Why Chinese Intelligence has my records

June 30, 2015

The other day, I got an email from the Office of Personnel Management (OPM) letting me know that my SF-86, the form I filled out in order to obtain a security clearance, had been stolen. While OPM never came out and said it, the general conclusion is that this was performed electronically by hackers in league with or directly employed by the Chinese government.

Let me tell you what’s typically on an SF-86: Everywhere I’ve lived, everyone I know, everything I’ve done, for the last decade. This includes criminal history (I have none), detailed medical information, Personally Identifiable Information (PII) about friends and family, where I’ve traveled, my foreign contacts, my business interests and financial information. It’s incredibly comprehensive.

And now in the hands of folks I don’t know, who have no allegiance to me, who may well be committed to my undoing.

I have read solemn speech after solemn speech from OPM’s leadership, from officials at USCYBERCOM, from all the far-flung corners of our government’s highest “cyber” echelons, those charged with the defense of our most sensitive information. I have processed this through the lens of a career spent in “Information Technology” (a bullshit term coined to make the field sound more expansive and less technical. It’s not “Information Technology,” it’s computers) and have arrived at the following conclusion: These people have absolutely no idea what they’re doing.

Aaron Swartz famously said, “It’s no longer okay to not understand how the Internet works anymore.” We would do well to remember that.

When I led the Reserve at Station New York, I wasn’t required to certify in our core skills of Search-and-Rescue and Law Enforcement. I was an officer, I was there to lead. But I made damn well sure that I certified both as a boat crewman and a boarding team member. I made damn sure I kept up on first aid and CPR, made damn sure that I could drive the boat, launch it and moor it up, troubleshoot engine casualties and electronics problems, knew the rules of navigation and about a thousand other skills necessary to do the job. I did this, not because it was required by my position, but because I knew that I could not effectively lead my unit without knowing what the hell they did. I couldn’t possibly be an effective manager and advocate for a tightly knit team of 50 cops, warfighters, EMTs and sailors without intimately understanding the gear they used, the tasks they performed, the sundries they burned through, the conditions under which they worked. I did this instinctively and intuitively, because that’s what leaders do. We’re trained to do it from the moment our boots hit the deck at the academy.

Back in 2012, a new “Cybersecurity Coordinator” was appointed to oversee our national efforts to stem the hemorrhaging of sensitive information to adversaries foreign and domestic. Things like the disclosure of my SF-86. The guy was universally lampooned by those of us in the know, actually bragging about his lack of technical expertise. He was chosen for his expertise in “public policy,” a discrepancy so glaring that it would shock me if I hadn’t seen it a million times before.

I have worked in government my entire professional life, long enough to know some things about how you advance in it. Promotability and credibility in the government largely accrue based on the size of the budgets you manage and the corresponding manpower that comes under your leadership. And where are large budgets to be found? They are thrown at the topics of the greatest national concern. Government employees get selected for promotion by seniority. Time-in-grade. The government is a system of Mandarins. Time devoted to the institution is a far greater guarantor of upward mobility than a relevant skill set. And the reward for loyalty is administration of organizations with bigger and bigger budgets.

This is how during the post-9/11 hysteria, you got hojillions of “Islamic Terrorism” executives who didn’t speak a word of Arabic. Who had never read the Qur’an. Who couldn’t find Mecca on a map. It’s how you got the FBI’s Counterterrorism chief saying he saw no need for Mideast or terrorism expertise among his agents. We had an entire generation of “Counterterrorism Experts,” who knew nothing about Islamic extremism. Because they’d done their time, they were next in line to manage a big budget, and CT was where the money was.

And now, once again, we have a critical issue and are throwing the wrong people at the problem. Now, we have a generation of “Cyber Experts,” who know nothing about computers.

Because cyber is computers. It is nothing else. It is not policy. It is not management. It is not law enforcement. It is not intelligence. It is not warfighting. It is not public administration. It is not disaster management. It is not any of a legion of softer skills that are much much much easier to acquire than real, no-bullshit computer engineering ability.

Because learning Cisco IOS, or to write C++, or to troubleshoot Microsoft PKI problems, or to statefully decrypt SSL traffic so you can see what data you’re letting out the door, or to set up really effective hardware-based RAID, or any of a legion of skills necessary to actually know what you’re talking about well enough to meaningfully direct the cybersecurity efforts of a nation, are as hard to acquire as a foreign language.

Our new man on point is famously quoted as saying, “Being too down in the weeds at the technical level could actually be a little bit of a distraction,” because the skills you need to get down in the weeds are way way way too hard to be acquired after you’ve spent a lifetime training to be a public policy leader, and are also absolutely and utterly critical to fending off an enemy in cyberspace. A background in public policy will not stop Chinese hackers from running off with my SF-86. Only a properly configured, monitored and maintained firewall, IPS, IDS, DLP and proxy infrastructure can do that. And if you don’t know what those things are, you can’t properly advocate for them.

The government system of rewarding seniority over expertise has set us back in a number of arenas, but we have never been in a position to test for competency before. Computer skills are *hard* skills, and basic right/wrong, pass/fail examinations can be quickly and easily developed. There are many specific and clear proprietary certifications accepted by industry as a minimum standard of competence and technical knowledge for any prospective leader.

Any prospective “cyber” leader, at any level of government, needs to be subject, first and foremost, to a *technical* interview that makes sure they show at least enough of a baseline understanding of the underlying technology not to be afraid of the kind of “down in the weeds” discussion that will actually prevent data theft.

Cyber is computers. Until leadership understands that, you can expect more breaches like the one that compromised my SF-86. 

Author Myke Cole

Myke Cole is an American writer of history and fantasy who leverages a lifetime in military, law enforcement and intelligence service to take you to battlefields, real and imagined.


Join the discussion 4 Comments

  • Dan Adler says:

    Speaking as an IT professional (for the last 15 years), HELL YES. It’s all about computers. I left my previous job (in telecommunications, which was part of an IT unit) because they hired a new manager who had an MBA and ZERO experience in Information Technology. I quit rather than watch things fall to pieces (which I’m hearing has/is happening)

    My current job (still in IT) is at a state college. Thus, a government job. I bet you can guess where I’m going here: My boss, and HIS (now former) boss don’t have backgrounds or educations in computer tech. Actually, neither of ’em has a college degree (which, actually, applies to several other high-ranking folks in this department). How’d they get the jobs? Seniority (yep, you nailed that).

    Thankfully, our higher-ups KNOW they don’t necessarily know the answers, and hire folks under them who do. And are willing to listen to input.

    It’s a pity the federal government doesn’t work that way. You (the general, military you of which you’re a part) protects us….. who protects you?

    • Day Al-Mohamed says:

      I actually get what you’re talking about.
      I might argue an exception to your recommendation. I once had a great boss who was a “policy person.” She listened to input and ideas and recommendations but she said her main job was to keep the bureaucratic *coughs delicately* from filtering down from the higher ups and to keep the staff (who were all skilled and knowledgeable) free to focus and get the job done.

  • Everything we do is about computers any more, whether as a writer, or an editor, a soldier, or as a Public Affairs Officer. Albeit I know what I know about computer security by being married to a security engineer and computer forensics expert, I learned it because I realized its importance. During my time in the government, I saw time and time again how they focused on the wrong “security” things as opposed to items like you described above that actually protect sensitive data. You outed them heartily enough above, I won’t put salt in the wounds with the examples I witnessed. Needless to say they are egregious. Even in the civilian sector there is a case of the MBA Boss with ZERO skills, which I actually can imagine — it’s business. But in the government they tout not asking your team to do anything you wouldn’t be willing to do. My first NCO in the Army, always used to say that good leaders always leave because of the time-in-service thing. I left. You left. He left.
    I got the same email from OPM. You’re not alone. Granted that doesn’t make it any less aggravating and disappointing.

  • Antonio says:

    Maybe it wasn’t the Chinese. Maybe Jared Kushner got tired of doing his SF-86 over and over and he took yours so he could figure out how to fill out the form correctly.
