US cybersecurity has fallen, and it can’t get up

Those of at least middle age may remember the television commercials for medical alert devices in which elderly people, lying broken-hipped at the bottom of a set of stairs, wailed, “I’ve fallen, and I can’t get up!”

That is the United States government’s position today, having been ravished by Russian intelligence services after repeatedly getting the same treatment from China’s intel services. Perhaps Iran or North Korea will be next.

As has so often happened over past decades, our government may helplessly claim an inability for self-imposed bureaucratic or ersatz “legal” reasons to perform its basic national security functions. But the reality now is that the U.S. would likely lose a military conflict with Russia or China only because of America’s repeatedly demonstrated failure to secure our information systems.

Press reporting indicates that the SVR, successor to the KGB’s elite First Chief Directorate, has penetrated the unclassified systems of basically every sensitive U.S. department or agency. A racetrack bettor might lay smart money on such a penetration also giving Moscow some further access to secret, and perhaps even top-secret or special, compartmented information networks. Let us pray that “air-gapped” networks such as the CIA’s operational cables and the military’s nuclear command-and-control and continuity-of-government systems are still immune.

Moscow and Beijing will know what we plan to do before we do it and, as importantly, what we are just not willing to do. This is because they will have also discovered exploitable vulnerabilities among our security clearance holders and, hard men that these adversaries’ intel officers are, they will blackmail possessors of classified information into telling the SVR or China’s Ministry of State Security all they know.

These horses of the apocalypse having already left the barn, the urgent question is what to do next.

In the private sector, if you lose sensitive client information through negligence, you face significant financial penalties through litigation and regulation. Even if your mistake is indemnified through insurance as a corporate director or officer, your bottom line still suffers, especially if you are an equity holder. But likely no one in the government, even at the senior executive or intelligence service level, will lose a dollar from his paycheck for this latest disaster.

In the military, if Pvt. Snuffy accidentally loses his rifle, it is a career-ending event for his team leader and squad leader, his platoon sergeant and leader, and maybe even for his first sergeant and company commander. And if the lost weapon is subsequently misused, his command sergeant major and battalion commander may also start sweating. But no one in the government will likely lose his or her job from this latest Hindenburg-type event.

Senior federal civilian officials should feel the heat from international, balance-of-power shifting cyberevents, ones that threaten the entire U.S. It should be at least as much heat as felt by a 25-year-old, first-year associate at a law firm who missends an email with privileged information or a 20-year-old corporal whose 18-year-old soldier misplaces his rifle. The Royal Navy’s 1757 execution of Adm. John Byng for poor performance during the Seven Years’ War “to encourage the others” is, to say the least, a bit brutal for current manners and mores, but the British admiralty’s firmness sets a tone. Fire someone already.

Additionally, Russian and Chinese penetration of U.S. government information systems may be so deep and persistent at this point that America simply needs to begin from scratch and just try to protect secrets going forward. Not only the government but also the companies that very expensively provide its software may be so riddled with foreign intelligence sources that we just need to start over.

Ignoring the badly broken federal acquisitions system, outfits such as the military’s Defense Innovation Unit and the intelligence community’s In-Q-Tel could ask newer U.S. companies with security-vetted American employees to build a more secure national security information systems architecture, beginning with the most sensitive networks and working their way down.

None of this is to dunk on the good men and women of the National Security Agency, FBI, CISA, and elsewhere who did yeoman’s work in substantially keeping Russia’s FSB and GRU from again coming in the front door and interfering with our 2018 and 2020 elections, as Moscow did online in 2016. But meanwhile, their SVR colleagues were apparently coming in like cat burglars through an upper-story back window.

After President Trump foolishly gave classified intelligence information to the Russian foreign minister in the Oval Office in May 2017 while proclaiming that the “great pressure” he faced “because of Russia” was “taken off” by his firing then-FBI Director James Comey, the intelligence community was understandably reluctant to brief a possibly compromised president on Russian threats. Trump’s unwillingness to listen even in private to any criticism of Moscow’s spies, much less his inability to either confront Vladimir Putin face to face or publicly criticize his regime for murderous misconduct, made it difficult for career government officials to address sensitive issues such as this with their commander in chief.

As with our air and naval forces after Pearl Harbor and our intelligence and law enforcement agencies after Sept. 11, the entire federal cybersecurity system now clearly needs to be reconsidered from top to bottom. And this needs to be done with the help of cold-blooded outside scrutiny, including from results-oriented, commercially successful, private-sector experts.

Whatever our government and its usual corporate partners have been doing is clearly not working.

Kevin Carroll served as senior counselor to the secretary of homeland security (2017-18) and the chairman of the House Homeland Security Committee (2011-13), as well as a CIA and Army officer. He is a contributor to the Washington Examiner’s Beltway Confidential blog.
