Not for all the locks on doors

The WSJ reports that "computer spies", probably from China, have stolen terrabytes of data from the F-35 project. They exploited vulnerabilities in a contractor's system to siphon out data, which they encrypted before putting it on the wire, so that it may still be unknown exactly what was stolen. However, sources believed that the really important system details had escaped compromise, on the basis of the isolation of the data from the stolen information. The intrusions were first detected in 2007 and continued into 2008.

Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks. Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.

The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together. The revelations follow a recent Wall Street Journal report that computers used to control the U.S. electrical-distribution system, as well as other infrastructure, have also been infiltrated by spies abroad. ...

Former U.S. officials say the attacks appear to have originated in China. However it can be extremely difficult to determine the true origin because it is easy to mask identities online. A Pentagon report issued last month said that the Chinese military has made "steady progress" in developing online-warfare techniques. China hopes its computer skills can help it compensate for an underdeveloped military, the report said.

If the WSJ article is accurate, then the compromise of the F-35 data probably represents only a small sample of the true damage. Barack Obama pledged to make cybersecurity a large part of his defense plan. Mother Jones Steve Aquino wrote that the new cybersecurity czar would have vast powers to set standards, view private data and even be able to shut down parts of the Internet.

On Wednesday they introduced a bill to establish the Office of the National Cybersecurity Advisor—an arm of the executive branch that would have vast power to monitor and control Internet traffic to protect against threats to critical cyber infrastructure. That broad power is rattling some civil libertarians. The Cybersecurity Act of 2009 (PDF) gives the president the ability to “declare a cybersecurity emergency” and shut down or limit Internet traffic in any “critical” information network “in the interest of national security.” The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president.

The bill does not only add to the power of the president. It also grants the Secretary of Commerce “access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.” This means he or she can monitor or access any data on private or public networks without regard to privacy laws.

I commented that one problem with giving the keys to unlock America's information stores to a single government agency in order to defend them was the danger that the cybersecurity czar's system itself might be hacked. In that case, the vast powers delegated to Obama's cyberczar -- or his contractors -- could be wielded by those "computer spies". In late 1941, the commanders at Pearl Harbor, fearing Japanese sabotage, defended the island's aircraft by parking them wingtip to wingtip in the middle of the runway where they could be put under guard. That didn't work out too well. The bureaucrats dream of the day when all health care data can be stored securely under their care. While I recognize the transformational benefits of managing patient health care histories, I also fear the magic day for the reasons already given.

NextGov says that one of those who will be standing guard will be none other than Richard Clarke, who joins other experienced bureaucrats on the defensive team. These individuals may be competent and well-meaning, but in a system with as many moving parts and constraints as the government, the whole is sometimes less than the sum of the parts.

Among those advising Obama on security is Richard Clarke, former counterterrorism czar in the Clinton and Bush administrations. He and others have publically criticized the White House for not making cybersecurity a priority, and for limiting the amount of authority the position has had over governmentwide cybersecurity policy.

The top cybersecurity position in government has risen in stature in the Bush administration, albeit slowly. Gregory Garcia, assistant secretary of cybersecurity and telecommunications, reports to Robert Jamison, undersecretary for the National Protection and Programs Directorate. Jamison reports to Homeland Security Secretary Michael Chertoff, who reports to President Bush. Three steps away from the president.

The cybertheft game between China and the United States will always remain asymmetrical for as long as the US has more secrets to steal than China. I certainly hope that our cyberguardians had the wit to poison the data when it was being siphoned off. My only fear is that the fear of legal liability may have prevented them from messing with their own data even as it was stolen by the Chinese. In our modern, politically correct world, nothing is too absurd to be true.