Along with millions of other former and current federal employees, I'm fairly certain criminal hackers now have my personal information. Until earlier this year I was an assistant secretary at the Department of Homeland Security, and the government stored many of my personal and professional details – Social Security Number, addresses, employment history, security clearance information – and facts about my family, too.
The scope of the Office of Personnel Management breach is now reported to involve as many as 14 million people. On its own, that's a devastating network compromise with vast implications. But taken together with other major breaches at the federal level, it represents a total security fail.
There's not much we can do now to take back what's been stolen, but the government can make a few easy-to-implement changes that'll vastly improve network security – and help prevent the next hack.
First, scrap the government acquisition system for cybersecurity. Simply put, the speed of innovation in cybersecurity has made the current multiyear government systems acquisition process irrelevant. Likewise, government acquisition risk-management models, which highly favor mature technologies, are rendering acquired technology obsolete as soon as it is fielded. As David Cowan of Bessemer Venture Partners recently said, “There is no such thing as a mature cybersecurity technology.”
The government must be free to jump to where the best companies are going, scrapping massive integrated systems in favor of a nimble architecture for information technology and cybersecurity. In that architecture, cybersecurity features are purchased as a service and incorporated as an application program interface, but only for so long as the technology actually meets the threat.
Second, the government needs to get venture capitalists into the game. Every industry, including the technology industry and its major cybersecurity players, is outsourcing research and development in whole or in part to startups. This means that venture capitalists serve as a screening mechanism for bringing new technologies and innovations to the market, or to incorporation as features into larger products. Venture capital firms and even In-Q-Tel – essentially, the intelligence community’s investment arm – share the risk involved with developing new technologies.
Working with these communities should be job No. 1 of the proposed Defense Department and Homeland Security offices in Silicon Valley so that government can leverage what venture capitalists and start-ups are already doing for industry.
Finally, Congress needs to continue to give strong authorities to DHS and the Office of Management and Budget to truly enforce basic cybersecurity standards for the federal government.
Last year’s reforms to the Federal Information Security Management Act were a good start, but adoption of new technology, meeting minimum standards for cybersecurity, and making networks available for intrusion prevention, detection, and investigation activities cannot be optional on the part of each federal department and agency. Too much time is being wasted as federal departments and agencies argue over who gets what access to what networks, and how quickly new technology has to be deployed. DHS’s first cybersecurity directive to close critical network vulnerabilities, issued to all federal agencies in May, is a good first start, but this needs to be the first of a much more aggressive series of directives aimed at closing critical cybersecurity gaps.
For the sake of my personal information and that of all of my former colleagues, let’s stop waiting around for the next breach and act now.
Alan Cohn is of counsel in the national and homeland security practice at Steptoe & Johnson LLP and a consultant on security, technology, innovation and government. He was formerly the Assistant Secretary for Strategy, Planning, Analysis & Risk at the Department of Homeland Security.