The Complex

Even the White House Thinks This Secrecy Thing Is Out Of Control

The White House is promising to find new ways to declassify cybersecurity secrets -- even as the Obama administration continues to go after leakers with a vengeance.

"There is absolutely a shift toward doing that and we're working quite hard at that," said Andy Ozment, senior director for cybersecurity at the White House told Killer Apps today. "We have to change our culture and accept more risk to our [cyber intelligence] information in order to share it more aggressively."

While the administration has made a seemingly aggressive push for secrecy, prosecuting record numbers of alleged secret-spillers, the opposite is true when it comes to fighting cyber attacks on networks largely owned and operated by the private sector.

All of this was laid out in last February's cybersecurity executive order through which the White House is trying to dramatically increase the amount of network intelligence government shares with businesses.

"It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities," reads the order.

Ozment said his shop is trying to carry out that order, "and declassifying information or creating unclassified versions of information is a key part of that."

"Let's say we have a piece of information that we collected through intelligence that may be useful to protect a company. The goal would be to exert ourselves and say, ‘let's identify another way we could have found this information that would not have been through intelligence'," Ozment added.

In other words, the government might share secrets -- without telling anyone they're secrets.

"In other cases it will be, ‘we found this through intelligence, but we think the threat is [so] significant we'd rather lose the source and protect our infrastructure,'" said Ozment. "That's just a straight calculation."

Still, the government has work to do when it comes to quickly sharing information with the private sector. Companies routinely complain about supplying info to the government - and getting nothing back.

For a long time now there's been a chorus of experts saying that over-classification prevents intelligence from reaching businesses in time for it to be useful against network attacks. More broadly, the heavy blanket of secrecy is thrown over so much information, these experts say, that it actually encourages the kind of massive leaks we've seen from Edward Snowden and Bradley Manning. The ridiculousness of the classification system encourages certain leakers to ignore it altogether.

Just last week, we reported that the Government Accountability Office is kicking off its first-ever investigation into over-classification on a variety of topics at the request of California Republican Rep. Duncan Hunter.

This flies in the face of conventional Intelligence Community wisdom -- especially when it comes to cybersecurity. The traditional notion has been that the discovery of a software flaw should be kept secret so that the government can exploit it and deploy its own malware on enemy networks.

"Back in the pre-cyber world we had a pretty well worn rut in the road as to where that line [favoring offense over defense] is," former CIA and NSA director Michael Hayden told representatives from the electrical power industry in Washington on Aug. 6. "That line may now be in the wrong place."

Keeping security flaws secret from industry has resulted in tactical successes for U.S. government hackers but these come at the cost of causing "a real strategic problem [in] that industry is not aware of vulnerabilities out there," said the former spymaster.

He echoed the sentiments of the White House that when it comes to cyber, the emphasis must be placed on defense, even if it means burning some ability to conduct offensive operations.

"I think the trend line right now is in the direction of more defense even if it has to be at the expense of offense," said "Right now, what we need to do with that trend line is accelerate it."

President Obama has been taking a lot of heat for backing off some of the NSA-focused secrecy reforms he championed as a Senator and presidential candidate. (These reforms included, among other things, requiring the executive branch to routinely tell Congress how many Americans' communications information had been swept up by the government and limiting the amount of bulk electronic data the government could collect) But in the area of cybersecurity, at least, his administration is at least talking a good game about fulfilling Obama's earlier promises to open the government.

Getty Images

National Security

Of Course Hacktivists Will Respond if Snowden is Ever Caught

If Edward Snowden magically disappears from Russia and reappears in an American prison, the U.S. could face reprisals from hacktivists around the globe, America's former spy chief speculated Tuesday morning.

"If, and when, our government grabs Edward Snowden and brings him back her to the United States for trial, what does this group do?" asked ex CIA and NSA director Michael Hayden rhetorically about groups such as Anonymous during an Aug. 6 speech in Washington. "They may not go after the U.S. government because frankly, the dot mil stuff is one of the hardest targets in the United States. If they can't go after dot mil, who are they going after? Who, for them, are the [digital] World Trade Centers?"

That's right. The former head of the CIA just compared Anonymous - a group best-known for defacing some websites - to the world's most notorious terrorists. And that's not the only insult he hurled. Hayden also labeled such groups as "nihilists, anarchists, activists, Lulzsec, Anonymous, twentysomethings who haven't talked to the opposite sex in five or six years."

Hayden was speaking to a group of representatives from the electrical power industry, a business sector many have warned is too vulnerable to a catastrophic cyber attack. 

He admitted that his comments are "purely speculative" but pointed out that Snowden has large backings around the globe among the hacker community.

"Certainly, Mr. Snowden has created quite a stir among those folks who are committed to transparency and global transparency and the global web ungoverned and free," said Hayden. "I don't know that there's a logic behind trying to punish America or American institutions for his arrest, but I hold open the possibility."

Now, positing that some information-freedom-loving collective will retaliate if Edward Snowden is snatched by the CIA is stating the obvious.

Anonymous and the affiliated group LulzSec have defaced or taken down plenty of websites and released private information on thousands of people in the past as retaliation for the U.S. government's treatment of Bradley Manning, the Army Private convicted of leaking mountains of classified government documents to Wikileaks. (Their most serious attacks -- on the databases of AT&T and the Arizona Department of Public Safety -- were done while one of their leaders was secretly serving as an FBI informant.)

Still, it's incredibly unlikely that hacktivist groups would execute lethal cyber attacks roughly equivalent to the digital 9/11 that Hayden referred to.

While the high-end hacking ability of non-state actors is growing every day -- made easier by the black market in digital weapons -- it's worth pointing out that a truly devastating cyber attack on the U.S. would probably backfire against the group that did it.

If American institutions do face reprisals, they're likely to be more of an inconvenience -- albeit a possibly costly one in terms of dollars -- rather than a catastrophe. Think websites being defaced and taken offline or personal information leaked; not the energy grid going down for weeks or trains flying off the tracks. That's the stuff groups like al Qaeda or rogue nations are interested in. Call me old fashioned, but the information freedom hacking groups I'm familiar with may love causing chaos and breaking laws in the name of vigilante justice, but they don't seem too interested in killing lots of people.

Wikimedia Commons