After the OPM hack: What’s a leader to do now?

Commentary: A former intelligence officer argues for bolder leadership, and suggests the steps he’d take in response to massive theft of federal employee data.

Several years ago, I was asked while on a panel to define the difference between leaders and managers. I said, “Managers watch things happen. Leaders make things happen.”

We certainly need effective leaders now to deal with the aftermath of the OPM data breach — or, what I like to call the “OPIE Leak” — arguably the most devastating data breach in our nation’s history.

So often we hear, “Take care of your people” or “Our people are our most important asset.” But for 22 million current, former and prospective federal employees impacted by the theft of Office of Personnel Management records, it’s crucial we have leaders who will step forward and define solutions for a cyber disaster that continues to grow in magnitude and scope.

If we do not act quickly, decisively and with the appropriate actions, we will perpetrate more harm than the original hackers imagined.



If I were leader of a federal department or agency — and as someone who devoted his career to supporting people in the intelligence community who were particularly hard hit by this data breach — I would be taking a number of steps immediately to try to address employees’ concerns.

What exactly can a leader do?

First, don’t act like a manager! Fight for your people. Fight to get them protected, and demand the Obama administration support the necessary authorization and appropriation acts to deliver the required help for your most valued resource.

One place I’d start is to get support for an idea we might borrow from a large defense contractor that just announced it will provide identity theft protection and insurance as an employee benefit.


Second, hold town halls and speak the truth about how the breach is affecting you and those you love. Ask your people for their feelings and ideas on how to deal with the issue. And most of all, follow up with people so they do not have to wonder if you are still leading. This is the way to really get out in front of the effects of the breach and an affirmative step to restore productivity.

Third, help your staff deal with the uncertainties and risks they now face. Bring in experts for brown bag lunch-and-learn sessions on how people can better protect themselves online and in personal transactions. Sponsor training sessions, webinars and online tutorials on techniques to assure stronger security protections. Employees and their families need a better understanding of how to use randomly generated login and password data to protect themselves.

And don’t forget that the single most important thing a leader can do each day is continue to infect those around them with a contagious enthusiasm for the mission. When you do this, you create focus and drive among those with whom you serve, and they will begin to be driven by the mission once again rather than personal concerns.

The people who serve the public are much more dedicated, professional and tolerant than most politicians would have you think. If there is ever a choice between the mission and anything else, there is no choice: It’s the mission. But those same professionals, when faced with a choice between personal safety, or more importantly, the safety of their children, and their job … well you get the point.

What intelligence agencies can do


Here’s what else I would do if I were in charge of a security or intelligence organization that must respond to people affected by this crisis — and also try to protect the integrity and viability of the organization.

I’d create a team of the best experts I could find in counterintelligence, cyberthreats and security, and personnel security and protection. I’d have the team develop a plan of action and a set of standard procedures for reporting and dealing with phishing and other types of cyber probing attacks on my people. I’d also move sensitive data off of unclassified networks in order to protect that data and the mission capability of my agency.

Additionally, I would ask for peer review of the process by the employees in a gathering where I would learn from the dissenters and those who think the process was not unbiased.

I’d also tap technologies available today that will allow the imbedding of a chip set within a computer that will prevent exfiltration of data and/or communication of an agency computer with a computer or device that is not equipped with the like chip set. Such hardware solutions are one aspect of building a more protected and fluid environment for people to do their jobs.

In addition to hardware solutions, I would search for rapidly emerging technologies that provide the best available protection and use those capabilities even though they might not follow military-grade security DIACAP or RMF protocols.


The best way to defeat the enemy is to get out in front of the enemy. Frankly, today, the enemy is at least a step or two ahead of us and as long as we continue to use the same old methods and processes, they will continue to dominate us in the cyberwar.

Just as we found after the 9/11 terrorist attack — that we needed to enhance physical security of our institutions and facilities — we need to wake up and aggressively rethink programs to give us the resources to mount the type of cyberthreat analysis, cybersecurity and cyber defense that will provide us the security and protection we need. This may be the toughest of all things for leaders of these agencies to accomplish.

Challenges to leadership

All organizations, be they private or public, tend to have inertia that drives them to do things the same old way. It takes true leadership ability to persuade subordinate leaders to give up resources to create the necessary resource center to deal with these new and rapidly emerging issues.

I remember a case where all of the strategic leaders of several national security organizations got together and voted to take a specific set of resources from each of the organizations and pool them to address critical needs. They created a task group to study the most effective ways to accomplish the new direction and mission requirements.


Unfortunately, the leaders of the task group were from the two agencies that were taxed for the largest sums of money. The group convened teams of experts to look at the most efficient and effective providers in their community. But the ones identified weren’t those represented by the task group leaders. The reports were dismissed and the result was that the two organizations that “donated” the most were identified as the best to get the money and to go forward with the new program.

This happens more often than one would like to think in government. The imperative for leaders in government must always be to do what is best for the American people and our nation as a whole. When this is perverted by justifications for why we should just keep doing it the same old way, we are going against our oath of office and the result is government organizations that run amuck, or fail to provide the services they were formed to provide in the most effective way.

So lead, don’t manage. If you do, you will drive the change needed and benefit the American people and those with whom you serve. Do not give in to political pressure and politically correct rhetoric to address the problem. Demand innovation and resources to test and use newly created technologies, whether they use the old or new methods. It is far more important that the hardware or software be capable of accomplishing the task than how it accomplishes the task. Search for the resources internally and ask Congress to reprogram. There is no new pile of hidden money somewhere. Every dollar spent on cyber must come from somewhere else. If you let your staff convince you that the cyber task is too hard, or that the resources are not there, then you are not leading.

The essence of leadership is making the hard decisions and then influencing, persuading, and causing action, which accomplishes the necessary result.

Richard A. Russell is a former senior national intelligence service executive who served in national security positions for more than 36 years before retiring in January 2015.
