Gongol.com Archives: August 2022

Brian Gongol

August 17, 2022

Computers and the Internet No excuses for lax security

In 2015, China hacked the Office of Personnel Management to capture a massive archive of personnel data on employees of the Federal government. Also in 2015, well before the mass-scale ground invasion, Russia used cyberwarfare against the Ukrainian power grid, a tactic Russia repeated in April. And for at least a year, North Korea has been using ransomware to extort money from operations in the health-care sector. ■ Espionage is nothing new. Nor is unconventional warfare. But the scale at which it can be conducted, the depth of the damage that can be done to ordinary life, and the asymmetric leverage that can be obtained by using cyberwarfare for malicious aims are all much greater than anything for which we have good historical analogies. ■ The time has long since come and gone for a sea change in American public attitudes towards information security. The need to straighten up and bring a responsible custodial mindset to how we treat and secure information can scarcely be overstated. ■ When a Secretary of State dismissed questions about "wiping" her home-based email server by asking, "What? Like with a cloth or something?", her response was not only cavalier, it was reckless. Defensively laughing off the question may have seemed like a cagey political response, but by 2015, it was already evident that cyberwarfare was a real threat that no high-level government official could dismiss or remain ignorant about. ■ Likewise, when a former President took classified documents to his private property -- including items labeled "Top Secret", regardless of any prerogative he may or may not have used to de-classify any of the contents at any time during his time in office -- he undertook known and easily-avoidable risks with the contents. Trespassers already presented a known security threat to the property, and there's no doubt foreign intelligence services already had an interest in the site. ■ Disregard for information security has to become a permanent, non-partisan disqualifier from public office. Regardless as to where the information is being held -- on paper, on an email server, on a flash drive, or just in a person's head -- the need to insist upon good security hygiene is both apolitical and more important than ever. ■ It sets back the national interest when anyone in 2022 falls back on "But her emails" either in earnest or in jest. The FBI's assessment at the time was that it found people being "extremely careless in their handling of very sensitive, highly classified information". In failing to take that assessment seriously and reducing it to a meme instead of escalating it to a call to action, the country chose a path of ill preparation for new incidents of security sloppiness. ■ No matter what stripe one's politics, there is no longer any room for dismissing, disregarding, or downplaying the contemporary rules of security. Everyone has a role to play now, far more than at any time in the past, and the tone in every Cabinet department, Congressional office, and independent agency is going to be set by the attitudes coming from the top. Ignorance of information security is a luxury we cannot afford. Anyone who cannot commit wholeheartedly and unreservedly to learning the new rules and living up to the standards required of them has no business coming near the data that adversaries might want.

@briangongol on Twitter