Would a centralized cyber command have prevented the Office of Personnel Management breach, which exposed the personal information of more than 20 million individuals? Republican presidential hopeful Carly Fiorina suggests it could have.
Fiorina, the former CEO of Hewlett Packard, proposes standing up a centralized cyber command that would be responsible for all aspects of government IT security response, according the conservative news and opinion website Breitbart News Network.
"Part of standing up the command, is understanding who dropped the ball and why. And there needs to be consequences for that."
The U.S. Cyber Command, a subordinate to the U.S. Strategic Command, already oversees the cyber defense of the military; it's commanded by Navy Adm. Mike Rogers, who's also director the National Security Agency. But Fiorina seems to be suggesting formation of another organization with broader responsibilities. A news report from another conservative website, The Blaze, cites Fiorina as saying the cyber command would be headed by an appointed director under the authority of the Defense Department or NSA. A spokeswoman from the Fiorina campaign did not reply to a request for clarification.
Designating control of government IT security to the military - the NSA is part of the Defense Department - could upset many in Congress from both major political parties who want federal cybersecurity to remain under civilian authority, meaning the Department of Homeland Security. Final wording of legislation before Congress to incentivize businesses to share cyberthreat information with the government is bogged down, in part, over the roles of DHS and the NSA in managing and/or sharing cyberthreat information Seeking Compromise on Info-Sharing Bill).
In the interview with Breibart, Fiorina asserts that the OPM breach would never have occurred if she were president. "They got there because there were gaping vulnerabilities in that system which were known and which were identified, [but] they were never closed," Fiorina said. "Part of standing up the command, is understanding who dropped the ball and why. And there needs to be consequences for that. But the most important role of that cyber command is obviously to take hold of our cybersecurity strategy."
Fiorina is right about gaping vulnerabilities, and a myriad of security gaps were highlighted in OPM inspector general audits and in the OIG's annual Federal Information Security and Management Act assessment.
Though Fiorina has been critical of the Obama administration's approach to government IT security, the White House has conducted a number of initiatives aimed at strengthening federal cybersecurity, including having the Department of Homeland Security help other agencies secure their information assets and continuously monitor government systems for vulnerabilities. Still no one expects breaches to stop anytime soon, even with additional steps Congress, the administration or future presidents will take to strengthen cybersecurity.
Fiorina, as part of her strategy, said she would retaliate against the Chinese, who are blamed for the OPM attack. The Chinese government has said it has arrested nongovernment, nonmilitary hackers for the OPM attack, although many Western experts believe the government or Chinese Liberation Army instigated the attack (see China: Chinese Criminals Hacked OPM).
Fiorina in the interview did not say how the U.S. should retaliate.
But retaliating for the OPM attack seems counterintuitive, considering the U.S. government conducts similar e-spying operations against its foreign adversaries. In fact, James Clapper, the director of national intelligence, admired China's ability to crack a major government IT system. "Don't take this the wrong way," Clapper said at an event in June (see OPM Breach: China Is 'Leading Suspect'). "You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute."
Retaliating against the Chinese, Russians and other nation-states for stealing intellectual property, however, is appropriate. But how the U.S. retaliates is critical. "Policymakers must be keenly aware of the costs associated with each response, as they will have an impact on a country's diplomatic relations, reputation, and military and intelligence operations," says Adam Segal, director of the Council on Foreign Relation's digital and cyberspace policy program (see Retaliating for State-Backed Hacks).
Fiorina, unlike most of this year's crop of presidential candidates, has at least taken the step of outlining an approach to cybersecurity, something more candidates must do. Though she has laid out more details than her rivals about her approach to cybersecurity, her solutions remain vague and need to be fleshed out.