On the Bush administration’s watch, China — and other nations — have succeeded in penetrating countless sensitive and “secure” U.S. facilities, ranging from Congress to military sites, intelligence programs to critical industrial centers, using largely untraceable cyber attacks. Beijing denies the allegations, but U.S. officials have revealed classified information identifying the sources of the attacks within China. Before September 11, 2001, the Bush administration demonstrated little regard for funding the nascent cybersecurity initiatives, and other counter-terrorism efforts, undertaken in the waning 18 months of the Clinton administration. Those efforts were designed to stem vulnerabilities in America’s critical information infrastructure: data services involving transportation, energy, government, finance communications, public safety, health and the military. The list of nightmare scenarios included phone systems crashing and financial records disappearing. “Our information infrastructure . . . increasingly is being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state adversaries,” Director of National Intelligence Michael McConnell reported to Congress in February 2008. Among the adversaries, McConnell said, were Russia and China. China alone has downloaded from the Pentagon 10 to 20 terabytes of information from “sensitive” computer networks, according to Major General William Lord of the Air Force's Office of Warfighting Integration. In 2007, there were more than 80,000 attacks against Department of Defense computer systems, which “reduced the U.S. military’s operational capabilities,” according to congressional testimony in March 2007 by U.S. Strategic Command Chief General James E. Cartwright. A Department of Homeland Security (DHS) spokesman did not respond to a request for comment, but Jerry Dixon, director of the DHS’s National Cyber Security Division, told Congress in April 2007 that “while significant progress has been made to enhance the network security of federal departments and agencies, more can and will be done.” The department, he continued, will “work towards achieving greater overall cyber security with our federal, state, local, tribal, international, and private sector partners.”

Follow-up:
President Bush signed two “presidential directives” in January 2008 creating the Comprehensive National Cybersecurity Initiative (CNCI), an aggressive plan to fund and fight cyber attacks against the nation’s critical infrastructure. But even those who had long cried out for more attention to cybersecurity issues were critical of its secrecy and direction. Two Senate committees (Armed Services and Intelligence) viewed the proposed budget — reportedly around $17 billion — as misdirected, and the House Permanent Select Committee on Intelligence — noting that the CNCI is “the single largest . . . and most important initiative” in the FY 2009 budget — complained that the proposal was excessively classified and ordered that no more than 25 percent of the proposed funding be authorized until every member of the committee was fully briefed on the CNCI’s proposed covert actions. Briefings of committee members will not occur until sometime in 2009.

Photo credit: Department of Homeland Security

The numbers and details are staggering: Over the course of four fiscal years, at least 5,000 pieces of property, including computers, all-terrain vehicles, and digital cameras worth about $15.8 million, were lost or stolen from the Indian Health Service (IHS), a division of the Department of Health and Human Services (HHS). Following a whistleblower’s tip in June 2007, Government Accountability Office (GAO) investigators began looking into the IHS, which is meant to provide personal and public health services to American Indians. They found a division plagued by a “weak internal control environment,” which demanded little accountability for property and held little regard for protecting personal data. Some of the electronics that went missing were used to store personal information. For instance, a computer containing a database of uranium miners’ names, along with their Social Security numbers and medical histories, was carried out of an IHS hospital in New Mexico. Though IHS attempted to contact the miners, the agency didn’t issue a press release. And throughout the course of the investigation, “IHS made a concerted effort to obstruct our work,” GAO investigators reported, including lying to investigators claiming that IHS had recovered about 800 of the items reported missing. In addition to the waste of taxpayer money, the loss and theft of property denied the recipients access to critical items, like Jaws of Life equipment that can save lives after automobile and other accidents, Jacqueline L. Pata, the executive director of the National Congress of American Indians, told The Washington Post. An IHS spokesman refused to comment beyond reactions the agency provided to the GAO, which are documented in the report.

Follow-up:
The GAO released its report documenting rampant IHS mismanagement in July 2008. The GAO made 10 recommendations to IHS, including investigating “circumstances surrounding missing or stolen property, instead of writing off losses without holding anyone accountable.” HHS disagreed with the recommendation to track all sensitive equipment that went missing, even if it falls under a certain value threshold or contained sensitive information.

A series of audits by the Department of Justice (DOJ) has documented stunningly lax security for laptop computers owned by federal law enforcement agencies. A 2007 report by DOJ’s Inspector General pegged the number of laptops lost, missing, or stolen from the Federal Bureau of Investigation (FBI) at 160 over 44 months. In many cases, the FBI “could not determine whether the lost or stolen laptop computers contained sensitive or classified information.” A 2008 DOJ audit of the Drug Enforcement Administration found 231 laptops went missing over 66 months. Another audit that year of the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) found 418 laptops gone over 59 months. The reports are strewn with examples of missing or stolen computers that went completely or partly undocumented, making it difficult to determine if the laptops held secure information. And in many instances, the missing laptops had not had encryption technology installed that would keep someone from accessing sensitive information — on criminal targets or government informants. According to a 2008 Government Accountability Office (GAO) report, about 70 percent of laptops and handheld devices across the major government agencies lack recommended encryption software. Ultimately, these missing, unencrypted laptops increase the risk that national security might be compromised or that Americans might have their identities stolen.

Follow-up:
The GAO reported in June that agencies are working on installing appropriate encryption software, though “none had documented comprehensive plans.” As a result, said the report, “federal information may remain at increased risk of unauthorized disclosure, loss, and modification.”

Photo credit: Federal Bureau of Investigation