
The devastating breach of US government data highlights an illusory cybersecurity paradox

The Theodore Roosevelt Federal Building that houses the Office of Personnel Management headquarters is shown June 5, 2015 in Washington, DC. Mark Wilson/Getty Images

Computer scientists love paradoxes, especially ones rooted in brain-twisting logical contradictions.


As progressively worse details leak out about the Office of Personnel Management (OPM) breach, baffled and outraged observers contend with another thorny paradox – why is cybersecurity simultaneously so hot and yet so devastatingly neglected?

Upon closer inspection, however, the paradox is revealed to be illusory.

Despite the immense amount of energy and activity that we pour into understanding the nature of cybersecurity and cyberpower more broadly, we persist in ignoring boring but immensely consequential flaws in our information architecture.

The longer we refuse to examine real cyber threats rather than fantasies of super-hackers and apocalyptic scenarios of cyber-doom, the more vulnerable we become to hackers like those that carried out the OPM breach.


We hear all the time about the importance of cybersecurity. Throughout the government and the broader public policy sector, cybersecurity and cyberwarfare are the hottest topics of interest. Attach the prefix “cyber-” to something and the wonkosphere goes gaga.

A naïve observer watching all of this cyber-related activity would conclude that the powers that be have recognized the problem and are doggedly trying to make us all safer. Cyber is hot, the smart people are working on the problem, so nothing to fear, right?

Since 2011, the White House has put out a raft of initiatives and policy documents concerning cybersecurity. Since 2009, the Department of Defense has operated a cyber command. The Department of Homeland Security has been heavily involved in combating cybercrime.

Technology and security is a growth area even in post-Sequestration DC, with high demand for skilled cybersecurity workers in government and industry. The Defense Advanced Research Projects Agency runs a cybersecurity challenge and is managing several large cybersecurity-related projects.

The demand for cybersecurity is peaking. Flickr

Every military service is retooling its doctrine and personnel for cyber conflict, and some even want a new cyber-oriented military service branch. The Federal Bureau of Investigation and the Central Intelligence Agency are both scrambling to integrate more cyber-related functions into their organizations.

And some of our nation’s oldest public policy institutions have built up cybersecurity expertise and initiatives. In a (frequently moronic) nod to the cultural penetration of cybersecurity, even police procedural TV dramas have replaced their usual crew of hard-bitten cops and forensics geniuses with law enforcement coders.

But the OPM breach contradicts this rosy picture. Everything – from the decaying legacy systems that the agency maintained to giving privileged access to China-based subcontractors – suggests systematic failure of staggering proportions.

It doesn’t help that the White House cyber czar is a man who has publicly bragged about his lack of technology experience or expertise. Security experts have blasted the government’s crusade against encryption and view its new security proposals with scorn and suspicion.


As software engineer and Slate columnist David Auerbach pointed out, the government also – when compared to the private sector – has nonchalantly ignored the lessons of a stream of hacks that preceded the OPM debacle.


The cybersecurity analyst Brian Krebs assembled a pre-OPM timeline of shame in the last year alone, with (to name a few) intrusions into the government’s now-defunct main background check provider and the company that replaced it. OPM also predictably ignored security warnings from the Office of the Inspector General prior to the hack.

An employee of the U.S. Office of Personnel Management departs the building during the lunch hour in Washington June 5, 2015. REUTERS/Gary Cameron

So if cybersecurity is apparently so important, why is it so neglected? Is all of DC’s cyber boom just hot air or a cruel joke? Why are the actual results of all of this cyber-hustling so thoroughly underwhelming?

It might not be as fundamental to computing as the Halting Problem or as philosophically rich as debates over whether machines can have minds and think, but the glaring disjuncture between the prominence of all things cyber and fundamentally unacceptable and humiliating incidents like the OPM hack surely ranks as one of computing’s most puzzling mysteries.


A closer look, however, suggests that there may be an answer to the paradox: the government sector cares about cybersecurity, but many within it live in a fantasy world populated by shadowy super-hackers and the alleged threat of a catastrophic “cyber Pearl Harbor.”

Public officials spin tales of cyber-apocalypse, warning of hackers shutting down the power grid or causing stock market chaos. Catastrophic cyber-attacks are regularly predicted. Every prominent hack is dubbed a “cyber wake up call,” that most trite and useless of phrases. When one fights a phantom, measuring progress or failure is by definition impossible.

Hence it is easier to posture as if one cares about cybersecurity if the metric of success is whether or not one has prevented an event that many believe is a myth.

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon

After all, if President Obama were to declare that he is standing up a new agency to prevent a catastrophic surprise attack by Godzilla, how would we judge his progress toward such a goal? After all, no giant fire-breathing Japanese monsters have attacked us yet, right? How could one judge success or failure in preparing for a science fiction scenario?


Unfortunately, this is exactly what we have done with regard to how we think about cybersecurity.

Additionally, no harsh choices or sacrifices are required to mobilize against a myth. In contrast, cleaning up the systematic dysfunction in OPM and other agencies will require a harsh and swift hand and plenty of pink slips.

Fantasizing about super-hackers and visions of cyber-doom is more fun than the boring but necessary drudgery of, for example, modernizing a decrepit and decaying federal information technology base or ensuring that basic security protocols are observed.

It might be fun to fantasize about super hackers, but the drudgery of cyber security is much more important, and boring. via DVDBeaver

The failure to sweat the small stuff stems from the romance of being a soldier in the war to prevent Cyber Pearl Harbor being vastly more appealing than the tedium of ensuring that high-end government systems aren’t running COBOL, an old programming language that fewer and fewer coders know how to use.


And if the government is worried about attracting top Silicon Valley talent, it could start by trying to ensure that the desired talent’s security clearance information won’t be leaked to foreign intelligence services if they decide to work for Uncle Sam.

The first clear step towards cyber-sanity is directing the enormous governmental and extra-governmental cyber apparatus towards measurable, clear goals. As Auerbach says, outsiders must carry out unsparing audits of key agencies and systems, and the government should use such problems to solve quantifiable, measurable problems that it actually has.

The longer that our government cyber-specialists chase the shadow of looming cyber-doom and ignore the festering wounds and gaping weaknesses in their own information architecture, the more a genuinely cyber-catastrophic event becomes a self-fulfilling prophecy.

Adam Elkus is a Ph.D. student in Computational Social Science at George Mason University. He also currently serves as a Technology Research Analyst for Crucial Point, LLC, and a National Cybersecurity Fellow at the New America Foundation. Follow him on Twitter.

Read the original article on Contributor. Copyright 2015.