May 9, 2016 / by emptywheel


Long-Serving Intelligence Executive: Sure, Government Has Been Thoroughly Pawned But What about Ordinary Citizens?

Three months after Obama rolled out a cybersecurity initiative backed by a piece in the WSJ, former Deputy Director of Defense Intelligence David Shedd has decided to critique it (the 3 month delay might have something to do with the fact that, in the interim, Shedd was getting beat up by DOD Inspector General over having created his own private limousine service).

In his op-ed, Shedd questions Obama’s embrace of a public-private partnership. He makes a good point that such government initiatives rely on voluntary participation. He insinuates that Obama ignores the contributions of Apple because of the fight over encryption.

How odd that the president didn’t even mention Apple among the other leading technology firms when it comes to cybersecurity. Apple, America’s (and the world’s) largest and most valuable technology firm, has led the industry in securing its products, a claim the others listed can’t stand by. But of course the president can’t mention Apple as a shining example of American cybersecurity, because his administration is entrenched in a political battle with the company over encryption.

It’s a fair dig. Except that’s the kind of anachronism I wouldn’t expect from a lifetime spook. It is true that Jim Comey was on the war path with Apple since the company made iPhone encryption standard in fall 2014. But things didn’t start ratcheting up until February 16, when DOJ got an All Writs Act to make Apple rewrite their operating system, after Obama wrote the op-ed that didn’t mention Apple.

Shedd then mocks Obama’s efforts to introduce more flexibility in hiring cybersecurity people. Here’s what Obama said:

We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office. I want this generation of innovators to know that if they really want to have an impact, they can help change how their government interacts with and serves the American people in the 21st century.

Here’s what Shedd (he of the personal limousine service) said:

While this proposal rightly addresses the need to recruit great talent, does the administration really think the ability to wear jeans is going to sway the best and brightest away from the pay in Silicon Valley?

Perhaps we’re all missing the metaphor of “wearing jeans” for smoking pot. But the truth is some people aren’t motivated primarily by personal limousine services; they would like to help the government. One real barrier to hiring talent — people like Ashkan Soltani — is something Shedd has been a very big player in: security clearances.

Which gets me to my real confusion about this piece.

First, even before he talks about how much better the tech industry, at least, is than the government on these issues, Shedd complains that there’s nothing in Obama’s policy for “everyday citizens or industry.”

It’s all well and good to talk about protecting U.S. innovation and giving every American a level of online security. But the president fails to suggest even a single solution that would impact everyday citizens or industry.

Then he lays out how absolutely incompetent the government has been in protecting itself.

[C]onsidering the fact that multiple government agencies, as well as the Justice and Homeland Security departments, have faced significant cyberattacks, this is an odd claim to make.

The most egregious breach took place less than a year ago, when the Office of Personnel Management suffered a huge data breach that continues to impact tens of millions of federal workers and contractors, including those with access to America’s most sensitive secrets. No one was fired over the incident. Is that accountability? In late February, the office’s chief information officer resigned just two days before having to testify before Congress.

The administration’s failed record in cybersecurity extends beyond the breaches on government systems. In a recent score card released by the House Oversight and Government Reform Committee, the majority of federal agencies received subpar, if not failing, grades on their cybersecurity posture.

Among the worst was the Department of Energy, which is charged with protecting our nation’s nuclear technology. Given that the Obama administration had seven years to meet its cybersecurity obligations, why should the American people believe anything will change with a new initiative?

Now, if the government is a cybersecurity sieve, then why is Shedd bitching that there’s nothing in Obama’s policy for “ordinary citizens” or the private industry companies that aren’t getting pawned? Shouldn’t locking down the nation’s nuclear secrets — a point I’ve emphasized — be a higher priority than saving Target from liability when its customers get their credit card data stolen (besides the fact, for customers who can afford an iPhone, as Shedd pointed out, Apple is already doing something)? In a purportedly capitalist society, should the government free private industry of all responsibility for its own security?

Crazier still, Shedd — who worked in Bush’s National Security Council until 2005, then moved to Director of National Intelligence, then in 2010 moved to DIA — is bitching that no one (aside from Katherine Archuleta) got fired for the OPM hack. In several of those positions, Shedd was in a place where he should have been one of the people asking why the security clearance data for 21 million people was readily available to be hacked — though no one in his immediate vicinity thought to ask those questions until 2013 and even then not including the non-intelligence agencies that might be CI problems. He was in a position when he may have — probably should have — reviewed some of the underlying database consolidation of clearance databases, including (at ODNI) identifying them as a counterintelligence threat.

A report published by the Office of the Director of National Intelligence provides some insight: In order to report security clearance volume levels, the National Counterintelligence and Security Center’s Special Security Directorate (SSD) “compiled and processed data from the three primary security clearance record repositories: ODNI’s Scattered Castles (SC); DoD’s Joint Personnel Adjudication System (JPAS); and the Office of Personnel Management’s (OPM) Central Verification System (CVS). To fulfill specific reporting requirements of the FY 2010 IAA, the SSD issued a special data call to the seven IC agencies with delegated authority to conduct investigations or adjudications.” The purpose of the data call was to consolidate security clearance data.

It’s probably not Shedd’s fault personally OPM got hacked, but some of the people who directly worked for him along the way may well bear responsibility.

Moreover, when he bitches about how so little has been accomplished in Obama’s 7 years, it ought to raise questions about why nothing got accomplished in his own decade of service in a position when he might have done something. Perhaps he spent years fighting with Obama (and before him Bush) to do something about the government’s cybersecurity, but if so, that’s what he should be talking about, not that Obama wants to make it easier for hackers to wear jeans to work.

Some of Shedd’s complaints are spot on. Just not coming, as they do, from someone who spent a decade in a position to address cybersecurity himself.

Copyright © 2016 emptywheel. All rights reserved.
Originally Posted @