Failures in Cybersecurity

On the Bush administration’s watch, China — and other nations — have succeeded in penetrating countless sensitive and “secure” U.S. facilities, ranging from Congress to military sites, intelligence programs to critical industrial centers, using largely untraceable cyber attacks. Beijing denies the allegations, but U.S. officials have revealed classified information identifying the sources of the attacks within China. Before September 11, 2001, the Bush administration demonstrated little regard for funding the nascent cybersecurity initiatives, and other counter-terrorism efforts, undertaken in the waning 18 months of the Clinton administration. Those efforts were designed to stem vulnerabilities in America’s critical information infrastructure: data services involving transportation, energy, government, finance communications, public safety, health and the military. The list of nightmare scenarios included phone systems crashing and financial records disappearing. “Our information infrastructure . . . increasingly is being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state adversaries,” Director of National Intelligence Michael McConnell reported to Congress in February 2008. Among the adversaries, McConnell said, were Russia and China. China alone has downloaded from the Pentagon 10 to 20 terabytes of information from “sensitive” computer networks, according to Major General William Lord of the Air Force's Office of Warfighting Integration. In 2007, there were more than 80,000 attacks against Department of Defense computer systems, which “reduced the U.S. military’s operational capabilities,” according to congressional testimony in March 2007 by U.S. Strategic Command Chief General James E. Cartwright. A Department of Homeland Security (DHS) spokesman did not respond to a request for comment, but Jerry Dixon, director of the DHS’s National Cyber Security Division, told Congress in April 2007 that “while significant progress has been made to enhance the network security of federal departments and agencies, more can and will be done.” The department, he continued, will “work towards achieving greater overall cyber security with our federal, state, local, tribal, international, and private sector partners.”

Follow-up:
President Bush signed two “presidential directives” in January 2008 creating the Comprehensive National Cybersecurity Initiative (CNCI), an aggressive plan to fund and fight cyber attacks against the nation’s critical infrastructure. But even those who had long cried out for more attention to cybersecurity issues were critical of its secrecy and direction. Two Senate committees (Armed Services and Intelligence) viewed the proposed budget — reportedly around $17 billion — as misdirected, and the House Permanent Select Committee on Intelligence — noting that the CNCI is “the single largest . . . and most important initiative” in the FY 2009 budget — complained that the proposal was excessively classified and ordered that no more than 25 percent of the proposed funding be authorized until every member of the committee was fully briefed on the CNCI’s proposed covert actions. Briefings of committee members will not occur until sometime in 2009.

Photo credit: Department of Homeland Security

Next Failure: Too Close to the Edge on Torture

Previous Failure: A Failure of Whistleblower Protection