WH Breach Probe: How Transparent?Administration Gives Vague Response to Unclassified Net Breach
The breach of an unclassified White House IT network unveiled last week is disturbing,although not surprising. But the way the Obama administration is informing Congress - and the public - about the cyber-attack is equally unsettling.
The administration has not been very transparent about the breach, including how it occurred, how it's being investigated and what it will tell Congress - and the American citizenry - once the probe concludes. The White House did not confirm the hack until it was disclosed by the Washington Post.
I hope they tell us about what happened because that's how other administrators learn, and are able to improve their defenses.
When I queried the White House late last week about how transparent its investigation into the breach will be, including how it plans to disclose information to Congress and the public, the White House issued a statement attributed to Bernadette Meehan, a National Security Council spokesperson: "Consistent with sensitive intelligence matters, the director of the FBI notified congressional leadership and the chairs and ranking members of the intelligence committees." That was it, nothing more.
One can only hope the administration will share key, unclassified findings about the breach, not only with Congress, but with the public, too. The White House can't reveal everything about the hack - there are legitimate national security concerns - but it can share many details with the cybersecurity community about the attack. After all, one of the administration's top cybersecurity goals is cyber-threat information sharing. And information sharing goes beyond alerting others of pending threats, but sharing lessons learned from cyber-attacks so others can avoid similar digital assaults.
Importance of Transparency
"I hope they tell us about what happened because that's how other administrators learn, and are able to improve their defenses," says Johannes Ullrich, dean of research at the SANS Technology Institute, in an interview last week with Information Security Media Group. "Other networks, not just government but commercial networks and such, may be affected by the same type of malware," Ullrich says. "It's usually very important ... to actually disseminate some of these details."
But disseminating such information doesn't seem to be in the DNA of many officials in the administration and Congress. The leaders of the committees with government IT security oversight weren't notified by either the White House or apparently by their own congressional leaders. The ranking member of the Senate Homeland Security and Governmental Affairs Committee, Tom Coburn, issued a statement before word surfaced that the "Gang of Eight" - the Democratic and Republican leaders of each house and chairs and ranking members of their respective intelligence committees - were briefed on the breach. The Oklahoma Republican complained about the lack of limpidity from the White House regarding the breach.
"I'm disappointed that the White House decided not to notify Congress of the breach, even as its officials debated with my staff the need for agencies to tell Congress when they've been hacked," Coburn says, in a statement issued Oct. 29.
'Yet to Receive Satisfactory Answers
Coburn says he pressed the administration to share details about what has happened and how the attack succeeded. "I have yet to receive satisfactory answers," he says.
Apparently Coburn's colleagues in the Gang of Eight failed to alert him of the breach, too.
A Senate Homeland Security and Governmental Affairs Committee aide, speaking on background, says the White House did not notify its chairman, Sen. Tom Carper, D-Del., about the intrusion, adding that since the breach the committee staff has been in contact with the administration about the incident.
Carper used the uproar over the breach to call for enactment of a series of cybersecurity bills Coburn and he have sponsored, including the Federal Information Security Modernization Act, a measure that would update the Federal Information Security Management Act, the law known as FISMA that governs federal government IT security (see FISMA Reform Heads to Senate Floor).
"I am committed to continuing to work with my colleagues on both sides of the aisle, the administration and stakeholders to pass our legislation and additional measures that address this critical issue as soon as possible," Carper says.
But we need more than just laws. We need a government that can be as frank as possible about the cyber-vulnerabilities government IT systems experience. Without such transparency, the government and other entities in our society will not be able to develop the proper cyber-defenses.