What's Wrong With America's Cyber Security Policy?

co-authored by Dr. Stephen Bryen, Chairman, Ziklag Systems

How is it that hackers are blasting away at U.S. government websites, compromising vital national security databases, and compromising virtually every mobile phone the government owns?

The U.S. has spent billions on cyber security, yet the problem is worsening. America's political leaders worry about a cyber "Pearl Harbor." Secretary of Defense Hagel, in his first major speech on the subject, is promising to triple the staff working to combat cyber terrorism.

But will it work? Can adding more people solve the problem?

There are three major reasons why a beefed-up workforce is not going to be of much help.

The first reason is that having more hands is no substitute for understanding the threat. If the threat is not understood, the battle is lost from the get go.

The Pentagon argues that they know that foreign governments, hostile organizations (some of them terrorists), and venal hackers are the problem.

But this assessment is only partly correct. It identifies the possible perpetrators, most of whom operate outside the U.S. Most of the time the cyber vandals don't operate in a void -- they have lots of overt and covert government support. But because they are both remote and protected, the chance of shutting them down is rather small.

Notwithstanding that our government sort of knows who is trying to destroy our computer networks and steal our information, without sound policy on what to do about it, the U.S. is like a ship on the sea at night without a captain.

The second reason the Pentagon and other government agencies have failed in their mission is they have not adequately protected all their networks, computers, mobile devices, and communications.

The truth is, they are light years behind in a comprehensive approach to the problem, and it is getting worse not better.

Our government is not just the actual governing bodies and bureaucracy. Our government is a network of public and private employees and public agencies and tons of contractors.

Want to find out? Apply for a passport. The State Department is in charge of issuing passports. But they don't do the work. They farm it out to a company you never heard of, run by people you don't know which lacks strong security. There are multiple points of failure in this arrangement, and it is not alone. Critically important information is routinely farmed out for processing by multiple government agencies and by the military. No one knows or can say how the web is spun, but even an amateur can tell it is highly vulnerable to cyber attack.

The third problem is truly the blockbuster. The government is mandated by law to protect classified information. It has no consistent laws or enforceable regulations to deal with non-classified information. Big deal?

Indeed. Most of the data that flow through government and contractor networks are not classified. Most of the crucial policy and tactical military conversations are over open lines. It is not because our public officials and our contractors are stupid. It is the system that is at fault. Unless you "qualify" for a secure phone (most of which are antiquated), you are compelled to talk on an open line. That's how one hapless Assistant Secretary of State got caught murmuring her opinion about the European Union and Ukraine's emerging leadership.

It is also how Lockheed managed to "lose" millions of pages of vital documents on our most important military stealth aircraft program, the Joint Strike Fighter. The winner? Almost certainly China, which has gotten a windfall from only a relatively small investment in a hacking cadre devoted to attacking U.S. government organizations, contractors -- even financial institutions. After all, you need to steal some money to pay the hackers, don't you?

The fundamental disease afflicting our cyber warriors is the now outmoded, synthetic and counterproductive separation of classified and unclassified information, a policy gleefully enforced by the NSA. The NSA likes to be in charge of all security systems, and they do that by permitting control only over classified systems, which NSA manages. This approach literally is killing the United States and making our response to cyber warfare irrelevant or worse.

The time has come to change U.S. policy on protecting government information -- including what is entrusted to contractors and to individuals. The government needs a policy to protect 100 percent of its information flows, not just 5 percent as it now does.

Right now there is no mandate for the change. The entrenched, ossified institutions that run the system now don't want it to happen. Can this be changed?

In the "fat" years the United States could allow the leakage of information and technology, export millions of its jobs abroad and still have ample resources to cover its blunders. Those days are over (although a good part of our government refuses to acknowledge the change). If we want to avoid a Cyber Pearl Harbor, U.S. policy on information, data and communications needs radical change and time is not on our side.