CHAPTER 21 ACHIEVE TECHNICAL FITNESS FOR CYBER WAR

Five months after getting sworn into office, I opened a letter from the Office of Personnel Management (OPM) explaining that the extensive personal data I had provided when I joined the CIA was now in the hands of a foreign adversary.

I knew that OPM, the agency that manages the government’s civilian workforce, had been the target of one of the most devastating cyberattacks in U.S. history. Personnel files containing what are called “SF-86 forms,” filled out by millions of federal workers as part of our applications for security clearances, had been stolen.

I was one of those federal workers. Like millions of others who’d had their data taken, I was pissed.

An SF-86 data theft was way more extensive than the typical credit card account hack, where card information is used to make unauthorized purchases. The SF-86 forms ask individuals for deeply personal stuff, like where they’ve lived, how much money they’ve saved, where it was kept, the home addresses of their kids, parents, siblings, foreign contacts, whether they sought help for a mental health problem, or had gotten into money trouble.

If narcotraficantes in Mexico had this type of information, they would have the home addresses for family members of the Border Patrol. The Russians could use the information to drain people’s bank accounts by creating new access codes to acquire private information. The MSS—the intelligence, security, and secret police agency of the People’s Republic of China—would know if a Chinese American had family members still living in China in order to potentially extort or use that relationship to apply political pressure.

My information, and that of millions of others, was a gold mine for bad guys across the globe.

“Are you kidding me?” was my response to the letter. “Katherine Archuleta is going to have a bad day tomorrow.”

As a first-time congressman, I was a member of the Oversight and Government Reform Committee (OGR) and chairman of OGR’s brand-new Subcommittee for Information Technology. OGR was holding a hearing on the theft the day after I received my letter, and the director of OPM, Katherine Archuleta, would be testifying.

I had run my campaign on the promise of being the gold standard in constituent services and a leader on national security. On the campaign trail, I barely spoke about cybersecurity. IT procurement definitely never came up. Before being given the privilege of chairing a subcommittee as a freshman congressman, I had intended to focus on border security and counterterrorism issues. Not IT stuff.

I did have experience in cybersecurity—I had helped build FusionX into a preeminent cybersecurity firm; that’s why Jason Chaffetz (R-Utah) wanted me to serve on his committee. While I was at Crumpton Group, our clients were asking for help in defending their digital infrastructure. Being good intelligence officers, we said we knew a guy. That guy was Matt Devost, a crack cybersecurity expert. Because I was the only Crumpton consultant with a computer science degree, I was tasked to work with Matt to help build FusionX. I was the sales guy and account manager, but to pitch our business better, I learned a little something about what our hackers were doing.

The OPM hearing blew me away. One of the most damaging cyber heists in U.S. government history, and the U.S. government just let them in. What makes it worse is that OPM had been told for years it needed to improve its digital infrastructure to prevent such an attack.

I quizzed OPM officials about whether they employed basic elements of good digital hygiene like two-factor authentication, how they’d found the breach, and even whether they had a team drinking Red Bull working around the clock to fix this.

Their answers were vague at best, and they declined to apologize or even acknowledge their agency’s refusal to implement security best practices that had been recommended for years by the agency’s own inspector general.

I asked Archuleta whether the hacker had used a zero-day vulnerability to get into the OPM network. A zero-day vulnerability is a software security flaw for which the vendor of that software doesn’t have a fix. It was a simple question, but her reply was a bureaucratic side step.

“I think that would be better answered in a classified setting,” she said.

Really? Millions of people had their most personal information stolen, and she won’t tell us whether there’s a hole in their software. I asked the question even though I already knew the answer. The attackers didn’t exploit a zero-day vulnerability. They took advantage of a weakness in the software that we already knew was a problem. This could have been easily prevented if basic security measures had been taken. The fact that most of the country knew about an obscure government agency like OPM was an indication of how outraged the American public was that it was so easy for important information to be stolen—and that the theft was enabled by laziness and sloppiness.

The perpetrators were eventually identified: the government of China.

The OPM hack was not about the Chinese government making money. It was about scoring a treasure trove of data to improve their intelligence operations against the United States.

The war is underway. The reality is that the American Revolutionary War was fought by soldiers on the ground. World War II was fought by planes in the sky. And this New Cold War is being waged on the cyber battlefield.

But if a soldier is in battle and has an inferior firearm or doesn’t know how to use that firearm, or that firearm doesn’t work the way they think it will, then that soldier is unable to fight effectively. Combat effectiveness requires technical fitness—quality equipment and an ability to use the equipment the way it is intended to work. This is true whether the battlefield is in the air, on land, or inside cyberspace. We must achieve technical fitness for a cyber war we are already fighting, where the winner will control the world.

China isn’t the only country with its eyes fixed on the opportunities cyber warfare presents.

In 2021, three North Korean computer programmers were indicted in the U.S. for attempting to extort and steal more than $1.3 billion as part of a global cyber scheme that included the 2014 hack of Sony Pictures Entertainment. In that famous data breach, North Korean hackers dug through Sony’s network and released embarrassing emails between executives, executive salaries, and personal information about employees and their families. They demanded that Sony withdraw its movie The Interview, a comedy about hapless journalists recruited by the CIA to assassinate North Korean Leader Kim Jong-Un.

Russia has also developed considerable skill in cyber warfare and has been the most brazen in its execution. Without firing a gunshot, launching a missile, or deploying troops, it brought the country of Estonia to its knees. And in 2020, Russian hackers penetrated the Pentagon, intelligence agencies, nuclear labs, and Fortune 500 companies in the SolarWinds operation—one of the worst cyber espionage assaults ever experienced by the U.S. Hackers inserted malicious code into software updates that gave them remote access to computers. As of mid-2021, estimates suggested insured losses of up to $90 million. Even more scary, this hack showed that a cyberattack can impact more than just digital infrastructure. It showed it could navigate to operational technology—power distribution units, air handler units, and other control system devices, which can affect the physical world.

What this makes clear is that the U.S. government, the private sector, and individuals are still ill-prepared for cyber warfare.

I experienced this lack of preparation firsthand in Congress, as well as at FusionX, where Matt Devost and his hackers worked to penetrate corporate data security systems to find their vulnerabilities before cybercriminals got there first.

In a meeting at a major financial services firm that was spending millions of dollars defending its digital infrastructure, I watched as Matt spent six hours firing questions at the senior leaders of the firm. It was my first time joining Matt on a security assessment, and I only understood about 40 percent of what was being discussed.

A security assessment is a discussion with the senior technical leaders of a company to determine how they protect their digital systems. This occurred on the first day. Then, on the second day, we would perform a “technical vulnerability assessment” of their network security—pop the hood and look inside. On the way back to the hotel after the first day, Matt commented to me that if this company was doing half of what it said it was doing, then tomorrow would be a very difficult day for us because it would be hard for us to break in.

A technical vulnerability assessment is different from a blind penetration test (which is a simulated cyberattack to find vulnerabilities without the knowledge of the company’s data-security people). In a technical vulnerability assessment, the assessment is performed on the client’s premises and the defenders know what’s going on. The FusionX hackers would be given the most basic access to see if they could elevate their digital privileges to get deeper into the organization’s system. Think of it like this: You connect to the Wi-Fi at an airport during a layover between flights, and with that basic Wi-Fi access, you end up connecting to the air traffic control tower and can direct the planes in the air. In essence, that was what we were testing for.

We had our best guy on the case. That morning, I was settling into a cubicle for the day to work on other projects when Matt walked in and said, “We got in.”

“You got in?”

“Yep. In fifteen minutes.”

I was shocked. “We hacked into the most sensitive parts of the firm’s network, in fifteen minutes?”

“Yeah,” Matt said. “This always happens. Everyone talks a good game, but when you test whether they put their theories into practice, things usually fall apart.”

This was a tangible lesson in the Russian proverb popularized by Ronald Reagan, doveryai, no proveryai—trust but verify. I followed this maxim in Congress but found that too many organizations in the private sector and federal government rely on just the first part of this proverb.

The costs of cybercrime are growing exponentially, with estimates that it has doubled since 2015. Cyberattacks are also literally killing people. The first documented death resulting from a cyberattack happened in Dusseldorf, Germany, in September 2020, when a woman arrived at the Dusseldorf University Hospital for life-saving surgery, only to be turned away. Cybercriminals had just defeated the hospital’s security by exploiting a known software vulnerability, allowing them to commandeer the hospital’s computer systems needed to process the patient and carry out the surgery. Out of options, paramedics rushed the patient to another hospital, but it was too late—the patient died.

During the COVID-19 2020 shutdowns, the number of cyberattacks skyrocketed. According to the World Health Organization, cyberattacks soared fivefold after the pandemic erupted. Health organizations were the prime target.

Criminals love crises.

In 2021, hackers hacked into the industrial control systems of a water treatment plant in Oldsmar, Florida, and tried to poison the community’s water supply. A supervisor on duty was able to stop the perpetrators before they could raise the level of lye in the town’s water to a dangerous level. As-yet-unknown hackers had gained access to these sensitive systems because of poor password security and outdated software.

The stunning GameStop stock frenzy in early 2021 presents a scary cyber theft scenario with global implications. Fueled by a Reddit army of individual traders buying shares to squeeze hedge funds that bet the price would fall, GameStop’s stock price skyrocketed before falling back to earth. Tens of billions of dollars were won and lost over days of trading.

But what if this phenomenon wasn’t hatched by Reddit users, but instead was fueled by a digital covert action campaign by a government like the Chinese Communist Party to achieve a financial objective to the detriment of the American public? This is a “black swan” event that would have catastrophic consequences, but against which we aren’t prepared to defend.

Improving our technical fitness to defend against catastrophic cybercrimes isn’t just the responsibility of governments and businesses. Individuals have a role to play by practicing good “digital hygiene.”

We relearned a lot about personal hygiene during the pandemic. To reduce our chances of getting COVID-19—wash hands, wear a face mask, and practice social distancing. For our online lives, there is digital hygiene.

The basics of digital hygiene are to have a fourteen-character-plus password, resist clicking on attachments in your email or texts from someone you don’t know, and keep your software on your phone or laptop up to date in order to protect your devices against a vulnerability discovered by the company that wrote the software.

Beyond the individual battle to maintain security on computers, phones, video game consoles, and other digital devices, there is the national digital war to protect our country.

Just as you can’t fight a war with tanks and planes that break down, we can’t fight this New Cold War with crumbling and porous digital infrastructure. During my time in Congress and on the House Appropriations Committee, we focused on modernizing our armed services—new planes, better ships, and improved training facilities. Now it’s time to have that same mentality for our digital infrastructure.


To achieve the operational tempo necessary to defend cyberspace, we need a culture of modernization within our government. That begins with being deliberate in paying attention to digital hygiene.

Many people have heard of antivirus software and firewalls. Antivirus software is used to prevent, detect, and remove computer viruses or malware—any kind of software designed to do something bad to your system. A firewall is a device you put on a network that monitors everything coming and going on your network and decides whether to allow specific traffic based on a predetermined set of security rules. Antivirus software and firewalls have been tools in cybersecurity for more than twenty-five years, but there are always new tools being developed to defend devices and computer networks. Ensuring that government agencies, businesses, and individuals are keeping up with the times requires a culture that prioritizes modernization.
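As an added illustration, not from the book, of the “predetermined set of security rules” a firewall applies to traffic coming and going: a small Python model of that decision logic. The network, the addresses, and the policy are constructed for the example; rules are checked in order, the first match wins, and anything no rule mentions is dropped, which is the default-deny posture a defender wants.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One connection attempt as seen at the network boundary."""
    direction: str  # "in" (arriving from outside) or "out" (leaving the network)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """A single entry in the predetermined rule set."""
    action: str                  # "allow" or "deny"
    direction: str
    src: str = "0.0.0.0/0"       # CIDR block; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction == p.direction
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and self.dport in (None, p.dport)
        )


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; traffic no rule mentions falls to the default (deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed policy for a hypothetical 10.0.0.0/24 network with a web server at 10.0.0.5.
POLICY = [
    Rule("deny", "in", proto="tcp", dport=22),                        # never expose SSH; listed first so it wins
    Rule("allow", "in", dst="10.0.0.5/32", proto="tcp", dport=443),   # public HTTPS, and only to the web server
    Rule("allow", "out", src="10.0.0.0/24", proto="tcp", dport=443),  # workstations may browse HTTPS
    Rule("allow", "out", src="10.0.0.0/24", proto="udp", dport=53),   # and resolve names
]


def evaluate_samples() -> dict:
    """Run constructed sample traffic through the policy and return each verdict."""
    samples = {
        "web_in": Packet("in", "203.0.113.9", "10.0.0.5", "tcp", 443),
        "ssh_in": Packet("in", "203.0.113.9", "10.0.0.5", "tcp", 22),
        "rdp_in": Packet("in", "203.0.113.9", "10.0.0.7", "tcp", 3389),        # no rule: default deny
        "https_to_other_host": Packet("in", "203.0.113.9", "10.0.0.7", "tcp", 443),  # wrong host: default deny
        "browse_out": Packet("out", "10.0.0.42", "198.51.100.3", "tcp", 443),
        "smtp_out": Packet("out", "10.0.0.42", "198.51.100.3", "tcp", 25),   # unexpected outbound: default deny
    }
    return {name: decide(POLICY, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The outbound rules matter as much as the inbound ones: a compromised workstation that tries to talk out on a port the policy never lists is blocked by the same default-deny fallthrough.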

Changing the behavior of the federal government is a momentous job, and Congress has a critical role in making this a reality. One way Congress can do this is through its oversight role and through legislation like FITARA. After three terms in Congress, I now understand how important the oversight function of Congress is. But in the first few months on the job, grappling with learning the ropes of being a chairman of a subcommittee, I thought doing oversight was more of a pain in the ass and a distraction than what it really was—probably the most important thing that I could have done to improve digital hygiene throughout the federal government.

“Tell me again, what the hell is FITARA?” was my question to Troy Stock, the staff director for the IT subcommittee that I chaired.

“It’s the bill that Chairman Chaffetz’s predecessor, Darrell Issa from California, and Congressman Gerry Connolly from Virginia passed at the very end of last Congress,” was Troy’s response. “FITARA stands for the Federal IT Acquisition Reform Act.”

“And why do I care?”

“You care because FITARA was the first major overhaul of federal IT in over two decades. Its implementation is in our jurisdiction. It’s been one year since it passed. We should have a hearing on how it’s working.”

Troy suggested I meet with Dave Powner, director of IT issues for the Government Accountability Office (GAO), to discuss a scorecard the agency had come up with to systematically measure and grade every federal agency’s performance under the law in modernizing their IT infrastructure.

The GAO is an independent, nonpartisan agency, often called the “congressional watchdog.” It examines how taxpayer dollars are spent and provides Congress and federal agencies with objective, reliable information to help the government save money and work more efficiently. I had already come to respect it as an agency because it has been identifying problems within the federal government for a long time, and every GAO staff member I had met was smart, thoughtful, and direct.

While I was suspicious about whether using a scorecard to measure the performance of the federal government’s IT systems was anything more than a monumental waste of time, I had used scorecards to improve the performance of many organizations in the past.

When I was a high school junior, I had read the book The 7 Habits of Highly Effective People by Stephen Covey, the founder of the leadership development company Franklin Covey. Ever since, I have incorporated these principles into my daily living, and because I was a fan of Franklin Covey’s products, I read The 4 Disciplines of Execution by Chris McChesney, Sean Covey, and Jim Huling during my time in the CIA.

One of the disciplines of execution is to keep a compelling scoreboard. If you have a clear goal and know what the key measures of success are, then you can track the specific behaviors that lead to goal accomplishment, thus making you more successful. Additionally, people play harder when they know someone is keeping score. I had used these pragmatic principles, including the scoreboard, to increase intelligence production and asset recruitment for my unit in Afghanistan.

Powner and his colleagues at GAO had developed a method of assigning a letter grade to how well a government agency was implementing four areas outlined in the FITARA legislation. The easiest thing that was graded was how well an agency was closing down data centers and transitioning digital operations into the cloud. It also graded whether new digital initiatives were delivering results on a regular basis and assessed performance metrics designed to measure whether new IT investments were being implemented within budget and on schedule. The other thing graded was how well an agency was protecting its IT assets and information.

Of the twenty-four large departments and agencies we reviewed, only two had earned Bs and just five got Cs. The rest flunked—they got Ds and Fs, meaning the federal government was failing to do very basic things to improve digital hygiene.

No wonder it was so easy to hack into OPM.

When Robin Kelly (D-Illinois), my Information Technology Subcommittee ranking member, and I called several agency chief information officers to testify about why their grades were so bad, we learned that these agencies failed to have a culture of modernization.

As we saw some slow improvements, we recognized that these agencies were paying attention to what we were keeping track of, so we added categories that would improve digital hygiene and build a culture of modernization. It took five years, but finally all twenty-four federal agencies passed. We demonstrated that aggressive and continued oversight could drive changes that would improve digital hygiene. We also showed that we needed all hands on deck to fix our technical fitness crisis.

The ship is sinking, and to stay afloat we’ve got to do more than use a small bucket for bailing water.


Winning this struggle is not the responsibility of just one person or organization. It’s everyone’s, especially at a time when technological change is accelerating at unprecedented speeds.

In 2018, I was getting an award from FCW (Federal Computer Week), a media company that covers technology within the federal government. At the awards dinner, FCW was presenting a special honor to NASA’s Voyager mission teams for showing what’s possible when innovation and dedication are required to keep systems running for the long haul. Dr. Jeffrey Hayes, a scientist at NASA responsible for the support of several missions then in operation, accepted the award on behalf of the Voyager team. In his acceptance speech, Dr. Hayes told the story of the Voyager program.

Forty-one years before the awards dinner, the day after I was born in 1977, NASA launched Voyager 2 into space. It was the first man-made object to leave our solar system, and the engineers who designed Voyager 2 believed it would send data back to Earth for maybe three to five years. Incredibly, Voyager 2 is still reporting back to us.

During his remarks, Dr. Hayes said, “Even when the radioisotope generators on the spacecraft are finally depleted, both of them will continue to move out into the galaxy—ambassadors of the human race as we take our first tentative steps into deep space.”

What’s crazy about Voyager 2 is that we learned so much about our solar system from it—and it only had seventy kilobytes of onboard memory. That’s about enough space for a seven-page Microsoft Word text document. A photo taken on your smartphone wouldn’t fit on the Voyager spacecraft computer system.

From the time that we launched this space probe, we have commercialized the internet, pretty much everyone has a handheld smartphone, and many schools even have 3D printers. These technological advancements have taken human innovation to places we couldn’t have imagined. But they have also increased the surface area available for hackers to attack.

To be prepared for cyber war we need all our cyber systems—government, business, academic, and personal—technically fit. We need a culture of modernization focused on continually improving our digital infrastructure, an infrastructure we can trust because we have verified it does what it’s supposed to do when we need it to do it. And combat effectiveness means having the right tools. If we are technically fit, not only will we be prepared for all the unexpected outcomes of a cyber war, but we will put ourselves in a position to stay the global leader in advanced technology.