6 July 2015

We’re Losing the Cyber War


L. GORDON CROVITZ

The huge theft from the Office of Personnel Management comes after years of Obama administration passivity despite repeated digital attacks. 

The Obama administration disclosed this month that for the past year China had access to the confidential records of four million federal employees. This was the biggest breach ever—until the administration later admitted the number of hacked employees is at least 18 million. In congressional testimony last week it became clear the number could reach 32 million—all current and former federal workers.

The Chinese hackers managed to gain “administrator privileges,” allowing them full access to the computers of the U.S. Office of Personnel Management. Among other things, they were able to download confidential forms that list “close or continuous contacts,” including those overseas—giving Beijing a new tool to identify and suppress dissenters.

That’s not the worst of it. The administration disclosed a separate intrusion that gave Beijing full access to the confidential background-check information on federal employees and private contractors who apply for security clearances. That includes the 4.5 million Americans who currently have access to the country’s top secrets. The potential for blackmail is chilling.

Since 1996 the Defense Department has considered 18,272 appeals from contractors whose security-clearance applications were denied. Decisions in these cases are posted, without names, on a Pentagon website under the heading “Industrial Security Clearance Decisions.” These are detailed case assessments on whether these individuals can be trusted or whether something in their background disqualifies them. China now knows who they are.

One man kept his security clearance despite admitting a 20-year affair with his college roommate’s wife, about which his own wife was unaware. Another accessed pornography on his work computer and didn’t tell his wife “because he feels embarrassed by his conduct.” Another admitted shooting his teenage son in the leg. Other cases detailed spousal abuse, drugs, alcoholism, tax evasion and gambling.

OPM director Katherine Archuleta tried to dodge blame for the security lapses. “I don’t believe anyone is personally responsible,” she told a Senate committee last week. “If there’s anyone to blame, it’s the perpetrators.”

That’s bunk. It’s normal for governments to spy on each other. “If I, as director of the CIA or [National Security Agency], would have had the opportunity to grab the equivalent in the Chinese system, I would not have thought twice,” Michael Hayden, who has headed both agencies, told a Wall Street Journal conference this month. “So this is not shame on China. This is shame on us for not protecting that kind of information.” Current director of national intelligence James Clapper said last week: “You kind of have to salute the Chinese for what they did.”

What can the U.S. do to limit the damage to people with clearances and national security? One inevitable consequence is that U.S. intelligence and law enforcement will enhance the monitoring of Americans with security clearances, including their digital and telephonic communications. Millions of patriotic Americans entrusted with national secrets are going to lose much of their privacy because their government was unable to protect their confidential personnel records.

That loss of privacy dwarfs the hypothetical risks from the NSA that have dominated the headlines about intelligence and surveillance in recent years. The Edward Snowden leaks distracted Washington from the pressing challenge of using intelligence better to prevent foreign hacking of Americans—a challenge only the NSA has the range of tools to meet.

The Obama administration passively endured years of cyber attacks leading to these most recent hacks. It only reluctantly named North Korea as the culprit in the hacking of SonyPictures. A federal prosecutor indicted five Chinese military hackers, but the defendants remain safe in China. Mr. Obama got authority to order Treasury Department sanctions against anyone involved in a cyber attack that poses a “significant threat” against the U.S. or an American company, but he has not used the power.

Mr. Clapper says it’s time for the U.S. to get tougher by outlining in advance what the U.S. response will be based on the seriousness of a hacking incident. He proposes specific punishments for crossing various hacking “red lines.” The downside is that nobody believes this administration when it speaks of red lines.

Americans expect their government to protect them in the digital, as much as the physical, world. The next president should accept the responsibility to fight back against cyber war before more is lost.

No comments: