
Good Grief: Isn't Anyone Responsible Here?

The government must empower cyber professionals with both capability and liability.

We all have seen the news of the massive theft of information from the Office of Personnel Management (OPM). In a nutshell, with extremely high probability, just about anyone who does work for the government—by one estimate, more than 21 million people, which includes yours truly—had very personal information stolen. In my case, this could mean that the last 35 years of my life, everywhere I lived, everywhere I worked, the names and contact information of my close relatives and closest friends, and virtually everywhere I traveled outside of the United States of America is in the hands of what is speculated to be the Chinese government. In some cases (not mine, of course), the information will include self-disclosed arrest information, drug and alcohol abuse disclosures, and whether bankruptcy was declared.

Good Grief! And, what do we get from those in charge of the OPM? Well, to my mind, it is exactly what the Peanuts characters hear when the adults talk: "waa-waa-waa." Translated for your benefit: The now-former director of the OPM says she does not believe "anyone is personally responsible." It is just this lack of personal responsibility as well as other cybersecurity failures that needs to motivate us to a new approach—one that recognizes that every business relationship today has its implementation foundation built on information technology.

Although the director of the OPM has resigned, there still is no real accountability or responsibility. Dozens of OPM government employees and contractors knew the state of their system and its lack of protection. The problem is that these people know, with certainty, that there is no accountability and there is no responsibility. The chief information officer (CIO) has not resigned, and that person is directly accountable to Congress to sign off that the agency's systems are FISMA compliant. Go to the OPM Office of the Inspector General Report for 2014, and just read the summary page under "What Did We Find?" and you will be appalled.

There is some glimmer of hope on the trail to real responsibility. As reported in the Wall Street Journal CIO Report by Kim S. Nash, the OPM CIO had better obtain some lawyers as she is being sued. The legal threshold is high, but this is at least a step away from zero responsibility. Of course, if she loses in court, what exactly is going to be the remedy for the people impacted? She most likely has no money, even if that is a potential judgment. Would this actually change the environment to generate some real focus on cybersecurity?

The old adage is "you get what you pay for." In the business world it transforms into "you get what you measure," and I contend that in the cybersecurity world, "you get what someone is liable for." In fact, the government gets precisely what it measures, preferring to award lowest cost technically acceptable (LCTA) contracts where in general there is no significant liability for cyber failure and, more importantly, no emphasis exists on actually grading the contractors during source selection against cybersecurity performance. In the OPM case, the government hired a contractor to perform background checks and submit data. This contractor's system became entangled in the government's system. Because little emphasis existed on the cybersecurity posture of the contractor as part of the performance of the contract, the contractor's system apparently was not well managed or secured; and when the attackers found a hole, they ran all the way into the government and enabled the theft of massive amounts of data.

Most likely, the system was built by a contractor many years ago—this is speculation—and still is in place because budgets and priorities always are about maintaining the status quo and "working on" new solutions. In general, government finds it very difficult to abandon outdated or obsolete systems. Industry, on the other hand, does abandon them: it invests in new, modern methods and either sells or disposes of the old.

In the business environment, companies directly have to address the risk of doing business. This is represented by insurance for fire and theft as well as, in many cases, for other business-related issues such as product liability. In the commercial world, poor business practices translate into higher business losses—such as product-related liabilities—and an increase in costs because of rising insurance rates along with potentially large expenses from punitive damages imposed by a court decision.

In addition, business executives directly are accountable legally, such as from legislation along the lines of Sarbanes-Oxley and HIPAA, and from their boards and stockholders. Accordingly, these executives can lose their jobs and even go to prison. Business leaders also are responsible for the entirety of their business—accounting, hiring, delivery, liability and profit to shareholders and owners. Hence, they know how it all works together, and they make decisions with the overall goal of business sustainment and growth as primary focus elements.

In the current government environment, and almost surely at the OPM, none of the normal commercial business pressures are at play, especially in light of comments that "no one is personally responsible." The problem is that when the government takes on the responsibility directly, in general there are virtually no administrative or legal repercussions for a massive failure. Assuming a good-faith effort, organizations such as the OPM grow their government-supervised internal cybersecurity operations: setting up processes, buying tools and then trying to keep up with the quickly morphing cyberthreat landscape. Miss one step in this activity, and a massive cyber failure takes place.

Cybersecurity technology is not the culprit here. It is the lack of understanding by leadership as to how to apply cybersecurity as an enterprise core competency where agency heads are not dazzled by the latest buzzwords but see the enterprise as a single architecture that includes its partners.

So what can be done? A good friend of mine loves to quote Peter Drucker: "There is nothing so useless as doing efficiently that which should not be done at all." In this case, doing the internal cyber efforts of a government organization more efficiently is nearly a waste, and the reason is simple. Adding processes, tools and oversight does not make anyone actually responsible or liable in the legal sense of the word. What needs to be done is a complete shift of activity to an approach that selects providers that offer a warranty or service level agreement not only for the performance of the direct work—performing background checks—but also for all necessary information technology components. This is not just a selection by reputation, but a selection that is based on the company's willingness to "put its money where its mouth is."

The vision is that an organization such as the OPM will select a responsible party with a track record of performance demonstrating that it can do the job and that it stands by its work when there is a cyber event. Sign it up for real metrics, for example, on the time between discovery and reporting and on the number of days between major cyber events. Don't take the contractor's word for it: hire an independent auditor, review the cyber performance every month or week, hold the contractor to its agreements, and hit it with penalties and even legal action for failure.

However, liability is just one element. We must not perpetuate security as a separate function, so we need to do more. We have to get away from escape clauses that boil down to the contractors just doing what the government wants them to, and where the government supervises or even performs the assessment and authorization process for the systems. Without additional change, the liability melts away into the political morass and standard government CYA.

The solution to our problem is that we need the system provider, and its subcontractors, to provide the warranty just as they do today for their financial systems. Just as a company or the government may hire an accounting or financial firm, so do they need to hire their cyber firm—both need to be accepted and certified. Then the government needs to focus on monitoring and spot checks and not on interfering in the contractor's activities, because when it does, the liability goes back to the unaccountable.

Of supreme importance, this needs to expand to cover virtually any service the government contracts for. In the OPM's case, the apparent root-cause system that enabled the breach was associated with a contracted personnel background investigations company. The performance of the contract came with an information technology system that electronically interacted with the government system. It does not matter what service or product you buy: you are buying into that company's cyber posture, how it manages its information technology and how it interacts with the agency's information technology. This is what the CIO needs to understand and address.

You might ask whether anyone would take on such an activity, but it happens every day. Certified public accountants and professional engineers have to sign their work. Maybe this approach will scare away some of the "Johnny-come-lately cyber expert" companies that give advice but take no responsibility for the actual result. Companies that have their act together and that genuinely understand the risks and technology will rise to the occasion.

Using this method, there will never be a time when someone is not responsible. True risk equals good reward for cyber companies and other providers that actually stand up for their work combined with information technology security results. Maybe "doing efficiently" our current approach should "not be done at all"—after all, it does not seem to be working.

Dr. Wesley Kaplow is the vice president, network solutions, and chief technology officer for Polar Star Consulting.