Is the U.S. government doomed to repeat its past cybersecurity mistakes?
That’s the big question currently plaguing Sen. Ron Wyden (D-Ore.), the Senate’s leading privacy advocate, as Congress begins to consider another piece of cybersecurity legislation in the wake of the largest cyberattack in U.S. government history.
Before Congress passes the major cybersecurity bill that’s on its plate, Wyden wants to analyze what went wrong in the massive data breach at the U.S. Office of Personnel Management (OPM). In the shadow of evidence showing that OPM’s vulnerabilities were known internally as far back as 2007, Wyden sent a letter to William Evanina, the head of the National Counterintelligence and Security Center, asking how aware the agency was of these flaws.
The NCSC leads the federal government’s counterintelligence efforts and has primary responsibility for securing government servers against attacks. If anyone agency were aware of a threat in advance, it would be the NCSC. But one month after he sent the letter, Wyden still hasn’t received a response.
Now, as the Senate prepares to debate the Cybersecurity Information Sharing Act—which would let the public and private sectors share data, including customer information, to combat cyber threats—Wyden is warning that Congress should slow down and learn the right lessons before it compounds the problem and exposes more sensitive data to theft.
In a phone interview on Friday morning, Wyden reacted to a House Intelligence Committee hearing, held last Thursday, with four top intelligence officials and explained why the fight over CISA was even more important in the wake of the OPM hack. Authorizing new data sharing without fixing data vulnerabilities, he said, was “like responding to a bear attack by stockpiling honey.”
What struck you the most about Thursday’s testimony from senior intelligence officials?
Sen. Ron Wyden: What was striking to us about yesterday is there was some interesting discussion about going forward. But if you’re really going to attack this issue, so it doesn’t create another, similar kind of problem, you’ve got to look at what happened in the past, and particularly as we’ve been unpacking this—and as you know, in August, I asked the NCSC, the counterintelligence and security center, whether the agency identified OPM as a potential security risk prior to the hack, and what steps it took. We haven’t gotten a letter back. And the reason, ultimately, I thought that was important, is the inspector general, their own inspector general, the OPM inspector general, had identified real risks to OPM’s security practices as early as 2007.
“I believe we have capabilities today that we did not have in the run-up to 9/11. We also have a burgeoning set of threats that are more serious today.”
So you say to yourself, and this is what we all did when we unpacked it … is, by 2007, the inspector general is saying, “Hey, there are some real problems at the crown jewel of U.S. personnel information.” And I want to see what was done to address those problems that were identified. In effect, NCSC is tasked with an important job: to defend U.S. classified information and assets from foreign adversaries. Given the fact that this [CISA] debate is coming up, it’s troubling that we can’t get an answer from them.
Let’s cut to the end of it: This all relates very much to the debate about the cybersecurity legislation coming up. I’ve been watching as this goes forward—there’s this phrase going around the cybersecurity community, “If you can’t protect it, don’t collect it.” Now, there is never going to be a system that’s 100 percent safe. But what I’m going to start [saying] on the floor as we get to this [CISA debate], is, you give the government a huge new trove of personal information about Americans before you’ve addressed the problems that were documented all the way back to 2007—those security holes—before you address those, [before] you plug them, that’s like responding to a bear attack by stockpiling honey. That’s going to be how I open the debate.
Director of National Intelligence James Clapper mentioned that the U.S. needed to create “both the substance and the mindset of deterrence” to prevent another hack like OPM. What are your thoughts on that? Do we need to be more muscular and more vocal about deterrence?
Obviously, you need to have consequences when you’re attacked. But this idea that your only policy is going to be to just attack back—I think there’s got to be more to the equation than that, a more encompassing range of options.
Admiral Mike Rogers, the director of the National Security Agency, mentioned at the hearing that U.S. authorities for offensive cyber operations were murkier than their defensive authorities. Does that worry you?
I certainly intend to follow that up, because it is very murky. Rogers, according to the media reports—because we’re not talking about anything classified—said that [NSA officials] weren’t called in by OPM until, in effect, after the attacks. These are the press reports. I think it’s constructive that the admiral was specific.
But going back to this, again, the fact that [these] very security network vulnerabilities were identified when the OPM inspector general started talking about those seven [or] eight years ago, and they weren’t recognized by the agency, I think, is where you have to start. The reality is, especially in Washington, and in the intelligence field, everybody wants to say, after something is brought to light, “We’re going to take care of it in the future. Yes, something’s got to be taken care of in the future.” But to me, you also have the fact that, so often, even going forward, there are holes in the argument about what they’re recommending going forward.
For example, after the OPM hack, we had all kinds of senators saying we’ve got to “do something” to respond to cybersecurity threats. And that’s one of the reasons why the sponsors wanted to bring CISA back. But two things: First, just because you put the word “cybersecurity” in the bill doesn’t necessarily make it a good idea. Number two, the sponsors themselves have now been quoted in publications I’ve seen that what they’re talking about really wouldn’t respond to the OPM attack.
You’ve asked me several questions about going forward. I think that there are clearly policies that need to be addressed, and certainly [that includes] the murky state of the law and policies that Admiral Rogers is talking about. But it seems to me that, if you’re going to get this right, you’d better learn from mistakes when you’re trying to move forward. And right now, we can’t even get the key intelligence agency to respond in writing to what they did given the inspector general’s report of 2007.
“First, just because you put the word ‘cybersecurity’ in the bill doesn’t necessarily make it a good idea.”
So if you don’t get answers in writing, what are your options? Will you try to convince the Senate Intelligence Committee’s Republican majority to subpoena the NCSC director to testify?
I’m prepared to say, “Look, I asked for this a number of weeks ago. This is, to me, the kind of matter that the national counterintelligence and security center should respond to quickly, because it affects a debate coming up.” In other words, there are lots of matters that you ask about that may relate to a debate in six months or a year. We’re going to have a debate on [CISA] in a matter of weeks, which is why I thought it was important the NCSC put this up at the top of the inbox and respond to it. I’m certainly going to talk to colleagues about this. I think we ought to be spending more time on this, trying to get answers to what happened in the past, than the discussion that we had this week about how we’re going to cut off amendments [on CISA].
Obviously, this question of poor agency coordination and missing the signs calls to mind to the Sept. 11, 2001, attacks and the intelligence agencies’ failures then. Are we in a better position right now to assess mistakes in cyber defense, or are we at the cyber equivalent of Sept. 12, 2001, right now?
Well, two things. I don’t think there’s any question in my mind that we have capabilities today that we did not have in the run-up to 9/11. So let’s just be clear about that. I believe we have capabilities today that we did not have in the run-up to 9/11. We also have a burgeoning set of threats that are more serious today—particularly, I would say, in terms of the number of cyberattacks, the number is greater than in that pre-9/11 period—and that’s why getting to the bottom of what seems to have been missed in the OPM followup is so important.
FBI Director James Comey said that there was no evidence that the OPM stolen data has been used to hurt Americans directly. But officials recently told the Los Angeles Times that a “clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result.” I know you can’t go into specifics of classified information, but does Director Comey’s statement ring true to you? Or is there evidence of actual harm to Americans from the hack?
That is an area that I intend to follow up on. I did catch the fact that there does seem to be something of a gap here. But I’m speaking literally from news reports, not from anything beyond that. And as you know, I’m somebody who spent some time following up what happens when there are gaps between what authoritative people have to say on these kinds of matters, and we ought to do that and will do it.
There was a lot of talk at Thursday’s hearing about backdoors and other issues that concern privacy experts. Do you see any sign, amid these warnings about cyber threats, that intelligence officials are softening their stances there? Or are they just doubling down on their desire to collect everything and see everywhere?
I think our coalition that is coming back to the point that we have an opportunity to promote policies that give us both more security and more liberty—that we’re growing. I mean, just think of all that has happened this year. Very shortly, the federal government is going to stop having a federal human-relations database put together by the fact that it was empowered to collect millions of phone records on law-abiding people, and [it] will have to go through conventional means, with warrants, in the private sector.
It wasn’t very long ago when the group of us that cared about this, we could have met in a phone booth. And look at the number of amendments that have been offered to the cybersecurity bill. This is particularly striking because I know the sponsors of these amendments, and they think there’s a real cyber problem out there. They think it’s really serious. And they want to come up with a bill that actually works. And I’ve talked to a couple of them about the fact that the sponsors [of CISA] said in the news media over the summer [that] they think their bill wouldn’t do anything with respect to OPM.
So I do think that support for our side is growing, number one, based on what we’ve seen with the cyber amendments. Number two, if you look at the short time between when I warned on the floor of the United States Senate that there was a problem and … the federal government no longer running a federal human-relations database, I think it’s pretty impressive. And finally, when I talk to colleagues, they understand that the backdoor is going to be increasingly a threat, because they are seeing, as I’ve picked up in our conversations, that the communications system of tomorrow will be increasingly integrated from a global standpoint. It already is. But it will be increasingly integrated from a global standpoint. And that will mean that, when you use authorities like [Section] 702 [of the FISA Amendments Act], you’re going to have Americans swept up. When you target a foreigner who ought to be targeted, you have to be concerned about Americans who haven’t broken any laws being swept up in searches.
If you don’t get votes on your CISA amendments, are you prepared to filibuster this bill, and if so, will others join you?
Let’s put it this way: I will not casually give up these amendments that are so important to making a flawed bill better. I’m not going to say anything more than that. But I consider this an enormously important piece of legislation. I’ve made it clear I think cyber’s a problem.
“I will not casually give up these amendments that are so important to making a flawed bill better.”
I had a major constituent employer hacked. Solar World, [which] manufactures solar materials, was hacked by the Chinese—they were part of the indictment that our government levied against the Chinese. They were hacked because they insisted on enforcing their [property] rights, and the Chinese were cheating in terms of the countervailing duties in the duty system.
By the way, I also got a letter from OPM saying that my records [were] part of those that were hacked. So these are not abstract kinds of questions. This is a serious issue, but at a time when Americans want policies that make us safer and protect our liberty, I’m not going to casually say, “Okay, let’s go along with policies that don’t do either, that really don’t contribute much in the way of security and jeopardize liberty.”
Illustration by Max Fleishman