Humans Are the Weakest Link in a Brittle System
Until very recently I would have said that Edward Snowden had created the single largest catastrophe in U.S. intelligence history (you can read on this blog and in my essays just how extensive this damage has been). Whatever you think of the other value of his disclosures, it is inarguable that they also imposed a steep cost — one that has enormously disrupted U.S. statecraft around the world (from alliances, to collection, to human sources, to counterterrorism, to fighting organized crime and human trafficking).
But now the trickle of news about the OPM breach is making me reconsider that idea. While it was appropriate for Katherine Archuleta to resign her post as the head of OPM, she really is not to blame for everything that went wrong. Instead, what the OPM breach means is that there are systemic weaknesses built into the U.S. government that are much more meaningful than a shallow understanding of “cyber” security — ranging from IT and acquisitions mismanagement to the fundamental weakness of having humans involved at all.
Think of it this way: Ross Ulbricht, the founder of the original black market darknet site Silk Road, did not get identified and arrested because he was hacked or because his encryption was broken. He got arrested because he became lazy about properly safeguarding his identity online, and the FBI was able to piece together enough hints about him to track him down. They exploited fundamental human weaknesses in the Silk Road’s security and managed to grab him.
This pattern is repeated again and again on supposedly unhackable systems like the TOR network: from child pornography to drug smuggling to murder-for-hire, it is humans that form the fundamental weakness in these systems, not the sophistication of their security regimes.
It is one reason I laugh when groups like the EFF or other cyberutopians advocate universal strong encryption for everyone as a protective measure (Snowden himself has said that encryption is the only reliable way to safeguard yourself). But this is silly talk: the supposed best minds, using the best encryption, are only as good as their last mistake. And when you cannot exactly control your surroundings, you are weak — whether you are a criminal running a darknet syndicate from your apartment, a leaker sitting in a hotel in Moscow, or a government agency. Social engineering is the best hack, as they say. And “they” are right.
See, the government forgot to control its surroundings when it comes to data. It allowed one of its contractors to subcontract the database administration to a firm that was physically located inside China and granted that firm root-level access to its database of personnel. It goes without saying that OPM, no matter the assumed failures of Ms. Archuleta, could not possibly control its surroundings — and thus cannot control its data — given such a set up. China (we assume) did not need sophisticated hacking tools to pull off the greatest data heist in history — one that now includes over a million fingerprints and probably other forms of biometric identification. No, China only had to find a weak point in the system and exploit it relentlessly.
Our system, like every system that exists, is fundamentally brittle. It has accumulated so many layers, so many rules and structures, that things will break and secrets will spill. This is a structural fault line in our basic capacity to secure things at all. I disagree with some who say this is a consequence of overclassification. This hack has nothing to do with the fact of secrecy, whether you consider it necessary or unnecessary (a moot discussion if nothing can be secured to begin with). Much how Snowden showed that a malicious insider could exploit the rules and escape to an enemy government with gigabytes of data, the OPM breach has shown that a clever actor can find a tiny opening in federal regulations about contracting, data storage, acquisitions, and set-asides — and exploit it just as surely as a dedicated insider threat.
If you add all of this up, it makes OPM a collective failure of our politics, not any one administrator, process, or even policy. Everything from small business set-asides, to privatization, to outsourcing, to the dramatic growth in demand for cleared workers, to decades-old human resources regulations, to generations-old verification processes, to plain old human laziness (who on earth would give a subcontractor, but especially one based in a foreign country, root access to your personnel database?) have added up to make a large set of personnel records vulnerable. The immediate vulnerability is being addressed, but in the meantime, we’re left with a thorny problem: how do you even begin to fix this?
OPM is not a “cyber” issue, as much as it is an institutional issue. Our institutions are struggling mightily to keep pace with change in the modern world. Even relatively new institutions like OPM, which is only thirty six years old, have to grapple with ancient computer systems, byzantine regulations, and complex business rules in a way they simply never imagined in the 1970s. Fixing that bigger, structural problem is going to be a lot harder, and require a lot more political and social will, than we currently have on hand.
So how do we fix it? I have no idea. Resilience is an easy buzz word to throw around, but it means very little that is specific and worth acting upon. But I hope, at least, that the people tasked with fixing this brittleness are looking at the causes of institutional weakness, and not just patching holes as they go. Because if they do that (when? When they do that?) all we should expect is more unpleasant news about a new breach later on down the road.