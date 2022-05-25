A quarter century may seem like a blip of time or a lifetime, itself. The year was 1997. A truly low-rent, animated series called “South Park” hit the air waves, air waves still having been an acceptable way to watch TV. Will Smith was, perhaps, beginning his 10,000 hours of fight training in “Men in Black.” In 1997, Princess Diana met her fate; the Jerky Boys were nearing the height of their prank calling shenanigans; and Orenthal James Simpson spilled his juice as a jury found him liable for the death of Ron Goldman, and for battery against Nicole Brown Simpson.
What else? Oh, in 1997 the U.S. Government Accountability Office for the first time added cybersecurity to its High Risk List.
In 1990, the GAO began a reporting tradition that remains active today since it created and now revises and submits the High Risk List to Congress. The list includes risks that tend to affect substantial resources. The goal, once something is known to be such a High Risk, is of course to correct the problems caused by it. Some risks on the current list include the government-wide personnel security clearances processes, the financial viability of the U.S. Postal System, and a new entry about small businesses’ emergency loans. Currently, the list is 37 items long, five of which share the fact that they’ve been there since its inception: enforcing tax laws, NASA acquisitions, and DOD issues are some of these stalwarts. Some occupants of the High Risk List do, in fact, wend their ways off the list, but that’s rare.
The U.S. Department of Defense, America’s largest agency, is represented five times on the list, and those are risks directly attributing to the millions of personnel and systems meant to defend this land. Many other risks, without expressly being described as posing a risk to DOD, also are prone to add to its challenges. Take the aforementioned, quarter-century occupant in its more formal designation as “Ensuring the Cybersecurity of the Nation.” Of course, cybersecurity risks might impact any of the government’s agencies, but there might be especially sensitive sentiments about its risks to our military endeavors, from the Space Force to the National Guard. Nearly 5,000 places on earth are home to the millions of DOD operatives. Quite a target on many levels.
Last week the GAO issued a report about DOD’s information technology systems that, surely, implicates the cybersecurity threat on its grander scale. Cybersecurity’s being part of the High Risk List also implicates its influences beyond DOD functions. Defense manages a mass of information that is, literally, indescribable. At least for those of us without the highest echelon of security clearance—recall … another High Risk area itself—we cannot describe all of DOD’s data due to a lack of access, not to imply that any one person living one lifespan can even contemplate knowing it all.
So much of DOD’s data, I’m presuming, can be classified as Confidential, Secret, or Top Secret. There are more categories than those. Some, again limited to my own presumptions, are above the levels of those more commonplace classifications. “Above” may not be the right word since, according to public knowledge, Top Secret is the highest clearance. Su-u-ure. No matter a personnel's clearance level, Top or another, some information might be classified as Sensitive Compartmented or as being part of a Special Access Program. There, only one question might be “How high is the potential consumer cleared?” Then, the question if that bar is passed, becomes, “Are they privy to that compartment, or that program?”
An equally incalculable amount of DOD’s information is less than confidential, and some is known as Controlled Unclassified Information. I home in on its first descriptor: controlled. In an academic sense, your privacy—healthcare information, financials, information that tends to personally identify you—invokes that same word: control. If you truly enjoy some level of privacy over your personal information, that equates to being the controller of it. You decide who else can access it. You control it for quality and have the means and ability to correct any errors. You determine who cannot gain access. That, my friends, is privacy. Privacy equals control.
When Defense categorizes information as CUI we, the people being defended after all, should find solace and comfort, and peace, in the agency with almost a trillion dollars pumped into it for nothing other than defense. For privacy, in today’s sense, defenses over its own controlled information. Now, gather some cushions up to place behind you if you’re standing up….
After 25 years of High Risk, after trillions of dollars of financial losses in the private sector, after millions of ruined lives post-cybersecurity incidents of identity theft, fraud, and crime, cybersecurity standards at DOD, and even limited to the control over CUI, are wanting. In fact, last week's GAO report summed up this risk explaining that across all CUI transmitted from thousands of sites amongst millions of personnel, “none of the components” of cybersecurity controls were in compliance.
Was CUI information properly categorized as such? No. Were systems properly authorized to operate in CUI on their networks? No. Were the baseline security requirements implemented? No. The trend followed.
I’m unclear about whether these results reflect on the level of sophistication of the hackers, the level of competence of DOD’s cybersecurity forces, or simply, and cynically, the fact that cybersecurity represents such an opaque, ill-defined, unknown phenomenon that it will only ever be an ideal. Such is “risk” itself: We’ll never live in a riskless world. Mitigation is as best we can strive for cures to so much risk. If the utter mass and force of the U.S. Department of Defense can’t get further than that … Woe to we small fries, watching decades fly by without solutions bearing security out.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
