banking system and other vital U.S. networks, 90 percent of which are owned by the private sector. Late last year, he enacted legislation making it easier for government and industry to exchange threat tips, despite a controversy over potentially exposing the digital footprints of innocent Internet users.

Backers describe the latest cyber initiative as a reaction to a danger that is not letting up, even with everyone's best efforts to address it.

"This is really a capstone effort that had been building for some period of time and what we're really saying is that, in effect, we're doubling down on what we'd been doing and trying to accelerate it because of the growth in the threat," said the current cyber czar, Michael Daniel.

Making Systems More Secure -- By Design

During the latest high-profile strike against federal systems, an unidentified hacktivist allegedly leaked contact information on some 9,000 DHS personnel and 20,000 FBI employees retrieved from a Justice Department computer.

The concept of turning on multibillion-dollar IT systems and security -- at the same time -- only recently became a reality.

For decades, protections were engineered after the fact and checked up on every three years. In March 2010, Vivek Kundra, the first-ever U.S. chief information officer at the time, testified to House lawmakers that it was wrong to "bolt-on security afterward," adding that "security investments are best when they are actually baked in to the systems."

This week's plan proposes Congress spend $3.1 billion on a new pot of money to replace or upgrade antiquated IT. Agencies will vie for a piece of the pie by submitting blueprints for systems that, among other requirements, would be shared across multiple departments.

So-called shared services could help with a cybersecurity talent shortage by allowing agencies to tap the same pool of existing cyber pros instead of "diluting their capability,” Daniel said. He and Schneck, along with other federal cyber leaders, spoke at a Thursday forum in Washington hosted by the New America think tank.

Shared systems also could shrink the network perimeter the government is trying to defend, the officials said.

The very foundation of the World Wide Web needs some retooling in order to support 21st-century protections, officials noted.

The federal government will work on the "security of the same basic fundamental protocols on which the Internet is built -- things like the way that packets [of data] are routed to their destinations, and the way that computers synchronize with each other and agree on what time it is -- these turn out to have very significant security implications," said Edward Felten, the White House’s deputy chief technology officer.

Another Commission?

But to skeptics, a new "Commission on Enhancing National Cybersecurity," sounds destined to fail, as most commissions in Washington do.  

Daniel, responding to this concern, said the commission is partly aimed at offering advice in the final days of Obama's term to the next administration.

There are questions, too, about expending more money on a governmentwide intrusion prevention and detection system, dubbed EINSTEIN, that could not see the OPM hack as it was happening. The federal firewall was just the subject of a brutal audit that reported the system didn’t detect 94 percent of commonly known vulnerabilities and was incapable of checking Web traffic for malicious content, among other things.

Administration officials want to invest $471 million in EINSTEIN next year.

Schneck, a computer scientist who left McAfee to join DHS in 2013, said she’s aware the system is not cutting edge.

When she arrived at the department, colleagues asked her to "look at this EINSTEIN thing and tell us about it, and by the way, the technology is 10 years old," Schneck recalled. "So I studied it for a long time . . . it basically blocks things that it knows are bad," and that technology, as she informed her coworkers, “is not 10 years old -- in fact, it's about 25 years old."

Still, she characterizes EINSTEIN as a vital part of the government's information security toolkit.

The system captures "all of the traffic," with privacy protections in place, "that comes in and out, day in, day out, 24-7 of every federal agency that we protect."

Based out of a newly christened DHS Silicon Valley outpost, staff soon will consult with startups about novel mechanisms to make EINSTEIN smarter, Schneck said, adding she "launched" the department's first operations employee out there Feb. 2.

Another shortcoming of the action plan, some observers say, is that it does not concentrate on the international aspects of the Internet security problem. Only one bullet point describes an intention to "further bilateral and multilateral commitments" to agreeing on norms of behavior in cyberspace.

The effort, Daniel said, "has a strong domestic focus because that's where we need to put time and effort," adding that the administration is very mindful of the global dimensions of the challenge.

Daniel told reporters after the event that America is at times more at risk in cyberspace than land, sea, air or outer space.

"The adversaries are beginning to learn that it's actually sometimes easier to attack us in the cyber domain than in any other sort of area," he said. "If we want people to take advantage of and really extract the value from electronic health care records, we've got to trust that they're information is going to be protected, not just by the government but by the companies" that store them.

In fact, the national security implications of cyber assaults were referenced by Obama himself on Tuesday, when he released the budget and established the new commission.

"More and more, keeping America safe is not just a matter of more tanks, more aircraft carriers; not just a matter of bolstering our security on the ground,” Obama said. “It also requires us to bolster our security online.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.