Announcing “Sunshine Week: In Celebration of Open Government,” the administration’s effort to highlight progress in improving the administration openness, particularly regading the Freedom of Information Act (FOIA).
The announcement reads:
“In our democracy, FOIA, which encourages accountability through transparency, is the most prominent expression of a profound national commitment to ensuring an open government.”
It should be. Yet Americans requesting documents under FOIA are getting less information because of an executive order issued by the president on December 29, 2009. It allows the government to classify certain types of information related to national security after it has been requested. Presumably, since then anything-old or new-the government doesn’t want out there can be made non-FOIAble.
It seems that this Sunshine Week was for Chinese, Russian and Iranian hackers to celebrate the open windows to our national secrets.
The General Services Administration (GSA) warned U.S. government vendors earlier today that it has “recently identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA.”
SAM registration provides all vendors the ability to view all “identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information,” of everybody listed.
The GSA mobile notification advised “Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft.”
Today’s notice came on the heels of a week full of the administration’s statements admonishing China’s hacking.
National Security Adviser Tom Donilon, speaking at the Asia Society on March 11 in New York, gave a major speech telling China to stop hacking. He described the problem as ‘a key point of concern and discussion’ at ‘all levels of our governments’. He suggested that ‘Beijing should take serious steps to investigate and put a stop to these activities,’ and he urged the Chinese to recognize ‘the urgency and scope of this problem and the risk it poses – to international trade, to the reputation of Chinese industry and to our overall relations’.
He went on to clarify that the cyber attacks should not be used “to derail President Obama’s second-term effort to improve ties” with China.
Over the past few weeks, in addition to denying doing anything wrong, the Chinese have added accusations of U.S. hacking. According to them, two major Chinese military websites, including the Defense Ministry, were subject to more than 140,000 hacking attacks during one month last year, almost two-thirds of them from the United States.
Beijing’s response to Donilon on March 12, was an offer to talk about the cyber problem (in a worldwide sense). Chinese Foreign Minister Yang Jiechi called cyberspace ‘a community of common destiny,’ adding: ‘What cyberspace needs is not war, but rules and cooperation.’
While Donilon was talking, others focused on the results of the Defense Science Board’s (DSB’s) 18-month study on U.S. military cybersecurity, and Director of National Intelligence James Clapper’s Hill testimony on security threats.
The DSB reported on the dismal vulnerability of our military. It called the military a “magnet to US opponents” and, among many other things, noted that during war-game exercises, some “adversaries” were able to hack into U.S. military networks with ‘relative ease.’ The conclusion is that the cyberthreat to our military has not been met, and it hasn’t been challenged by the administration.
Clapper gave the Senate Select Committee on Intelligence aworldwide threat assessment, in which cyber led the list (2-3 pages worth). As with the Obama White House, his emphasis was on threats to U.S. public infrastructure. However, these he judged to be minimal in the next two years, first, because of the sophistication involved and, second, because those with the ability now-Russia and China (he forgot to mention Iran)-“are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.” Clapper also left the door open for some sort of diplomatic solution to cybersecurity:
“The growing use of cyber capabilities to achieve strategic goals is also outpacing the development of a shared understanding of norms of behavior, increasing the chances for miscalculations and misunderstandings that could lead to unintended escalation.”
With this, the administration has given yet another sign that it is not averse to some kind of international Internet control of the sort the Chinese have been advocating–inviting the cat to guard the butter jar.
The picture we draw here is intentional. We believe that the U.S. response to the Chinese cyberthreat-and all cyberthreats to our government and economy-is not what it should be. But the news turns out to be worse than that. We’ve known about the Chinese threat longer than we’re willing to admit, but seem determined to do nothing real about it.
Writing in the Washington Free Beacon, security expert Bill Gertz reports that two years ago President Obama rejected a series of tough actions against China. The options were presented to the president over a three-month period beginning in August 2011. The agent was the White House Interagency Policy Committee, a working group directly supporting the National Security Council. According to Gertz,
“The options that eventually were presented included using bilateral and multilateral diplomacy, conducting covert computer network attack operations, levying economic sanctions, and taking legal action against the Chinese government and military. The officials said the options developed by the committee covered the full spectrum of statecraft, including diplomatic, military, intelligence, and economic measures designed to pressure China into halting the cyber attacks.”
In response, the Obama administration, in late 2011, decided against approving a comprehensive strategy regarding Chinese cyberthreats. Officials have told Gertz that the administration prefers to limit its response to diplomacy and law enforcement efforts: “The officials said the strategy deliberately played down China’s role in the theft of trade secrets and ducked effective action to avoid upsetting relations with China.”
For example, the White House strategy says senior U.S. officials will raise trade-secret theft in meetings with foreign leaders while the State Department will track economic spying and “deliver appropriate messages to their foreign counterparts.”
If there is a red line that China may not cross cyber-wise, the U.S. is avoiding telling China what it is. As with terrorism, the U.S. government is treating cyber attacks as mainly a criminal matter best addressed through law enforcement. More serious attacks, it believes, should be dealt with by diplomacy.
Not surprisingly, the administration remained silent on the Mandiant report, and informed sources believe the government has kept secret most of its information on Chinese cyberespionage regarding our private sector, i.e., the stealing manufacturing and trade secrets.
In addition, we found out that the White House is sitting on an Office of Management and the Budget report that was due March 1 on the security of federal government computer networks. Sen. Tom Coburn of Oklahoma told a joint hearing of the homeland security and commerce committees that “There’s no reason for (the delay), other than (the report) shows significant criticism of the government’s performance in keeping federal computer networks secure.”
Meanwhile there are other related developments. The most dramatic was Reuter’s notice that the Obama administration is drawing up plans to give all U.S. spy agencies full access to a database that contains financial data on all American citizens and others who bank in the U.S. Never mind that the FBI already has access to this information. It is to be expected that once this becomes more widely known, the general public will protest the government’s hacking into U.S citizens’ bank accounts.
Secretary Janet Napolitano said last week that since its creation in 2009, her National Cybersecurity and Communications Integration Center “has responded to nearly half a million incident reports and released more than 26,000 ‘actionable cybersecurity alerts’ to state and local governments and private sector companies.” She added that the department had “prevented $10 billion in potential losses through cybercrime investigations and arrested more than 5,000” suspected cyber criminals.
The numbers are dramatic. Five-thousand legal actions? But why do we doubt such large numbers given the paucity of news about them? Of course, what we don’t know are the profiles to those who’ve been charged. Petty hackers? Crabby members of Anonymous? Major foreign governments? Surely not major foreign governments. James Clapper said they wouldn’t dare.
In the meantime, the U.S. cybersecurity picture remains dismal and our response to Chinese hacking all the more so. The Obama administration continues to obscure what it’s doing and not doing.
Ken deGraffenreid, former Reagan administration White House intelligence director commented about the long-term strategic challenge of Chinese cyber to the US:
“Unfortunately, historically, the U.S. has found it difficult to respond to long term strategic threats in a consistent way. The strategic policy immaturity and incompetence offered by the Obama administration makes this challenge even more problematic.
“[A serious response to China] would encompass an integrated strategic use of all of the tools of statecraft and begin with an honest, forthright presentation to the American people of the stakes involved in every aspect of our national life. The U.S. cannot prevail in this arena on the cheap; fiscally, intellectually, or politically.”
Further Reading:
1. FORBES: Obama Administration Needs To Stop Avoiding C-Word On Cybersecurity
2. GOVTECH.COM: Are Governments Ready to be Buyers of Cybersecurity Insurance?