Where to Focus First After the OPM Breach
The objective should be to protect the crown jewels of the U.S. government and its people—always.
The recent breach at the Office of Personnel Management (OPM) is a cyber event that has touched many of us personally in a way that other breaches have not. It is not simply government employment data; it is the most personal and detailed of information about many of us or our protégés or friends. It is information that can be used in so many insidious ways, it is difficult to account for or imagine them all. It truly is a national security hit of the magnitude of WikiLeaks and the Snowden case because of the millions of lives, careers, families, agencies and missions that it impacts today and well into the future.
The fact is this data was one of the “crown jewels” of the U.S. government, and yet it apparently was not given the appropriate interagency priority, nor did it receive the multilevel, encrypted data protection accorded to our most precious secrets. So while we know that the majority of government has made important cybersecurity and information assurance progress over the past 5 years, the majority of U.S. government organizations are not yet consistently resilient and successful at protecting their crown jewels.
While this is a most complex, fast moving and often overwhelming national security challenge, our industrial age government structures, processes and authorities are strangling our ability to move with agility and effectiveness to meet a key objective. The objective should be to protect these crown jewels, which include employee or personnel data, government sensitive security plans, intentions, methods and citizens. So frankly, it is meaningless if the U.S. government is better off than it was five years ago, but not successful. Between WikiLeaks, Snowden and the OPM alone, the United States has been dealt devastating blows with real impacts to come for a decade or more.
So where to start? Many successful government organizations and businesses focus on continuously keeping up with the crime trends and technology with several activities:
• Having an up-to-date cyber baseline. This entails knowing what they have in place today—continuous insight across their architectures, applications and processes—their information technology topography, provenance and instrumentation, and real-time situational awareness of which activities are normal or abnormal. They do not implement any “improvement” without knowing what they have.
• Assessing, knowing and protecting their crown jewels first. This involves real insight into which information technology, applications and data sets impact their mission, business functions, revenue and reputation the most. Organizations should put their limited resources on protecting their IP/secret recipe, employee or customer data, financial or medical data, online support to customers or mission. So, when they are targeted, the company or government business functions may be disrupted but they are not stolen or brought down.
• Discovering, tailoring and transitioning the best commercial technologies, practices and expertise. These include cutting-edge open architectures and continuous software upgrades, enabling all to keep up with new threat vectors by continuously leveraging top technology and process solutions at a lower cost. This brings the ability to operate through disruptive cyber events.
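The first two activities above, a current baseline and a ranked view of the crown jewels, can be made concrete in a few lines. The following Python is an added illustration, not code from the article or from CyberSync; every asset name, owner, sensitivity tier and encryption flag in it is constructed sample data. It compares a recorded baseline against a fresh discovery snapshot, reports drift (assets that appeared, vanished or changed), and then ranks what was found so that unprotected crown jewels and unclassified surprises come first in the queue for limited resources.

```python
"""Baseline drift and crown-jewel prioritisation (added example, constructed data)."""
from dataclasses import dataclass

# Sensitivity tiers: higher means closer to the organisation's crown jewels.
# "unclassified" is ranked with crown jewels on purpose: an asset nobody has
# classified yet should be treated as high-risk until someone reviews it.
TIERS = {"public": 0, "internal": 1, "sensitive": 2, "crown_jewel": 3, "unclassified": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    tier: str
    encrypted_at_rest: bool


# Constructed baseline: what the organisation believes it has in place.
BASELINE = {
    "hr-records-db": Asset("hr-records-db", "hr", "crown_jewel", True),
    "clearance-forms-share": Asset("clearance-forms-share", "security", "crown_jewel", False),
    "intranet-web": Asset("intranet-web", "it", "internal", True),
    "public-site": Asset("public-site", "comms", "public", False),
}

# Constructed discovery snapshot: what a scan actually found today.
# Differences from the baseline are deliberate so the drift report has content.
SNAPSHOT = {
    "hr-records-db": Asset("hr-records-db", "hr", "crown_jewel", True),
    "clearance-forms-share": Asset("clearance-forms-share", "security", "crown_jewel", False),
    "intranet-web": Asset("intranet-web", "it", "internal", False),  # encryption switched off
    "legacy-backup-host": Asset("legacy-backup-host", "unknown", "unclassified", False),  # not in baseline
}


def drift(baseline, snapshot):
    """Return (unknown, missing, changed) asset names, each list sorted.

    unknown: found in the snapshot but absent from the baseline
    missing: recorded in the baseline but not found
    changed: present in both, but some attribute differs
    """
    unknown = sorted(set(snapshot) - set(baseline))
    missing = sorted(set(baseline) - set(snapshot))
    changed = sorted(
        name for name in set(baseline) & set(snapshot) if baseline[name] != snapshot[name]
    )
    return unknown, missing, changed


def prioritise(snapshot):
    """Rank discovered assets: highest tier first, unencrypted before encrypted, then by name."""
    ordered = sorted(
        snapshot.values(),
        key=lambda a: (-TIERS.get(a.tier, TIERS["unclassified"]), a.encrypted_at_rest, a.name),
    )
    return [a.name for a in ordered]


def unprotected_crown_jewels(snapshot):
    """Crown-jewel assets that are not encrypted at rest: the first things to fix."""
    return sorted(
        a.name for a in snapshot.values() if a.tier == "crown_jewel" and not a.encrypted_at_rest
    )


if __name__ == "__main__":
    unknown, missing, changed = drift(BASELINE, SNAPSHOT)
    print("unknown assets:", unknown)
    print("missing assets:", missing)
    print("changed assets:", changed)
    print("priority order:", prioritise(SNAPSHOT))
    print("unprotected crown jewels:", unprotected_crown_jewels(SNAPSHOT))
```

The ranking deliberately puts the unclassified host alongside the crown jewels: until someone establishes what data it holds, it is a gap in the baseline, and the article's point is that no improvement is worth making on top of an unknown inventory.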
So what are some strategic approaches that already should have been put in place that could enable all of these recommendations?
The government should establish an interagency-wide cybersecurity clearinghouse and advisory council. This would leverage all proven baseline frameworks, best practices, vetted technologies and expertise from across government, industry and academia. It would enable all government entities to easily establish their cyber baseline and then access, vet, tailor and transition technology or approaches that enable them to protect their crown jewels within their budgets now.
This interagency cyber advisory council should be composed of operational, technical, research and business expertise from across the national and industry labs, the FFRDCs, the commercial sector and academia. It would not be run like a formal board of directors, but instead as a virtual way to tap into initiatives and expertise, obtaining an outside sanity check on all major planning, resourcing, procurement and operational cyber-related decisions.
The government should refine, align and strengthen authorities for an executive agency (EA) approach for key cybersecurity functions. This would support and enable the majority of government entities—as they choose—that do not have the depth and breadth of expertise and years of experience across this space. EA areas could include architecture and supply chain; acquisition and refresh; information and data assurance; defensive operations; information sharing and situational awareness (.gov and .mil); cyber intelligence; cyber training and education certification; next-generation identity authentication government enterprise-wide; and strategy, policy and procedure living frameworks.
Industry can leverage the Information Sharing and Analysis Organization (ISAO) Initiative and finally establish a third-party, nonprofit, trusted agent to be the information sharing and cyber intelligence interlocutor between industry and government. This would enable these efforts to scale at the unclassified level and enrich the DIB, DHS, ISAC and InfraGard efforts that exist today—raising the bar for all. But please, let’s not start from scratch. Let’s take full advantage of the veteran cyber nonprofit organizations that exist today so that we can scale quickly.
Terry Roberts, a former deputy director of Naval Intelligence, is the founder of CyberSync Inc.