Six years after a story ran in Time magazine about Vladimir Putin taking the Russian intelligence service off the web, the United States government still appears to be completely impotent to defend its own interests online.
Putin’s actions may appear at first glance to be paranoid, but they were not made without serious cause for concern. In the early 2010s, it became widely known that the US intelligence services were wiretapping the personal and political communications of German Chancellor Angela Merkel, as well as 34 other world leaders. US and Israeli joint efforts culminated in an online attack that devastated the Iranian nuclear program through a covert internet operation known as STUXNET. The hacking of several news wire services allowed online criminals to obtain information on upcoming press releases, which the hackers then used to day-trade with insider information.
Further, and contemporaneously with Putin’s decision, major US companies and federal bureaus suffered serious cyber attacks. Home Depot had nearly 56,000,000 customers’ credit card information stolen out of its systems. Visa and MasterCard were forced to warn their customers that up to 10 million buyers had their personal information compromised. Target had between 40-110,000,000 customers’ credit and debit card information stolen. Most disturbingly, the Internal Revenue Service had to notify 700,000 taxpayers that their birthdates, names, and Social Security numbers were illegally accessed by online hackers.
Against this backdrop, President Putin made an unprecedented move: he turned back the clock on the intelligence services. He defied established intelligence-community wisdom by removing the Russian intelligence service from the Internet. Putin made a tremendous purchase of typewriters for classified documents and other communications. Izvestia (the Russian news publication) characterized the Kremlin’s purchase like this:
“After scandals with the distribution of secret documents by WikiLeaks, the exposes by Edward Snowden, reports about [Russian Prime Minister] Dmitry Medvedev being listened in on during his visit to the G20 summit in London, it has been decided to expand the practice of creating paper documents.”
As all reports indicate, this experiment on behalf of the Russian intelligence service has been a smashing success. One can think of numerous hacks against various U.S. agencies, ranging from NASA to the United States Department of Agriculture. One cannot think of any equivalent in Russia. The Russians do not seem to get hacked, and perhaps their regression to typewriters plays a significant role in that.
Yesterday, another embarrassing hack was discovered in the United States Department of Treasury. The exact details are not yet known but the attack was serious enough to prompt an emergency meeting of the President’s National Security Council. Early reports indicate that this hack was likely backed by a foreign power, introduced during a software update and used to monitor the internal communications of the Treasury. Some sources have intimated that many more agencies than the Treasury will be identified as compromised once the investigation into this breach concludes.
Reuters brought the greater issue of this hack to a succinct point: “The breach presents a major challenge to the incoming administration of President-elect Joe Biden…”. No Presidential administration has developed a coherent policy to defend against hacks of U.S. agencies. United States agencies have continually relied on internet communications and computer support since the 1990s, yet every President from George Herbert Walker Bush to the (incoming) Biden Administration has failed to develop a working system to defend our agencies’ security.
When Edward Snowden, Bradley Manning, and others leaked classified information from computers at the N.S.A. and Army Intelligence, the Obama Administration failed to respond appropriately. While the Trump Administration (wisely) elevated the United States Cyber Command (USCYBERCOM), the command has yet to put out any (publicly available) recommendations to defend our agencies’ information security.
Curiously, only one agency has had any serious plan to defend its own information security. The United States Air Force manages its Minuteman-3 missiles in a way that is comparable to the Russian intelligence service and should serve as a model to all other U.S. agencies. These 450 nuclear missiles are stationed in bases across the United States and have their information managed by floppy disks. These floppy disks (formally referred to by their technical name “SACDIN Diskettes”) are used to manage information stored in computers that date back to the 1960s. As Lesley Stahl reported for a 60 Minutes piece on the subject: “there is no way to attack (these bases). The equipment can’t get on the internet. So there is no avenue in for someone outside the system, so they (the Air Force) are going to keep it this way.”
Notably, Stahl was right: there have been zero leaks or hacks of sensitive information from the Air Force’s Global Strike Command. The SACDIN Diskettes cannot be hacked for the same reason a typewriter cannot be hacked: they are not connected to the internet. The 1960s computers servicing the 319th Missile Squadron that Stahl reported on are more difficult to leak information from than the computers at the N.S.A. or Army Intelligence because they do not interact with most modern technology.
*** Note: A summation of Stahl’s report can be found here: https://www.youtube.com/watch?v=q0mDATn80QU
Unfortunately, at the end of 2019, the American press briefly noted that the Air Force planned to move off of the floppy disk system that had served the Global Strike Command so well. A quote from Lt. Col. Jason Rossi received significant traction among sceptics who protested what the Air Force called its new “highly-secure solid-state digital storage solution”: “You can’t hack something that doesn’t have an IP address,” he said. “It’s a very unique system — it is old and it is very good.” Unmoved by resistance in the trade press that covers this issue and by comments from the Air Force’s own staff, the GAO reported that the Air Force is proceeding with its plans to replace the allegedly antiquated SACDIN Diskette system.
Information security for our agencies has never been more pressing or important than it is now, and never before have the incoming or outgoing presidencies seemed less concerned. 6 years and (soon to be) 2 presidencies have passed since the Russians revolutionized sensitive information security by reintroducing the typewriter for classified documents. The only U.S. agency that seems to have created a fool-proof system against leaks/hacks (a system that has not failed in 50 years) is ending its use of that system during a time of severe information-security risk for government agencies.
The Trump Administration has done nothing in its 4 years to adopt the Russian model for the Intelligence Community, even as hacks continue to ravage U.S. agencies.
The Biden Administration has no plan to defend agencies’ information security or to reverse the actions of the United States Air Force’s Global Strike Command.
Neither the incoming nor the outgoing administration has noticed the model that the Air Force and the Russian intelligence service have set forward for information security.
All of these issues can be handled by the President; all of them are immediately within the President’s control by executive fiat. A single presidential directive by President Trump or (incoming) President-elect Biden (once he assumes office) could move U.S. agencies to a proven system that defends information security better than any system yet developed. However, neither administration seems concerned, and the U.S. (characteristically) seems likely to remain the perpetual victim of online attacks.
*** THE FIRST CIRCULATION OF THIS EDITORIAL WAS PUBLISHED HERE: https://www.cybersecuritylawreview.com/blog/blog-post-one-7jhxf IN THE CYBER SECURITY LAW REVIEW ***