US Cybersecurity Policy in One Sad Cliche: "People Who Live in Glass Houses Shouldn’t Throw Rocks"

Illustration for article titled US Cybersecurity Policy in One Sad Cliche: People Who Live in Glass Houses Shouldn’t Throw Rocks

The US doesn’t have a problem punishing foreign hackers. The government killed an ISIS hacker with a drone in August. It quickly sanctioned North Korea following the Sony hack. So why hasn’t the United States retaliated against the OPM hackers?

Advertisement

Watching the Senate Armed Services Committee hearing on US cybersecurity policy on Tuesday, it seems like the people making decisions are as confused as the rest of us.

At one point, Sen. John McCain (R-AZ) asked Deputy Secretary of Defense Robert Work if there was a policy in place to deal with incidents like the hack of the US Office of Personnel Management.

Advertisement

“First is to try. First we deny and then we first find out-we do the forensics,” Work said. He spoke with impressive confidence, as if the words he said weren’t a stream of nonsense.

“I’m not asking the methodology, I’m asking the policy,” McCain interrupted, asking Work if the US would respond to OPM-like hacks by counterattacking, or by some other measures.

“That may be one of the options,” Work said.

Director of National Intelligence James R. Clapper Jr. was equally vague when McCain questioned him about responding to hacks like OPM debacle.

Advertisement

“I think it’s a good idea to at least think about the old saw about people who live in glass houses shouldn’t throw rocks,” Clapper said, noting that the US also practices cyber espionage. This bears repeating: The Director of National Intelligence strongly implied that the US shouldn’t punish other governments for tit-for-tat attacks. Clapper’s argument here is “we spy, they spy back.”

McCain was not happy with that response. “So it’s okay for them to steal our secrets that are most important because we live in a glass house?” he said. “That is astounding.”

Advertisement

McCain’s frustration was warranted, but high-ranking government officials dodging senate hearing questions is a little too commonplace to call “astounding.” Water on Mars is astounding. These answers from Clapper and Work are simply cagey and evasive.

What came off as confusion is a ploy to hide the clumsy brinksmanship that happens between superpowers. Clapper, McCain, and Work are dancing around the fact that the US isn’t responding to the OPM hack because it’s not strategically advantageous for it to do so, period.

Advertisement

The theft of 22 million federal employees’ background checks, fingerprints, and other sensitive data is a real threat to national security. The stolen information can be used to blackmail, hack, and track federal employees, including State Department officials. The US doesn’t know exactly whose information was stolen, making it harder to identify potential targets. It certainly qualifies as the type of intrusion President Obama condemned in an executive order authorizing sanctions for cyber-threats earlier this year:

With the new Executive Order I’m signing today, I’m for the first time authorizing targeted sanctions against individuals or entities whose actions in cyberspace result in significant threats to the national security, foreign policy, economic health or financial stability of the United States.

Advertisement

No matter how elegant Obama’s cadence is as he discusses protecting the US from digital threats, it’s not simply how bad a hack is that determines a response. It’s who did it, and whether fighting back is convenient.

That means this breach will probably go unanswered. Even after reports that the US considered economic sanctions on China and pulled CIA employees from the US Embassy in Beijing following the theft, the US has not even officially blamed China. Instead, during Chinese President Xi Jinping’s recent visit to the US, Obama and Xi announced an agreement that neither government would digitally hijack the other’s intellectual property.

Advertisement

This ensures that China and the US can continue to digitally hijack the other’s intellectual property without escalating the situation further than that. US inaction helps maintain the status quo, which is HELLA SPYING.

We just lost a spy game. The best option may very well be to act like good sports. But this incident highlights an unsettling truth about the rules of cyber warfare: The personal data for citizens will, more often than not, be collateral damage in a game of chicken.

Advertisement

[Washington Post]

Advertisement

Share This Story

Get our newsletter

DISCUSSION

This is a question I dont expect anyone to have the answers to (if only everyone was as ridiculously knowledgeable as Tyler), but I think it needs asking anyway:

Between the NSA, NRO, CIA and others we must spend wayyyyyy more on cybersecurity/electronic warfare than any other country, have way more advanced equipment, and have a larger and more knowledgeable pool of talent to draw from. But, it seems that barring a few very specific cases (STUXNET, although Israel may have pushed that along), and aside from droning the occasional terrorist, we have used those vast resources to merely set up a gigantic, passive data collection and snooping operation. One that has had a very questionable impact on actual national security, while allowing everything else to fall by the wayside. Is this accurate? Is this just another example of government programs being taken over by the lobbying-industrial complex that focus almost exclusively on using resources instead of focusing on how to defeat real-world threats?

It just seems like we are spending almost all of our resources on hunting for termites when people are in the street throwing torches onto our roof.