from the that-old-thing... dept
Two recent statements made by top intelligence community leaders again should raise questions about why these guys have been put in charge of "defending" against computer attacks. First up, we have the head of the NSA, Admiral Mike Rogers. Back in August, we noted that Senator Ron Wyden had asked the National Counterintelligence and Security Center (NCSC) if it had even considered the OPM databases "as a counterintelligence vulnerability" prior to these attacks. In short: did the national security community who was in charge of protecting computer systems even realize this was a target. As Marcy Wheeler pointed out last month, Admiral Rogers more or less admitted that the answer was no:
After the intrusion, “as we started more broadly to realize the implications of OPM, to be quite honest, we were starting to work with OPM about how could we apply DOD capability, if that is what you require,” Rogers said at an invitation-only Wilson Center event, referring to his role leading CYBERCOM.In other words, the guy who is literally in charge of the "US Cybercommand" organization that is supposed to protect us from computer-based attacks didn't realize until after the hack that this might be a relevant target.
NSA, meanwhile, provided “a significant amount of people and expertise to OPM to try to help them identify what had happened, how it happened and how we should structure the network for the future,” Rogers added.
Then, fast forward to last week, where Rogers' boss, Director of National Intelligence James Clapper, testified at a Congressional hearing about the hack. After admitting that CIA employees had to be quickly evacuated from China after the hack, he more or less said that the US shouldn't retaliate, because this was "just espionage" and that the US has basically done the same thing back to them. At least that's the implication of his "wink wink, nod nod" statement to the Senators:
Director of National Intelligence James R. Clapper Jr., testifying before the Senate Armed Services Committee, sought to make a distinction between the OPM hacks and cybertheft of U.S. companies’ secrets to benefit another country’s industry. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”Now, he's actually making a totally valid point concerning what the US's response should be. Escalating this issue by hitting back at China isn't going to help anything. Rather, of course, the US government should have done a much better job protecting the information in the first place.
And, he said, “We, too, practice cyberespionage and . . . we’re not bad at it.” He suggested that the United States would not be wise to seek to punish another country for something its own intelligence services do. “I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks.”
But when you look at these statements together, it shows the somewhat cavalier attitude of the US intelligence community towards actually protecting key US assets. And that's because the US intelligence community is -- as Clapper basically admits -- much more focused on hacking into other countries' systems. For a while now, people have questioned why the NSA should be handling both the offensive and defensive "cybersecurity" programs. The theory has long been that because the NSA is so damn good at the offensive side, it's better positioned to understand the risks and challenges on the defensive side. Yet, given that the NSA's overall mission is so focused on breaking into other systems, it seems that whenever the two conflict, the offensive side wins out and less is done to protect us. The simple fact that the US intelligence community is basically admitting that we do exactly these kinds of attacks on China, yet never considered the same might be done to us, should raise pretty serious questions about why we let the intelligence community handle protecting us against such intrusions in the first place.