Washington’s attitude towards cybersecurity has drastically changed over the last 12 months.
In 2016, Capitol Hill’s understanding and framing of the issue evolved as major political organizations, businesses and prominent individuals were hurt by cybercrime. While the dust has yet to settle on a number of these events, we may all look back at 2016 as a watershed year for how D.C. approaches cybersecurity.
In June, the Washington Post reported that Russian hackers had breached the Democratic National Committee. Originally, it was believed that the hackers broke into the DNC to steal opposition research on now President-elect Donald Trump — a politician viewed favorably by Russian President Vladimir Putin. Two different Russian hacking groups, dubbed by security researchers as Cozy Bear and Fancy Bear, were able to access the DNC’s network for about a year before being kicked out by a private cybersecurity firm.
Shortly after the breach became news, a faceless hacker known as Guccifer 2.0 began publishing internal DNC communications to a blog post and using Twitter to engage with U.S. journalists. Guccifer would go on to share troves of leaked conversations between democratic operatives, including a cache of private emails between DNC chairwoman Debbie Wasserman Schultz and several staffers that showed favoritism towards then presidential candidate Hillary Clinton. The controversy surrounding the DNC damaged the Clinton campaign and eventually caused Schultz to resign.
Security researchers said that the brazen data breach carried forensic evidence suggesting that the perpetrators behind the attack wanted to be identified. Though the DNC and RNC have obvious political ties to Washington, the NSA and the Homeland Security Department do not provide direct protection to either organization.
A Political Mess
During a year in which digital defensive shortfalls were on full display, Congress dove into a lengthy debate about the ethics, values and challenges associated with commercial encryption. After a December 2015 terrorist attack in San Bernardino, Calif., left 14 people dead, law enforcement officials rushed to uncover communications held in one of the dead gunmans’ iPhone.
In February, the FBI announced it was not able to unlock the aforementioned iPhone because of the device’s security features, leading the Bureau to request assistance from Apple. The FBI asked Apple to create software that would undermine a passcode protection component. But the Cupertino, Calif.-based company refused and made it clear that would resist any order to do so in court. The FBI then contracted a private security firm to break into the target’s iPhone 5C; overstepping Apple and its argument that a backdoor was necessary in the process.
Meanwhile, lawmakers played their part in Washington on each side of the aisle, with some encouraging Apple’s resistance and others calling on the tech company to comply with the FBI’s investigation. Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., for example, introduced an anti-encryption bill titled the Compliance with Court Orders Act of 2016, which would require tech firms to decrypt customers’ data at a court’s request. But the legislation was met with immediate backlash and stalled out before it could ever get close to President Obama’s desk.
In the months that followed, a bipartisan working group led by Sen. Mark Warner, D-Va., gained praise from colleagues. The working group has met several times, offering a venue for lawmakers and technology experts to come together and discuss how policy can be crafted in a pragmatic and informed fashion.
FBI officials and several prominent Republican lawmakers are expected to reignite the debate around encryption in early 2017, as stockpiles of locked smartphones containing criminal evidence continue to grow in local police stations across the U.S.
Morale at the NSA
Three years removed from Edward Snowden’s escape to Russia, and the NSA finds itself at the center of a domestic economy hungry to hire its best technical talent; putting the spy agency in a precarious recruitment position.
A combination of low morale, competition from the private sector and negative press coverage has increasingly caused NSA hackers to leave public service in favor of industry, former NSA Director Keith Alexander said in early December.
The rate at which these cyber-tacticians are exiting public service has increased over the last several years and has gotten considerably worse over the last 12 months, multiple former NSA officials and D.C. area-based cybersecurity employers told CyberScoop. The concern held by some in the intelligence community is that this attrition will overwhelm ongoing recruitment efforts that are now beginning to hit stride.
The NSA’s structural reorganization plan known as NSA21 — an objective pioneered by Rogers — has also become a growing point of tension between different divisions within the secretive agency.