Two years ago, I attended the Aspen Security Group discussions on cybersecurity, where government officials made it clear that ".mil is secure, .gov is getting better, and .com is the problem." That is, the military had its cybersecurity act together, and even the lagging federal government was ahead of the poor security at American companies.
The past few months have shown the hubris of such strutting.
The National Security Agency and the co-located U.S. Cyber Command have become somehow excellent at the most complex defensive operations, but strangely bad at some of the easiest. The disastrous security leaks of Private Chelsea Manning and Edward Snowden could and should have been prevented using commercial best practices. Manning downloaded 700,000 classified files to writable CDs, and two years later Snowden was allowed to repeat a similar trick.
According to a report released by NBC News Investigations, Snowden "didn't need to use any sophisticated devices or software [just] a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system to rummage at will through the NSA's servers and take 20,000 documents without leaving a trace." Worse, Snowden could have posed "as any other user," including the head of both NSA and Cyber Command.
With billions of cybersecurity dollars being directed to the military and NSA, these were entirely preventable debacles.
Apologists for the National Security Agency, renowned for having the best security of all, often respond by saying both men operated in the grey zone inside the department's sophisticated defense. Snowden, after all, was a privileged system administrator. As one of my colleagues put it, "a human with God-like access to sensitive systems and no access restrictions can cause you a whole lot of pain."
But this isn't news: the Government Accountability Office warned the Department of Defense in 1996 that "knowledgeable insiders with malicious intentions could pose a more serious threat than outsiders," and found in 1999 that the Pentagon had made little progress in addressing this and other threats. A Defense Science Board report from 2000 noted that system administrators like Snowden are the "ultimate insiders" who hold the "Keys to the Kingdom" through their privileged access.
General Keith Alexander, the director of NSA and also commander of the warfighting U.S. Cyber Command, has belatedly instituted new controls, including locking server rooms, limiting who can download classified data onto removable drives and requiring system administrators to operate in pairs when handling such data.
If the DoD has known that sysadmins had dangerous access, why did it take 17 years to lock the doors to the server rooms? Why was NSA using systems with "antiquated" security that weren't being monitored? The time for such simple measures was 1996 or after the first teachable moment of the Manning incident in 2009, not 2013 and after Snowden.
When I worked in the finance sector, even as a member of the information security team – one of the watchers – I could not download files to any removable media without approval. Twice our email monitoring processes noticed me sending files outside the firm and I had to explain why this was innocuous to the head of regional information security. Webmail, which cannot easily be monitored, was blocked. Doors to server rooms were locked (or even had a more secure air-lock style door).
In the military, cyber defense has been consistently underappreciated as military and intelligence leaders have become ever more enamored of the possibilities of cyberspace for U.S. attacks and espionage. The basic blocking-and-tackling measures such as patching vulnerabilities – and locking server room doors – are overlooked in favor of sexy talk of deterrence, attacking back and covert actions. This "cult of the offense" and "collecting it all" have been particularly strong in the eight years since Alexander took over as the director of the NSA.
In the private sector, when a chief executive is internationally embarrassed (as President Obama has been repeatedly) the best practice is to fire the official who overpromised and underdelivered. Unfortunately, it will likely be some time before the DoD follows that practice. In the meantime, keep in mind that U.S. national security has been hurt less by infrastructure attacks and digital Pearl Harbors than by thefts from agencies defended by Alexander. Why is the "private sector" still considered the problem?

Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council and the editor of the first military history of cyberspace, "A Fierce Domain: Cyber Conflict, 1986 to 2012." Follow him on Twitter, @Jason_Healey.