Even the White House Thinks This Secrecy Thing Is Out Of Control
August 7, 2013
The White House is promising to find new ways to declassify cybersecurity secrets — even as the Obama administration continues to go after leakers with a vengeance.
"There is absolutely a shift toward doing that and we’re working quite hard at that," said Andy Ozment, senior director for cybersecurity at the White House told Killer Apps today. "We have to change our culture and accept more risk to our [cyber intelligence] information in order to share it more aggressively."
While the administration has made a seemingly aggressive push for secrecy, prosecuting record numbers of alleged secret-spillers, the opposite is true when it comes to fighting cyber attacks on networks largely owned and operated by the private sector.
All of this was laid out in last February’s cybersecurity executive order, through which the White House is trying to dramatically increase the amount of network intelligence the government shares with businesses.
"It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities," reads the order.
Ozment said his shop is trying to carry out that order, "and declassifying information or creating unclassified versions of information is a key part of that."
"Let’s say we have a piece of information that we collected through intelligence that may be useful to protect a company. The goal would be to exert ourselves and say, ‘let’s identify another way we could have found this information that would not have been through intelligence’," Ozment added.
In other words, the government might share secrets — without telling anyone they’re secrets.
"In other cases it will be, ‘we found this through intelligence, but we think the threat is [so] significant we’d rather lose the source and protect our infrastructure,’" said Ozment. "That’s just a straight calculation."
Still, the government has work to do when it comes to quickly sharing information with the private sector. Companies routinely complain about supplying info to the government – and getting nothing back.
For a long time now there’s been a chorus of experts saying that over-classification prevents intelligence from reaching businesses in time for it to be useful against network attacks. More broadly, the heavy blanket of secrecy is thrown over so much information, these experts say, that it actually encourages the kind of massive leaks we’ve seen from Edward Snowden and Bradley Manning. The ridiculousness of the classification system encourages certain leakers to ignore it altogether.
Just last week, we reported that the Government Accountability Office is kicking off its first-ever investigation into over-classification on a variety of topics at the request of California Republican Rep. Duncan Hunter.
This flies in the face of conventional Intelligence Community wisdom — especially when it comes to cybersecurity. The traditional notion has been that the discovery of a software flaw should be kept secret so that the government can exploit it and deploy its own malware on enemy networks.
"Back in the pre-cyber world we had a pretty well worn rut in the road as to where that line [favoring offense over defense] is," former CIA and NSA director Michael Hayden told representatives from the electrical power industry in Washington on Aug. 6. "That line may now be in the wrong place."
Keeping security flaws secret from industry has resulted in tactical successes for U.S. government hackers, but these come at the cost of causing "a real strategic problem [in] that industry is not aware of vulnerabilities out there," said the former spymaster.
He echoed the sentiments of the White House that when it comes to cyber, the emphasis must be placed on defense, even if it means burning some ability to conduct offensive operations.
"I think the trend line right now is in the direction of more defense even if it has to be at the expense of offense," said "Right now, what we need to do with that trend line is accelerate it."
President Obama has been taking a lot of heat for backing off some of the NSA-focused secrecy reforms he championed as a Senator and presidential candidate. (These reforms included, among other things, requiring the executive branch to routinely tell Congress how many Americans’ communications information had been swept up by the government and limiting the amount of bulk electronic data the government could collect.) But in the area of cybersecurity, at least, his administration is talking a good game about fulfilling Obama’s earlier promises to open the government.