Opinion

Editorial: U.S. must win at cybersecurity In the game of cybersecurity, the U.S. has to play to win or be ready for defeat.

Network cables plugged in a server room. Network cables plugged in a server room. Photo: Michael Bocchieri, Staff Photo: Michael Bocchieri, Staff Image 1 of / 1 Caption Close Editorial: U.S. must win at cybersecurity 1 / 1 Back to Gallery

America's national pastime has been hacked. It is a dizzy intermingling of past and future, reading headlines about the St. Louis Cardinals accused of illegally accessing an online database used by the Houston Astros. Are mom and apple pie next up on the cyber chopping block? No matter how we hold on to memories of an idealized past, nostalgia doesn't stop the world from spinning.

That's a lesson the federal government needs to learn, and the massive hacking of the Office of Personnel Management is proof enough. Earlier this month, the White House revealed that Chinese hackers appeared to have accessed the personnel files on millions of federal employees. This isn't just about stolen Social Security numbers. Those files likely included SF-86 forms, the 100-plus page security document that includes information on employees' family members, past employment, mental illness, medical history, criminal records and all manner of personal information. China basically has a map of the entire federal government and a cheat sheet on personal weak spots.

It would be easy to blame China, but it isn't as if the U.S. doesn't engage in cyber espionage. Edward Snowden made that fact perfectly clear. The problem is not with cyberwarfare - the problem is that we're bad at it.

The United States has grown comfortable atop the global order, whether militarily, economically or culturally. Those advantages were earned through decades of war and political struggle, and they don't automatically extend online. When it comes to cybersecurity, Chairman of the Joint Chiefs of Staff General Martin Dempsey told reporters earlier this year, it is a level playing field.

The last time the United States faced a similar threat, in the early years of the Cold War, our political leaders rushed to enact policies that would preempt the challenges of a changing world order. President Harry S. Truman oversaw the creation of the CIA, Air Force and National Security Agency, while the best and brightest focused their efforts on containing the new threat of expansive communism.

Today, the OPM runs on computers that are so out of date that they can't implement routine security encryption. The office has known for years that their systems were vulnerable. In fact, a November audit recommended that some of the OPM's networks be taken offline as a security precaution - advice that went ignored. More disturbing, Assistant Secretary of the Office of Cybersecurity of Communications Andy Ozment said that the hackers didn't gain access through any clever exploitation of weak security. They simply logged in using valid user credentials. How did this happen? Technology and news website Ars Technica reported that the company contracted to run the OPM's personnel records gave total access to employees who held Chinese passports. This is hardly the best and brightest.

So what should the federal government do to improve online security?

"What really should happen at this point is that people should be fired a lot more," Chris Bronk, a cybersecurity expert at the University of Houston, told the Chronicle editorial board.

The people responsible for these failures must face the consequences. Yet President Barack Obama continues to stand by Katherine Archuleta, his appointee as OPM director. And what about John Berry, Archuleta's predecessor, who ran the department on obsolete systems? The president rewarded him with an ambassadorship to Australia.

In fact, nobody within the agency was disciplined for the agency's failure to pass cybersecurity audits, according to Michael Esser, the assistant inspector general for the OPM. He also said in a congressional hearing that many of the people running the agency's computer systems had no background or expertise in information technology.

Apparently, failure is an upward trajectory in the Obama administration.

Rather than hold people responsible, the White House is pushing for a "30-day cybersecurity sprint" to improve vulnerable systems in the federal government - an idea that Bronk called "pathetic."

"It is like telling a heroin addict you have 30 days to get a college degree and become a fully functioning member of society," he said.

We need political leaders who are ready to run a marathon on cybersecurity. The future of the economy, military confrontation and human culture will live online. If the United States wants to maintain our global advantage, we can't rely on some moral umpire to call foul on China's hacking any more than we could for the Soviets. We will have to train to be the best team, and the game has already started.