The Chinese word for “crisis” is comprised of two characters. One represents “danger,” and the other represents “opportunity.” On Thursday, June 4, 2015, the United States was reminded of both the dangers and opportunities faced in the digital age after news broke that Chinese hackers allegedly breached government personnel records belonging to millions of current and former federal employees. In response, the Chinese government denied responsibility for the hack, and described any accusations as “irresponsible and unscientific." Feel free to pause and collect yourself after such a surprising response.
The facts surrounding the hack and China’s involvement are still developing. Many questions remain unanswered: How did this happen? Why did this happen? What happens next? Likewise, many Americans have questions about what this hack means both for their own personal information and for our country’s standing in the world. The whole situation is terrifying because it is so easy to see the danger. But in addition to outlining the danger caused by the hack, this post also aims to reveal the opportunities for those of us wondering where we go from here.
First, let us review what we know. Last Thursday, U.S. officials announced that federal government computers in the Office of Personnel Management ("the Office") were hacked, consequently compromising the records of four million current and former U.S. government employees. The Office maintains records for federal employees in each agency, including the Federal Bureau of Investigation, the Department of Justice, and the State Department. These records contain names, addresses, social security numbers, and banking information. In short, these records constitute a hacker’s dream. After notifying employees that their personal information was compromised, U.S. officials instructed victims to monitor or close bank accounts, freeze credit reports, and change online passwords.
The Office of Personnel Management reported that it became aware of the breach in April during an “aggressive effort” to update its cyber security systems. The Office announced that it would be offering those affected 18 months of free credit monitoring and identity theft insurance. But victims are still, understandably, concerned. With the information compromised, the hackers are capable of impersonating any affected employee; thereby amplifying concerns over identity theft and misuse. U.S. officials announced that it suspects that if the Chinese government is responsible for the hack, the Chinese may be compiling a database of information on federal employees in the hopes that such information may be used to blackmail and turn employees against their own government. And all of this is without even mentioning the inherent violation and sense of vulnerability that naturally accompanies the loss of one's privacy. The danger, on all fronts, is magnificent.
U.S. officials are silent on exactly how the breach occurred, but I can hazard a guess. Last Friday, a number of administration officials explained that the Office did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. The Office also failed to regularly scan for vulnerabilities in the system, and a post-breach audit demonstrated that 11 of the 47 computer systems that were required to be certified as safe for use last year were not "operating with a valid authorization." This was the scene as of two months ago, despite prior evidence demonstrating that Chinese hackers accessed federal records in both 2013 and 2014. In other words, the government knew its cyber security protocols to prevent hacks was weak, but was far too slow in improving itself.
Often, we hear too many stories of companies with lax cyber security protocols because CEOs decry "well, other companies might get hacked but it certainly will not happen to me." We do not typically think of the U.S. Government sharing that sentiment. But even after prior security incidents by Chinese hackers, the U.S. government dragged its feet and failed to implement many of the same security precautions that the Department of Justice published just last month. It is easy to demonize China as dangerous in the digital age, but with such poor attention to cyber-security, perhaps the U.S. government is more like Walter White, exclaiming, "I AM the danger!" to anyone testing the government's cyber-security protections.
The first step in solving any problem is to acknowledge that a problem exists. We have a cyber-security problem. Cyber-security is a problem for every country on the planet, because a breach can happen to anyone, anywhere, at any time. The only question is whether a breach will inflict minor damage or create a massacre. But after this hack, the President and Congress have an opportunity to work together and prioritize cyber-security as a national security imperative. Annually, the US government spends approximately $13 billion on cyber-security, compared to over $1 trillion dollars on traditional defense spending. Throwing money at a problem is not a solution, but the hack provides us with an opportunity to evaluate our priorities and recognize that cyber-security attacks are going to be the battlefield for the 21st century. Investing in cyber-security can help create more jobs and strengthen our digital infrastructure so that we may prevent future attacks and better protect the information of all citizens.
Second, this hack can provide the country and the world with an opportunity to conduct an open and candid debate over diplomacy in the digital age. Political commentators on talk radio and cable news have described the China hack as "an act of war," and recently, NATO Secretary-General Jens Stoltenberg announced that "cyber is now a central part of virtually all crisis and conflicts, NATO has made clear that cyber attacks can potentially trigger an Article 5 [military] response." That is frightening. With these kinds of statements floating around, we need to have a global discussion on how nations will conduct themselves in an era of constant cyber attacks. Currently, the digital world is like the Wild West: no rules and no real accountability. Data can be stolen by a bandit from any corner of the planet, and nations have failed to come to an understanding as to how they can work together to bring about justice. Instead, we leave each country with the responsibility to decide how it will respond without any real guidance from the rest of the world. The U.S. is not going to respond to this breach with military action. That is a safe bet. But what if China got hacked? Russia? North Korea? All bets are off. Diplomacy is challenging enough as it is, but cyber-security is a concern every nation in the world shares. Now is the time for countries to unite behind their concerns and work together to establish some order.
Private companies also have an opportunity. Companies can learn the lesson that our government had to learn the hard way. As mentioned above, we see too many companies try to explain why they did not work to prevent a cyber attack or prepare a response plan. Many think that they will be the exception to the rule. Last week's hack demonstrated that no one is safe. But the opportunity exists for you to do something TODAY. Hackers are growing more sophisticated with each passing day, and companies can emerge as heroes by working with an attorney to set in place reasonable safeguards to protect data. Breaches are inevitable. But you have the opportunity to restrict the magnitude of any given breach. You have the opportunity take the steps today that will minimize the costs and damage of tomorrow's breach. Look at last week's hack as a wake-up call. The U.S. government saw the signs that its security features needed improvement, but it failed to act with swiftness we all see as essential now. Do not let this happen to your company.
Finally, taking cyber-security seriously can serve as a great business opportunity. This is not a United States issue, but rather a global issue. Companies around the world know this is a fact. Transnational companies are eager to do business with companies that take cyber-security seriously and implement privacy-by-design measures that embrace security protocols from the very beginning instead of as an afterthought. Companies can protect their data, expand into the global market efficiently, and bolster the bottom line simply by working with an attorney to employ protocols that should be executed in the first place. It is win-win-win.
The danger in any crisis is often easy to see. Finding the opportunity takes time, deliberation, and a proactive approach towards an improvement. An opportunity exists for anyone with cyber-security off of his radar to take his head out of the sand and embrace that the future is now. We can be proactive and demonstrate that we take cyber-security seriously, while working with our colleagues across the aisle and our fellow global citizens around the world. None of this is easy, but it can make for a better world. We all face the danger. Together, we can seize the opportunity.