Co-authored by Dr. Stephen Bryen, Founder & CTO, FortressFone Technologies
The U.S. government doesn't protect the personnel information of its employees. The military doesn't protect information about its soldiers; nor the Navy about its sailors, or the Marines about its Marines. The Social Security Administration can't keep a secret -- thus, everyone's social security information is at risk of being stolen, leaving Americans wide open to identity theft and bank account heists. The Defense Department leaves most of its weapons data exposed to foreign predators, who have been having a field day with our defense budget. And the Patent and Trademark office's records are exposed to foreign and domestic competition. The situation has gotten so bad that trust in government is plummeting. Nothing is safe.
Why?
There are three reasons why the situation is so dire and why it was a piece of cake for hackers to rip off more than 4 million personnel records from the little known but important Office of Personnel Management (OPM).
The first reason is that computer systems storing all this information are easy prey for even amateur hackers let alone professional, well financed foreign government sourced attacks. That's because most commercial software was built primarily for entertainment, not for security. Have you ever wondered why Microsoft is constantly patching its Windows operating systems? The reason is that from a security standpoint, it is Swiss cheese. Or why the WIFI router in your home or business is leaking your information? It's because it uses flawed "open source" code for security. Unimaginable? Think again.
Second, the government is very slow to improve security on its computers and networks. Many of the computers the government is using are antique. For example OPM still has 12-year old Windows XT as an operating system for its computers. Microsoft no longer supports XT and any vulnerability that develops is the problem of the user, not of the supplier. But even if the old stuff was upgraded it won't help much because the systems are really clumsy amalgams of disparate parts which as a "system," have never been properly vetted for security.
Even worse, most software is developed without any vetting of the people doing the coding. It is a made in heaven opportunity for exploitation. The truth is that in our software and applications industry there is no security discipline and zero incentive to make code safe.
But the third reason is perhaps the most egregious. The truth is, the government could easily protect information if it encrypted it. But it doesn't. Why?
The issue is an institutional morass. Most of the data we are talking about falls into a "category" of Sensitive But Unclassified (SBU, to use gov-speak). SBU is not classified information and in the eyes of the government it does not qualify for treatment with the same security given to information that is classified. This, of course, is a policy error of gigantic proportion, but the government is simply unable or unwilling to fix the problem.
The NSA does not sponsor encryption for SBU, only for classified information. And the National Bureau of Standards (NIST) that supports encryption for private sector use, such as AES (Advanced Encryption Standard), has nothing to do with SBU information and, in any case, has got dirty hands for slipping spy code into random number generators for elliptical curve encryption systems used by industry.
So what should be done? It is obvious that all Federal information needs to be encrypted for protection. Encrypted information is worthless if it is stolen. Neither Russia, nor China, nor anyone else has the computer horsepower to crack good encryption.
Accepting that this must be done, and done now, the question arises as to who should oversee the process and make sure it is done the right way? NSA is disqualified because it is a spy agency. You can't have the fox protecting the chicken coop. The National Bureau of Standards could possibly do the job, but one has to worry about its willingness to act on behalf of NSA in spy operations. The best solution is an independent non-partisan National Cyber Security Agency (NCSA) that would have only one mandate: protecting SBU information. Instead of Congress passing countless Computer Security Acts which have achieved next to nothing, setting up an NCSA and giving it modest funding would empower it to start putting encryption systems into government departments and agencies.
A pro-active NCSA could save the day by protecting sensitive information. Will someone in Congress or the administration step up to the plate?