June 22, 2015

Poor Federal Cybersecurity Reveals Weakness of Technocratic Approach

Summary

To truly improve cybersecurity preparedness, unsuccessful top-down technocratic measures should be replaced by self-organizing collaborative security approaches that emphasize flexibility, evolution, consensus, participation, and incrementalism.

A comprehensive assessment of federal cybersecurity reveals a landscape rife with institutional uncertainty, redundant offices, and suboptimal agency outcomes. This year’s catastrophic breach of the Office of Personnel Management (OPM), whose unencrypted database exposed the Social Security numbers, addresses, financial information, and security clearances of over 14 million current and former federal employees, intelligence and military personnel, and contractors, along with countless family members, friends, and associates listed in federal background checks, is only the latest reminder of these ongoing and dangerous vulnerabilities. The typical federal response to information security weaknesses has been to increase spending, create new bureaucracies, or institute new rules and standards rather than to focus on results. That approach has mainly added to the confusion of the people charged with implementing federal cybersecurity policy, to the detriment of outcomes.

This paper will review the laws and standards governing federal cybersecurity policy and will highlight how overlapping responsibilities and unclear lines of authority have accompanied increasing rates of federal information security failures. The paper will then describe how these systemic cybersecurity weaknesses demonstrate the federal government to be an especially poor candidate for managing national systems, and it will explain the shortcomings of a top-down, technocratic approach.

Uncoordinated Bureaucratic Growth

The federal government has tried to coordinate effective public and private information system management through several legislative and executive means over the past two decades. President Clinton’s Presidential Decision Directive 63 (PDD-63) in 1998 developed an outline for a public-private partnership to “eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.” Clinton’s National Plan for Infrastructure Protection (NIPP) of 2000 addressed in more detail “critical infrastructure assets” deemed so vital to the nation that their incapacity would have a crippling effect on the country. Congress passed the Federal Information Security Management Act (FISMA) in 2002, which outlined legislative milestones and increased federal investment in agency information security systems in an effort to meet the newly established standards by the end of the decade. In 2003, President Bush implemented a new and slightly different national cybersecurity initiative called the National Strategy to Secure Cyberspace, which prioritized cybersecurity threat identification, response, and notification. It did not mention PDD-63 or the NIPP once.

Five years later, Bush’s classified Comprehensive National Cybersecurity Initiative (CNCI) again attempted to outline an authoritative federal cybersecurity strategy, this time emphasizing threat detection and information sharing. President Obama has likewise contributed to the thicket of federal cybersecurity policy, first by issuing a Cyberspace Policy Review in 2009 that encouraged unification of overlapping policies and increased investment, education, and cyberthreat information sharing among public and private entities. In 2013, Obama issued an executive order calling on the National Institute of Standards and Technology (NIST) to develop cybersecurity standards for critical infrastructure assets, the “Cybersecurity Framework.” A spate of cybersecurity bills was signed into law in late 2014; separately, they designated the National Cybersecurity and Communications Integration Center as the main federal cyber information sharing hub, authorized NIST to facilitate the Cybersecurity Framework, amended the FISMA reporting process, and expanded cybersecurity workforce assessments and placements. Now Congress and the White House have developed proposals to increase federal influence over private cybersecurity practices by extending liability protections to private corporations that share sensitive customer data with federal agencies. Yet the existing problems plaguing federal network security are substantial, unaddressed, and likely to undermine the effectiveness of these proposals.

Federal Cybersecurity Policy Lacks Focus

In spite of, or perhaps because of, these accumulating efforts and offices, federal cybersecurity policy has lacked a unified focus for as long as it has existed. The Government Accountability Office (GAO) reports that the growing mass of information security procedures and rules “vary in terms of priorities and structure,” yet do not “specify how they link to or supersede other documents” or “describe how they fit into an overarching national cybersecurity strategy.” Priorities and responsibilities naturally change as technology and security concerns evolve. However, federal cybersecurity initiatives are so complex and inconsistent that implementation has tended to diverge from the intended strategy. Basic planning elements such as milestones, performance measures, cost projections, and specific roles and responsibilities for each agency are rarely spelled out in strategy documents. Confused or overwhelmed personnel have struggled to comply with each new iteration of federal cybersecurity policy, as the annual FISMA reports demonstrate. GAO reviews of federal incident handling find that agencies fail to follow their own incident response procedures effectively or consistently in roughly 65 percent of reported incidents.

Similarly, the federal government publishes no resource detailing the total number of federal cybersecurity offices. An initial investigation finds 62 separate federal cybersecurity centers as of fiscal year (FY) 2015. Of these, 20 were primarily concerned with facilitating information sharing among federal offices or between public and private entities; 14 were housed in the Department of Defense (DOD) and focused specifically on “cyberwar” training, preparedness, and missions; 13 were dedicated to education and research programs; 10 were tasked with maintaining federal network security or overseeing FISMA; and the remaining five were dedicated to fighting cybercrime under the direction of the Federal Bureau of Investigation (FBI).

Many of the offices were identified to operate under nearly identical mission statements with no clear distinction in operations. The GAO has reported for years that such overlapping and unclear responsibilities in federal cybersecurity policy have limited the offices’ ultimate effectiveness. Often, various agency representatives interpreted their responsibilities in a different way than outlined in the text of a law. Merely imposing new policies on top of old ones, therefore, is unlikely to rectify the systemic barriers to security compliance that have bedeviled personnel for so many years.

The National Security Agency (NSA) also assumes a larger role in federal cybersecurity than is often publicly acknowledged. The NSA’s intelligence culture and byzantine organization add another layer of confusion and complexity to federal cybersecurity policy that ultimately frustrates coordination and undermines outcomes. Former NCSC director Rod Beckstrom said he resigned in part because the NSA’s dominant influence in cybersecurity policy crowded out his office’s efforts. Moreover, the NSA has been unable to stem state-backed hacking despite its considerable tools for data extraction and surveillance. In June 2015, the New York Times and ProPublica revealed that the NSA and FBI had joined forces to track the online activities of suspected state-backed hackers overseas by extracting data directly from the Internet backbone. Even so, the massive OPM breach of critical federal data was not identified by the NSA but during an ordinary product sales demonstration. More generally, it bodes poorly for security outcomes that a clandestine agency with a known bias toward weakening encryption standards should take a leading, but hidden, role in cybersecurity provision.

Confusion and Noncompliance Stymie Effectiveness

Given the chaos of existing federal security directives, it is not surprising that the number of reported federal information security incidents has risen sharply over the years despite billions of dollars in increased FISMA investment. OMB’s annual report on federal information security practices and incidents for FY 2014 revealed that the total number of reported federal information security incidents had increased by an astounding 1,169 percent, from 5,503 in FY 2006 to 69,851 in FY 2014. Some of that growth reflects broader mandatory reporting and better detection rather than a proportional rise in successful attacks, but the trend still shows a security posture that has not improved with spending.

Some information security failures are the direct result of personnel noncompliance with established policies. Policy violations, in which federal employees fail to follow prescribed data management practices, were the largest category of reported incidents last year after the catchall “other” category and noncyber incidents involving physical media. OPM, for example, did not even encrypt the sensitive datasets that were recently stolen. On the other hand, compliance on paper with established federal procedures does not always translate into good security outcomes. The National Aeronautics and Space Administration (NASA) received high scores for FISMA compliance, yet reported the highest number of information security incidents of any agency in FY 2014. This suggests that FISMA compliance alone does not ensure better security, and that agencies focused on optimizing FISMA metrics may be neglecting fundamental vulnerabilities more in need of attention.

In many cases, agencies do not properly train employees in general preventative cybersecurity practices. Several agencies reporting the lowest levels of personnel training—including the State Department, Department of Health and Human Services (HHS), and DOD—are prime targets for malicious hackers because they manage large and sensitive datasets, including personally identifiable information of personnel and civilians. Each of these agencies has suffered from major database hacks in recent years.

Similar challenges plague even federal cybersecurity professionals. Communication problems between agency human resource departments and information technology managers result in poor outreach to qualified candidates and ultimately an underqualified federal information security workforce. Federal Chief Information Officers (CIOs) also report that the compensation packages available to personnel lag far behind prevailing private sector pay and are inadequate to attract the “best and brightest” cybersecurity and information technology talent. After hiring, many agencies, including HHS, DHS, the Department of Justice, and the Department of the Treasury, did not require cybersecurity professionals to undergo training or certification programs for several years. The most recent IT Workforce Assessment for Cybersecurity, a self-reported survey of federal cybersecurity professionals conducted by the Federal CIO Council, finds that the lowest average proficiencies among cybersecurity personnel are in digital forensics, threat analysis, and cyber operations, areas critical to robust cybersecurity provision.

A Case Study in Technocratic Weakness

The federal government’s continued failure to secure its own information networks indicates a fundamentally flawed approach to cybersecurity. Sweeping technocratic solutions are imposed anew every few years with little to no understanding of, or continuity with, previous policies. The consistency that top-down plans display on paper breaks down at the human level as personnel struggle to make sense of redundancies and eventually ignore complex reporting and procedural standards. Fundamental problems of talent recruitment and personnel training go largely unaddressed as offices struggle to keep up with changing security checklists, which may or may not translate into good cybersecurity outcomes.

Merely increasing the number of resources or procedures dedicated to federal cybersecurity is unlikely to improve a system built on fundamentally flawed assumptions and processes. Recent proposals to expand the federal government’s role in private cybersecurity provision are more questionable still, given the federal government’s failures to adequately protect even its own systems. To truly improve cybersecurity preparedness, unsuccessful top-down technocratic measures should be replaced by self-organizing collaborative security approaches that emphasize flexibility, evolution, consensus, participation, and incrementalism.