Reassessing our cyber security

The U.S. Government has reported 14 million federal employees' sensitive personal data was stolen in a cyber-hack: it marks one of the largest thefts of targeted personnel information; it was likely orchestrated by Chinese operators; and it is only the latest in a series of deep network intrusion into U.S. government networks in recent months - Russia compromised White House and State Department email systems in a campaign of cyberespionage.

The credibly attributed Chinese break-in to the U.S. Office of Personnel Management - the second major intrusion into OPM by China in less than a year - may hemorrhage up to 30 years' worth of personnel records to foreign entities. This information can later be used for targeted human intelligence collection or sophisticated 'spear-phishing” operations against U.S. Government computer networks. On Friday, Dan Payne, a senior counterintelligence official for the Director of National Intelligence shared this message with government workers: 'Some of you may think that you are not of interest because you don't have access to classified information,” he said. 'You are mistaken.” Painfully, this breach puts many hardworking federal employees at risk in their professional and personal lives.

The cyber assault on government networks is only the latest in an ongoing campaign by foreign adversaries to exploit U.S. interests. The impact of North Korea's cyberattack on Sony Corporation resulted in the loss of 25 million users' data and an estimated cost of recovery at $1.25 billion. America's critical infrastructure - our electric grids, water systems, transportation networks, command and control data - suffer a daily barrage of 6 million online probes looking to penetrate vulnerable networks, 80% of which are operated by private companies according to the Department of Homeland Security.

The challenge isn't just technology. OPM recently installed detection tools that discovered the agency's most recent breach in April. This provided the FBI with critical information on the timing and method of the ‘zero-day' exploit - an unknown network vulnerability - that led to the data loss. However, it took OPM until last week to report the hack, an unfortunate response when the White House calls on private companies to report breaches publicly in 30 days. Questions remain if other agencies and business were hit by similar intrusions after the cyber threat was identified?

To address this challenge, U.S. companies, government agencies and Americans must fundamentally reassess our response to threats in cyberspace. One security firm, SimSpace identifies preventive assessments, training and testing as a robust means for improved cyber defense - akin to first-responder training. 'In training US military cyber protection teams and corporate IT defenders one thing is immediately clear: cybersecurity is best enhanced by investing in people, process, and technology,” says William Hutchinson, SimSpace Founder and former US Cyber Command officer.

Ultimately, network operators from executives to front-line technicians must be prepared to do much more than monitor firewall dashboards and ensure patches are updated. Today's cyber responders must train and practice with their tools to actively know their networks, deploy real-time countermeasures to deter attackers and dynamically manage their computer systems to stop theft, promote network resiliency and ensure data integrity.

The new cyber threat landscape necessitates that organizations base their cybersecurity on the assumption that the adversary is already operating inside the network. As America's public and private enterprises work to serve our country and our national interests, it is vital that our best front-line - our people - are trained, informed, and prepared to take the steps needed to protect themselves and the nation from cyber threats.

' Rep. Zach Nunn (R-Bondurant) served as Director of Cybersecurity on the National Security Council, White House and as the lead cyber counterintelligence officer for the U.S. Intelligence Community from 2008-2013. Comments: zach@zachnunn.com