The Obama administration has found itself surrounded by critics for not doing enough to keep the federal government’s data secure, despite taking executive actions to shore up the nation’s electronic trove.
Calls from Capitol Hill for Obama to do more about the problem and make heads roll grew louder when the administration acknowledged that the Office of Personnel Management was actually hit twice by hackers since December, and not just once as previously revealed.
Rep. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, said last week that OPM Director Katherine Archuleta “failed utterly and totally” to ensure that the sensitive information of as many as 14 million current and former federal employees was secure.
And California’s Adam Schiff, the House Intelligence Committee’s top Democrat, suggested that the Obama administration should have responded more quickly to earlier OPM attacks.
“They knew that this was a valuable source of information to others…the OPM has been hacked in the past,” he said. “The question is why didn’t they move more quickly to implement the security procedures?”
“It’s much easier to be on offense than defense,” Schiff added. “[A]ny open door, any vulnerability can be exploited…but in any of these systems, you’re only as secure as your least vulnerable point of entry.”
The administration appeared to have been caught flat-footed when the OPM Inspector General told Chaffetz’s committee that his office had issued multiple reports since 2007 saying the agency’s computer systems were not meeting federal standards for cybersecurity.
Regardless of whether Archuleta hangs on or is forced out, the next question is what the Obama administration does about the problem.
Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security, who testified before Congress last week, said that the Obama administration has been fairly proactive on cybersecurity, and now has some tools it can use.
“The administration has been pretty forward-leaning on cybersecurity issues,” Cilluffo said, pointing to an April executive order Obama signed allowing new sanctions for cybercrimes and new Defense Department and Coast Guard cybersecurity strategies.
“Will they follow through on these policies? This is pretty much the litmus test,” he added.
Since making the December OPM intrusion public, the administration has said it is willing to deploy its new tools once the investigation is completed and the perpetrators are identified.
“The president did sign an executive order earlier this year authorizing the secretary of treasury to make some decisions about designating for sanctions individuals who may be responsible for specific cyber intrusions or just merely benefit from those cyber intrusions,” White House spokesman Josh Earnest said recently.
“[I]t is not in our interest to telegraph in advance any decisions that we may be making related to sanctions, primarily because it gives those who may be targeted the opportunity to move around their assets to try to escape these sanctions,” Earnest said. But “this newly available option is one that is on the table.”
In a speech before the Aspen Institute last week, White House Homeland Security Advisor Lisa Monaco said the administration is weighing more than economic sanctions, which it imposed against North Korea after it hacked Sony Pictures Entertainment in November.
She said the administration could again pursue indictments, as it did last year against five members of the Chinese military. It could also take unseen diplomatic and intelligence actions, she said.
“These are a suite of tools that we want to make sure we have in our tool box for every eventuality,” she said.
Many lawmakers are eager to see the administration bring the hammer down on someone, especially China, sooner rather than later. But the administration is taking a cautious approach, steadfastly refusing to even officially say that it believes China is behind the OPM hacks.
Without naming China, Schiff said that the U.S. has to let adversaries know that there will be a steep price to pay for cybercrimes.
“We have to develop a deterrent capability…what could be considered an attack and what can be considered a proportional response, and on those policy questions, I think we have a lot of work to do,” Schiff said.
Pasi Eronen, a cyberexpert at the Foundation for Defense of Democracies, said the administration unquestionably has taken good steps to bolster cybersecurity, but he said being even more proactive is the key.
“One cannot expect to stay safe just by investing in more and better defenses, raising higher walls,” he said. “Someone will always figure a way to break through, climb over or dig under the defenses. Thus it would be important to change the attitude from being reactive to proactive, to begin shaping the events and the environment,” Eronen added.
Cilluffo agreed that offense is the key.
Calling the locksmith after the house has been broken into is too late, he said. Cilluffo said he would be watching to see if the White House would change the locks before he passes judgment on the administration’s cyber-record.
“I think that they have said this is a significant threat and an important policy issue,” he said. “Now is the time to follow through — more verb and less nouns.”
Susan Crabtree contributed to this report.