The other day, I got an email from the Office of Personnel Management (OPM) letting me know that my SF-86, the form I filled out in order to obtain a security clearance, had been stolen. While OPM never came out and said it, the general conclusion is that this was performed electronically by hackers in league with or directly employed by the Chinese government.
Let me tell you what’s typically on an SF-86: Everywhere I’ve lived, everyone I know, everything I’ve done, for the last decade. This includes criminal history (I have none), detailed medical information, Personally Identifiable Information (PII) about friends and family, where I’ve traveled, my foreign contacts, my business interests and financial information. It’s incredibly comprehensive.
And now in the hands of folks I don’t know, who have no allegiance to me, who may well be committed to my undoing.
I have read solemn speech after solemn speech from OPM’s leadership, from officials at USCYBERCOM, from all the far-flung corners of our government’s highest “cyber” echelons, those charged with the defense of our most sensitive information. I have processed this through the lens of a career spent in “Information Technology” (a bullshit term coined to make the field sound more expansive and less technical. It’s not “Information Technology,” it’s computers) and have arrived at the following conclusion: These people have absolutely no idea what they’re doing.
Aaron Swartz famously said, “It’s no longer okay to not understand how the Internet works anymore.” We would do well to remember that.
When I led the Reserve at Station New York, I wasn’t required to certify in our core skills of Search-and-Rescue and Law Enforcement. I was an officer, I was there to lead. But I made damn well sure that I certified both as a boat crewman and a boarding team member. I made damn sure I kept up on first aid and CPR, made damn sure that I could drive the boat, launch it and moor it up, troubleshoot engine casualties and electronics problems, knew the rules of navigation and about a thousand other skills necessary to do the job. I did this, not because it was required by my position, but because I knew that I could not effectively lead my unit without knowing what the hell they did. I couldn’t possibly be an effective manager and advocate for a tightly knit team of 50 cops, warfighters, EMTs and sailors without intimately understanding the gear they used, the tasks they performed, the sundries they burned through, the conditions under which they worked. I did this instinctively and intuitively, because that’s what leaders do. We’re trained to do it from the moment our boots hit the deck at the academy.
Back in 2012, a new “Cybersecurity Coordinator” was appointed to oversee our national efforts to stem the hemorrhaging of sensitive information to adversaries foreign and domestic. Things like the disclosure of my SF-86. The guy was universally lampooned by those of us in the know, actually bragging about his lack of technical expertise. He was chosen for his expertise in “public policy,” a discrepancy so glaring that it would shock me if I hadn’t seen it a million times before.
I have worked in government my entire professional life, long enough to know some things about how you advance in it. Promotability and credibility in the government largely accrue based on the size of the budgets you manage and the corresponding manpower that comes under your leadership. And where are large budgets to be found? They are thrown at the topics of the greatest national concern. Government employees get selected for promotion by seniority. Time-in-grade. The government is a system of Mandarins. Time devoted to the institution is a far greater guarantor of upward mobility than a relevant skill set. And the reward for loyalty is administration of organizations with bigger and bigger budgets.
This is how, during the post-9/11 hysteria, you got hojillions of “Islamic Terrorism” executives who didn’t speak a word of Arabic. Who had never read the Qur’an. Who couldn’t find Mecca on a map. It’s how you got the FBI’s Counterterrorism chief saying he saw no need for Mideast or terrorism expertise among his agents. We had an entire generation of “Counterterrorism Experts,” who knew nothing about Islamic extremism. Because they’d done their time, they were next in line to manage a big budget, and CT was where the money was.
And now, once again, we have a critical issue and are throwing the wrong people at the problem. Now, we have a generation of “Cyber Experts,” who know nothing about computers.
Because cyber is computers. It is nothing else. It is not policy. It is not management. It is not law enforcement. It is not intelligence. It is not warfighting. It is not public administration. It is not disaster management. It is not any of a legion of softer skills that are much much much easier to acquire than real, no-bullshit computer engineering ability.
Because learning Cisco IOS, or to write C++, or to troubleshoot Microsoft PKI problems, or to statefully decrypt SSL traffic so you can see what data you’re letting out the door, or to set up really effective hardware-based RAID, or any of a legion of skills necessary to actually know what you’re talking about well enough to meaningfully direct the cybersecurity efforts of a nation, is as hard as learning a foreign language.
Our new man on point is famously quoted as saying, “Being too down in the weeds at the technical level could actually be a little bit of a distraction,” because the skills you need to get down in the weeds are way way way too hard to be acquired after you’ve spent a lifetime training to be a public policy leader, and are also absolutely and utterly critical to fending off an enemy in cyberspace. A background in public policy will not stop Chinese hackers from running off with my SF-86. Only a properly configured, monitored and maintained firewall, IPS, IDS, DLP and proxy infrastructure can do that. And if you don’t know what those things are, you can’t properly advocate for them.
The government system of rewarding seniority over expertise has set us back in a number of arenas, but we have never been in a position to test for competency before. Computer skills are *hard* skills, and basic right/wrong, pass/fail examinations can be quickly and easily developed. There are many specific and clear proprietary certifications accepted by industry as a minimum standard of competence and technical knowledge for any prospective leader.
Any prospective “cyber” leader, at any level of government, needs to be subject, first and foremost, to a *technical* interview that makes sure they show at least enough of a baseline understanding of the underlying technology not to be afraid of the kind of “down in the weeds” discussion that will actually prevent data theft.
Cyber is computers. Until leadership understands that, you can expect more breaches like the one that compromised my SF-86.