The recent Office of Personnel Management (OPM) hack reveals that the US Government needs to significantly “up” its security game. Upping the game means that government security staff needs to impose greater restrictions on information access. But, one should ask, “Why were these secret documents so easily accessible to intruders?” And why wasn’t the information encrypted or encoded? The greatest threat to national security isn’t that the hackers now have the Social Security numbers of perhaps four million current and former government workers; it’s that they possess the agency’s database of SF86 forms. For those of you who don’t know, the SF86 form is the extensive 127-page background document used to grant or deny national security clearances to applicants.
If you don’t realize the sensitive nature of those forms, you need to know that they are in-depth, deep disclosure forms that contain extensive information about the applicant. How extensive, you ask? Imagine that you have a best friend whom you’ve known from birth and she applies for a national security clearance. These forms and associated investigations contain information that you don’t know and that her mother doesn’t know. And that information includes extensive information about you too. That’s right—the form covers information on friends, neighbors, grades, arrests, travels, and more. So, if you’re a friend or neighbor of someone who wants a security clearance, your information goes into the form and chances are very good that an investigator will contact you for an interview focused on the applicant.
Albert Einstein once said, “I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.” A war fought with 1s and 0s might surprise Einstein, but it doesn’t surprise security researchers who have stated in unison that the next war will be fought in cyberspace. Government security professionals call it “Information Warfare.” Consequently, the Department of Homeland Security uses a detection system called EINSTEIN to locate breaches such as the OPM hack. The EINSTEIN system screens Internet traffic into and out of government facilities to identify these threats.
As far back as 1999, the US considered electronically removing money from Serbian leader Slobodan Milosevic’s bank accounts, but decided against it due to legal concerns. Perhaps it’s time to adopt Frank Smedley’s attitude of “All’s fair in love and war” and redefine our rules of war.
To that end, here are 10 tips for a safer government cyberspace:
- Forget about standard rules of engagement and Geneva Conventions—this is cyberspace and bad guys don’t play fair.
- Protect our data by any means necessary, including proper change auditing—theft is theft and it’s a crime.
- Don’t be afraid to fight back—launch counterattacks. This is war after all.
- Turn off the hacker’s Internet access—call it a cyber-sanction.
- Put private data on secure systems on private networks.
- Set up multi-factor authentication—or multi-person, multi-factor authentication.
- Keep around-the-clock security personnel on the job—bad guys attack when we’re asleep, so we shouldn’t sleep.
- Don’t offshore our security—let’s keep a few things to ourselves.
- Create some new encryption algorithms and then don’t tell anyone what they are.
- Create an international cybercrime task force to enforce laws and impose penalties on cybercriminals.
Cybercrime is uncharted territory for governments, but that has to change. A government has to protect its citizens on the ground, in the air, on the sea, and in cyberspace. We have to deal with cybercrimes and cybercriminals, even if it’s other governments that perpetrate those crimes, in the same fashion that we deal with all criminals: due process, conviction, and sentencing. When information itself is the new currency, we have to protect its value, its exchange, and its owners.