After the long New Years weekend, 2021 started off with a typical consultation schedule, working from my home in Great Falls, Virginia during the covid-19 pandemic. I was four Zoom, two Face Time, and three MS Teams meetings into the work week on Monday, and it was approaching 6:00 PM when I had my final remote encounter, this time over WebEx – a consultation with Dr. A. Harry Priapus MS, PhD, BYOB, Director, Penetration Division, at the Cybersecurity and Infrastructure Security Agency. I will give him credit – for a person in his position, he maintained his composure pretty well at first, calmly discussing the technical ramifications and policy implications of recent adverse events in the disciplines of US government classified software and information systems infrastructure security. For nearly fifteen minutes, he calmly posed insightful, prudent, informed and thoughtful questions pertaining to the SolarWinds Network Performance Monitor, the Orion Java EE Application Server, FireEye, and the documented espionage capabilities of the Russian SVR for our mutual discussion.
Then, frankly, the poor man had a nervous breakdown, right there in the little secured private DISA VPN Web browser window on my home workstation desktop. I guess it was a good thing he was at home where none of his colleagues could observe him, because it was a truly piteous sight. There’s something, I suppose, about having a stay-at-home wife with a serious shopping habit, two kids in private prep school academies with extra-curricular dressage, ballet and yachting lessons, a country club membership, monthly payments on a BMW, a Mercedes and a Porsche Cayenne, a $1,200,000 mortgage on a house in Reston, and a high-end Senior Executive Service salary that renders a man particularly vulnerable to little glitches at work, such as potentially being held responsible for the most horrendous hack of federal software in the history of computing. Seriously, I hate to watch people like that suddenly decompose into sniveling, sobbing heaps of fearful remorse and solipsistic recrimination when Washington, DC has finally chewed them up and spit them out into the rancid, reeking cesspool of bureaucratic failure. And this is what it sounded like after he was able to regain his composure to an extent that would allow him to produce and comprehend coherent speech, and I was able to save him from accessing his vintage handgun collection and blowing his brains out with a firearm of appropriate historical signficance:
Harry: Tom, I’m ruined! Do you understand? I’m totally [expletive] ruined!
Tom: Well, now, let’s not jump to conclusions here. What makes you say that?
Harry: Don’t you see? When the biggest hack in the history of federal computing happens, there are going to be investigations, and lots of them! They’re searching for someone to pin it on, Tom! Heads are going to roll! It’s inevitable! And let’s not beat around the bush – as the Director of the Penetration Division, I’m the tip of the spear! I’m the head of the battering ram! I’m the point of the arrow! I’m…
Tom: Appropriately named for the job, certainly. Have you considered retaining the services of a Freudian psychoanalyst?
Harry: I already have one. He says my Id is displacing my Superego’s reaction formation, causing my wife to regress to her latency stage and giving my son an Oedipus complex.
Tom: And what’s your plan to deal with all that?
Harry: Well, I was thinking about switching to a Jungian, actually. Look, Tom, if this mess were really my fault, I’d be willing to stand up straight and stiff and plunge in like a man, believe me! But it’s not!
Tom: Not your fault? What makes you say that?
Harry: Because I told everyone I could about the GAO report!
Tom: You mean, GAO 18-520T?
Harry: Hell, yes! Actually, I was even telling them about the problems with EINSTEIN way back before GAO 16-294 came out. But nobody would listen.
Tom: And the problem was?
Harry: Oh, come on, Tom! You know as well as I do! EINSTEIN serves two key roles in Federal Civilian Executive Branch cybersecurity. First, EINSTEIN detects and blocks cyberattacks from compromising federal agencies. Second, EINSTEIN provides CISA with the situational awareness to use threat information detected in one agency to protect the rest of the government and the private sector.
Tom: Okay, can you honestly tell me that you genuinely understood what you were warning everyone about?
Harry: Of course I did!
Tom: Well, you know the old engineering proverb – if you can’t explain a technical concept to the man in the street, you don’t really understand it yourself. So suppose you were confronted with Joe and Jane Sixpack from Peoria, Illinois, taking selfies down on the Mall in front of the Washington Monument and the President of the United States ordered you to explain EINSTEIN to them – what would you say?
Harry: Okay… um… I’d say that, well… it’s like this: the federal government’s civilian computing capability – the hardware and the software, is like a big, secure federal facility, like, um… the Pentagon, or an ICBM launch site, or… um… Area 51… yeah, that’s it.. with virtual fences and virtual gates and virtual Humvees full of security guards patrolling the perimeter, and that whole virtual thing is a computer system called EINSTEIN. The first phase of EINSTEIN, known as EINSTEIN 1 or E1, is like a camera at the entrance of that secure facility. It records cars entering and leaving and identifies unusual changes in the number of cars. EINSTEIN 2, or E2, adds the ability to detect suspicious cars based upon a watch list. E2 does not stop the cars, but it sets off an alarm. So to summarize, E1 and E2 detect potential cyberattacks before they can enter the facility. The latest phase of the program, known as EINSTEIN 3 Accelerated, or E3A, is kind of like a guard post at the highway that leads to the facility. E3A uses classified information to look at the cars and compare them with a watch list; then I’d tell them that using classified information allows E3A to detect the most significant cybersecurity threats, and so that means E3A can actively block the most dangerous, prohibited cars from entering the facility.
Tom: And would you also tell Joe and Jane that EINSTEIN didn’t pay any attention to the regularly scheduled FedEx, DHL US Postal Service and UPS delivery trucks going in and out of the facility?
Harry: Delivery trucks? What are you talking about?
Tom: Well, using that vehicular analogy you would employ to explain EINSTEIN to a couple of rube tourists on the Mall, those delivery trucks would be the regularly scheduled program patches and code base updates sent from the vendors who provide the products that comprise your network software infrastructure and…
Harry: Oh, Jesus Christ, Tom! Right! And that’s how the Russians got into the federal information networks – with trojan horse malware hidden in regularly scheduled software updates delivered from SolarWinds! Okay, okay, I get the [expletive] point!
Tom: EINSTEIN spent all its time scrutinizing one part of the traffic into and out of federal software, but totally ignored another. Once the Russians realized that…
Harry: Yes, yes, I know! They looked around for a suitably careless vendor of some sort of ubiquitous networking tool…
Tom: Like SolarWinds.
Harry: Yeah, and then they compromised its development and maintenance release administrator account passwords with some clever social engineering.
Tom: Which subsequently allowed the SVR to tuck all kinds of spiffy spyware into SolarWinds patches and updates, deposited everywhere like little package bombs stacked neatly in the back of those metaphorical delivery trucks – a wriggling, voracious infestation of software worms right in the heart of the federal network infrastructure. And from there, the spyware infestation spread, as it was designed to do, from the heart throughout the entire metaphorical federal networking circulatory system, considerably aided by the fact that a lot of federal IT employees were so dumb, ignorant and lazy, they never bothered to change the SolarWinds manufacturer’s default password on their own agency systems from “SolarWinds123” to anything else.
Harry: Oh, [expletive] it, Tom! What do you expect from a bunch of GS-12’s who learned network administration in some online course they heard about from a late night TV commercial sandwiched in with a bunch of others for training courses to become semi-trailer truck drivers, plumbers and diesel mechanics?
Tom: And the GS-14’s who oversee them?
Harry: You know as well as I do, Tom, they’re a bunch of dizzy Desis with CS diplomas from the University of Belliphlop, Asians who just got off the plane last year with ten grand for immigration lawyers fees and Eastern European expat code geeks who are as likely to be working for the SVR as for us!
Tom: And you’re saying you tried to warn everybody about them?
Harry: Uh… no. Not about them. Doing so would have been pointless. Also, it might have gotten me fired, since they’re all in the Civil Service and run to their union rep crying like two-year olds in a tantrum if you so much as look at them cross eyed, much less criticize their security designs and configurations, or, God forbid, dare question the implementations of their policy compliance procedures. Besides, IT staff like that have infected the work force at every agency of the federal government. It’s been like that for… years… going on a couple of decades by now. Get enough high-school dropouts who learned some Java and HTML and think that means they’re geniuses, combine that with enough nattering, back-stabbing, nepotistic Desis, season liberally with guys from Petrograd, Bucharest, Sarajevo, Beijing and Shanghai, and and guess what happens to your agency’s IT shop? All the competent native-born white Americans with college degrees and graduate diplomas and PhDs say [expletive] this [expletive] and quit to go work in private industry. And consequently, what’s left is your civilian US government cyber workforce.
Tom: And, of course, neither you, nor any of the other highly paid, so-called cybersecurity experts managing all those federal IT programs ever noticed that gaping hole in the EINSTEIN design, did you?
Harry: Oh, [expletive], Tom! I’ve talked myself blue in the face about not becoming complacent just because we have EINSTEIN! I’ve said, over and over again, EINSTEIN is no silver bullet, okay? I’ve lost track of how many speeches and presentations I’ve made to top federal officials, telling them, time after time, that security can’t be achieved through only one type of tool. That’s why we need defense-in-depth, which means using multiple tools in combination to manage the risks of cyberattacks. Yeah, sure, EINSTEIN provides perimeter defense for FCEB agencies. But it was never capable of blocking every cyberattack, and I never said it was, either! Ever since I got this job, I’ve been saying EINSTEIN needs help! It needs other tools to interface with. We need other systems inside agency networks, Tom, other programs and processes! We need stuff like Continuous Diagnostics and Mitigation, Security Best Practices Programs and Multi-factor Identification capabilities!
Tom: How about federal IT workforce security training?
Harry: Didn’t you hear what I just said about the federal IT workforce?
Tom: Um… yes. Point taken. But – leaving aside the obvious drawbacks inherent in offering training to a bunch of people who have plenty of reasons not to pay attention to it, I suppose you’re saying that if we had those extra goodies like CDM and MFI, the SVR wouldn’t have handed the United States of America its cybernetic ass on a platter?
Harry: Well… probably not the whole [expletive] thing, Tom! Not the entire [expletive] thing!
Tom: Just a few slices, huh?
Harry: Yeah, like what we handed the Iranians with Stuxnet. A nice big slice of their ass – not the whole [expletive] thing.
Tom: Because if we had handed the Iranians their entire ass, there would have been a war.
Harry: Damn right there would have been a war!
Tom: But there’s not going to be any war with Russia, no matter how much damage they do, no matter how much humiliation they make the federal government endure, no matter how ridiculous they make America look.
Harry: Right. Because they have atomic weapons and could blow up the [expletive] world. So the US just has to take it. Which is why there are going to be a bunch of investigations with hopping mad politicians looking for some scapegoats – like me!
Tom: So how come EINSTEIN didn’t get that help you’ve been yelping for since you got the job?
Harry: What? You want a list? Shall I recite a list of reasons why the Russians made the entire US civilian federal IT organization look like a bunch of ignorant, bumbling, incompetent, amateurish bozos?
Tom: I don’t know – do we have time for it?
Harry: Probably not for all of it, but I can guarantee you, right behind those lazy, worthless, egotistical nincompoops who work for me, I’d say it’s the morons I work with and the imbeciles they work for, and those idiot political appointees that [expletive] [expletive] [expletive] Donald Trump put in charge at the top.
Tom: Sounds plausible.
Harry: And the fact that Trump has a huge blind spot where Russia in general and Vladimir Putin in particular are concerned. He still denies the Russians even did anything, after we found out they’ve been hacking us for years!
Tom: So they have – and Trump definitely maintains that Russia did nothing of the sort. Big blind spot there. Makes you wonder what they’ve got on him.
Harry: Well, whatever it is, it won’t matter. Trump will just pardon himself for the illegal parts and deny the rest.
Tom: Assuming he leaves office on January twentieth and doesn’t try to pull off an armed takeover using martial law as an excuse after his last-ditch effort to overthrow the 2020 election by perverting the Constitutional approval process for ratification of the Electoral College results fails.
Harry: Oh, sure, assuming that. If not, all bets are off anyhow, and nobody’s going be giving flying [expletive] about the Russians taking charge of all our computers, too. I mean, what’s spitting in the [expletive] ocean, right?
Tom: Right. So what would be next on this huge, long list of yours?
Harry: Oh, yeah, well… then there are the greedy, mendacious IT contractors who submit bids and proposals featuring resumes of guys with eighteen years of education, multiple professional certifications and twenty years of experience and then pull a bait-and-switch after they win the work, sending in their own gaggle of high school drop outs and H-1B visa slaves – and charge the government the same [expletive] labor category rates as the guys whose resumes won the contract, while paying the substitutes wages that would embarrass an Indonesian factory worker – and keeping the difference for themselves!
Tom: Gee, Harry, tell me how you really feel, why don’t you?
Harry: I am! Then there’s the dimwits in Congress who have spent the last forty years playing partisan politics instead of passing legislation that provided adequate funding for IT security, even as the use of IT solutions spread exponentially all over the federal sector!
Tom: Hmm… and how did those lamebrained nimrods in Congress get there?
Harry: Yeah, yeah, sure – next on the list has got to be the birdbrained, numskull, nitwitted cretins who elected them!
Tom: The public, the voters… folks like the two bumpkins from Peoria you were theoretically explaining EINSTEIN to, correct?
Harry: I… well, okay, I guess so.
Tom: I would note at this point, that in a democracy, by definition, the people get exactly the government they deserve.
Harry: So you’re saying, if Americans feel humiliated, stupid, insecure and fearful because the Russians have sneaked in and taken over every civilian federal computer network the United States has, it’s their own damn fault?
Tom: Ultimately, yes, of course it is, although I’d have to give the ones who voted Republican for the last four decades about sixty percent of the credit. Which isn’t to say the Democrats haven’t done their fair share of screwing up federal IT since 1980. So – if somebody comes looking to lay all that at your doorstep, my advice would be to recite that list for them, right up to the point you did just now.
Harry: And if that doesn’t convince them?
Tom: Just keep going. There’s more than enough blame to go around here. I’m sure there are plenty of other simpletons, pinheads, dumbbells and dorks who contributed materially to this truly historic fiasco. For example, I notice you haven’t even gotten to the federal software vendors…
Harry: Oh, yeah, yeah! Total pinheaded, dumbbell dorks, for sure! And those mindless hardware vendors, and those knucklehead dopes in federal acquisitions, and…
Tom: Tell you what – how about you write down the entire list and send it to me in an email. Then I’ll review it and provide some suggestions to achieve optimal conceptual organization and presentation impact. Then you can memorize it and be ready to unload with both barrels on whoever dares point a finger at you for all the absurd lameness and shameful lack of competence, intelligence and integrity which permitted these revolting, inexcusable circumstances to arise.
Harry: Sounds good, Tom! Sounds real good! I’ll get right on it.
Tom: And I’ll start work the moment I see your email. No extra charge.
Harry: Okay, deal! Excellent! Bye now! Take care!
Tom: Sure, thanks. Goodbye.
So now, I’m keeping an eye on my Inbox, ready to do some serious technical editing of Dr. Priapus’ list. When I’m done, it will be pure rhetorical dynamite, I’m sure. And no doubt, all over Washington, other gentlemen and ladies who share his current dire situation are feverishly working on the responses that will, they hope, save their careers when the IT Reign of Terror begins. Because then, of course, as Robespierre noted, pity will be treason.