The Wall: Undermining National Security in More Ways Than One

The nation’s longest federal government shutdown continues, along with the debate on the issue that triggered it: a wall on the border between the U.S. and Mexico. While every serious voice agrees on the importance of secure borders, what constitutes effective border defense varies widely. Largely ignored in these discussions: how the financial and emotional impact of the shutdown puts the nation at risk not from external threats, but internal ones.

From the beginning of this shutdown, we’ve heard numerous stories from the ranks of the 800,000 laid off government employees, as well as the massive number of government contractors who are also not getting paid (and won’t get back-pay when this is all over), on social media and in the press about how the shutdown has and will continue to impact them and their families:

“Last week we had soup for dinner and my son asked if it was because we didn’t have money.”

“I’m really worried my landlord will not be happy when I can’t pay my rent.”

A federal employee with diabetes who is running out of insulin “…can’t afford to go to the ER. I can’t afford anything. I just went to bed and hoped I’d wake up,”

These stories point out the precarious financial situation at least part of the nation’s federal workforce faces, not just during the furlough, but on a regular basis. ‘Living paycheck to paycheck’ is a phrase one usually does not associate with college-educated professionals on the General Schedule, which is a signal to the intelligence services of our adversaries that one of the primary means of getting someone to spy for you – Money – is more likely to produce results across a wider spectrum of targets than may have been thought.

Such efforts do not necessarily have to be applied to feds with security clearances; you don’t have to have a clearance to provide information of value to our adversaries. The collection of intelligence about an adversary is often described as akin to building a ‘mosaic’: a lot of little pieces of this and that, no one piece being particularly valuable, assembled over time into a comprehensive picture.

As an example, one of the classic little ‘asks’ that counterintelligence training used to tell you to be wary of is requesting a facility or agency phone book. What harm could that do, right? It’s not even classified. We always have extra and they just go in the trash at the end of the year. Well, you’ve just handed over a list of who does what in your organization, and provided a means to reach them. You’ve also confirmed, or filled in gaps, in an adversary’s knowledge of the organization and what it does.

A modern equivalent? “Hey, I’ve been trying to bid on this contract your agency is putting out. Could you provide me with the email of <a senior defense executive>?” What’s one email address, right? Well, for all the talk of “APT” and “sophisticated” nation-state hacking, phishing is still a leading method of cyber attack. And based on professional experience, the more senior the individual, the less attentive they are to cyber security threats.

With a little more time and effort, one could come up with an extensive list of potential scenarios. None of them have to be obviously linked to security or safety issues that might make a frustrated-but-loyal fed feel suspicious, because that’s the magic of building a mosaic: every little tiny bit helps.

This isn’t exclusively a nation-state-based threat. Contractors with questionable ethics, organized crime, terrorists, or other threat actors could all take advantage of the precarious financial situation Uncle Sam has placed his people in. This is of particular concern in environments where the trustworthiness of the workforce is already questionable.

Federal shutdowns are not new. But this one comes at the end of a string of insults and injuries the federal workforce has had to face in recent years. The most significant of these being the breach of computer systems at the Office of Personnel Management. OPM didn’t just lose personnel records, it lost the background checks and related paperwork for feds with security clearances. To maintain a clearance, one has to re-submit to a background check every few years. Questions about your financial situation will be asked. Investigators will understand what caused people to miss payments or take a ding to their credit scores in the winter of 2018/spring of 2019; but if a missed paycheck sends you into a financial Mariana Trench, that’s going to be an issue. Being in financial straits could cost you your clearance, the loss of which could cost you your job. The real impact of the shutdown for some might not come home to roost for months or years.

The opposite is also true: if the bulk of the workforce took a financial hit, but you managed to come out unscathed, why is that? Everyone assumed Aldrich Ames’ stories about his wife’s family’s wealth were true, until they found out it wasn’t.

How do we deal with this?

Congress and the White House should focus on border security, not a wall per se. While there are places along the U.S.-Mexico border where a literal wall might make sense, we need to apply all the tools and technologies available to us – steel, concrete, sensors, drones, and people – to address the problem. People want a check on illegal immigration, the form that check takes is less important than the fact that it exists, and is functional.

A comprehensive study of the federal pay scale. No one joins the gov’t to get rich, but if the financial troubles of the workforce are as deep and wide-spread as the media would have us believe, is that a function of a whole lot of people living beyond their means, or are we really not paying people a livable, much less market, wage? Its ‘federal service’ not ‘federal servitude.’

If you’re a fed, particularly one with a clearance, maybe don’t talk to reporters or get on social media to discuss your plight. This is not the old days: identifying the missives of potential targets is neigh on trivial to actors like Russia and China (especially if they have your OPM file and SF-86 paperwork). And while no one thinks they’re the one who is going to sell out their country to pay the mortgage, under the right conditions, anyone can be pressured to do a little, seemingly innocuous thing, that could contribute to serious damage down the road.

/* Full credit and extensive thanks to Freshman, who came up with the idea for this post and was instrumental in its creation. */

Better Government Cyber Security: don’t hold your breath

It is one thing to plan, something else entirely to turn it into reality:

The DHS plans to collocate private-sector employees from the
communications and IT industries with government workers at the U.S.
Computer Emergency Readiness Team (US-CERT) facility here, said Gregory
Garcia, assistant secretary of cybersecurity and telecommunications at
the DHS. The teams will work jointly on improving US-CERT’s information
hub for cybersecurity, Garcia said. The agency didn’t specify a
starting date for the program but said it will begin soon.

Every corporation willing to give up a top-notch employee to a rotation to the government (out of the goodness of your heart, because you’ll have to eat their salary) raise your hand.

Every highly-skilled private sector employee willing to support two households for a year on your current salary and who is prepared to subject yourself to the grinding bureaucracy of DHS, line up over here.

That’s what I thought.

Mr. Assistant Secretary, you can’t do this on the cheap because you are going to get what you pay for. The money Uncle Sam paid your predecessor could comp industry for 3-4 great folks. A little COLA adjustment wouldn’t hurt either, but that’s icing. I’m assuming that since you came from a private-sector lobbying gig you understand how the economics works, so I’m also assuming that you are wed to this course of action because of circumstances that are out of your control. When this effort comes up short, you might want to begin a lobbying effort to change those circumstances.

$.02

What Year is This?

I feel like I’m taking crazy pills here . . .

The Homeland Security Department finally named an assistant secretary for cybersecurity last year, and the Senate ratified the first international treaty on cybercrime.

The Computer Security Industry Alliance had lobbied for these achievements for more than two years and counts them as big wins, said acting executive director Liz Gasster. But the nation still lacks a comprehensive data security law, and DHS needs to develop response and recovery plans for disruptions of our critical infrastructure.

[…]

CSIA has set out a cybersecurity agenda for government for the last two years, with only indifferent results. In its Federal Progress Report for 2006, it gave the administration an overall grade of D because of failures to pass privacy legislation and to set clear priorities for future work.

It seems like just yesterday that RTM shut down the inter-tubes with his Sendmail experiment. In the aftermath CERT/CC was born (gov’t sponsored but run by the academy – a foreshadowing) and annual projections of a) the death of the Internet, b) the need for more cooperation, and c) the need for more legislation followed. In the mean time we’ve had a few Digital Battle of Wake Islands, the .com boom and bust (and .com bust-boom), too many parallels to Snow Crash to count and version .9 of Hari Seldon’s Encyclopedia Galactica.

Every year the same discussions, every year the same problems, every year more threats, every year we expose ourselves more and every year no forward progress. Why?

Main St. Fallujah

This story from LGF and this bit by Lind seems to suggest that maybe Fallujah in your home town might not be that far off. I suggested as much in both written and verbal formats, though like Lind I was focusing on different perps and victims. Domestic reporting indicates that the raw materials are readily available (to the baddies) in bulk and if there isn’t a Jihadist Web site (or old Army FM) with the requisite know-how online I’d be surprised.

Consider this your friendly neighborhood threat warning report . . . I elaborate at ThreatsWatch.