Major cyberattack on US 'inevitable,' experts tell Congress

A panel of cybersecurity professionals warned lawmakers that voluntary guidelines for securing the nation’s critical infrastructure have not worked and that Congress must pass strong cybersecurity legislation that sets basic security standards in order to avoid a damaging cyberattack.

“If we don’t do that this year, an attack is inevitable,” James Lewis, a senior fellow at the Center for Strategic and International Studies, told the House Homeland Security Committee's Oversight, Investigations and Management Subcommittee during the April 24 hearing.

Rep. Michael McCaul (R-Texas), the subcommittee's chairman, called the hearing in advance of scheduled debate and votes later this week on three cybersecurity bills introduced by Republican legislators.

Democrats on the subcommittee criticized the bills as dangerously broad and ineffective because they encourage sharing of information between government and industry without privacy safeguards, do not require security standards for privately owned networks, and undermine the role of the Homeland Security Department in protecting critical infrastructure.

The panel of government, former government, academic and private-sector professionals told the subcommittee that America is at risk of losing its technological leadership and economic competitiveness and that national security is being jeopardized by an onslaught of online espionage and theft. Despite the urgency, however, Lewis was not optimistic about the chances for passing strong legislation.

“If I have learned anything this year, it is that you shouldn’t try to move major legislation in an election year,” he said.

Shawn Henry, who until this month was executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said that networks are not defensible and that operators need to assume that they have or will be compromised.

“The threat has reached the point that a determined adversary will access any system that is directly accessible from the network,” said Henry, who now is president of CrowdStrike Services, a cybersecurity intelligence start-up. “They will keep coming until they come in.”

He called the drumbeat of cyber crime reports that have been made public “the tip of the iceberg” and said that the real threat lies “below the waterline” in the classified arena. “The public sees the tip,” he said. “I have seen below the waterline.” He said that nation-states are gathering data on our next generation of weapons and are developing capabilities to counter them.

Stephen Flynn, founding co-director of Northeastern University’s George J. Kostas Research Institute for Homeland Security, criticized the government for working too much “below the surface” and said greater candor was needed in dealing with cyber threats. “Err on the side of openness,” he advised.

McCaul identified China and Russia as our most aggressive cyber adversaries, accusing both of military and industrial espionage. But Lewis said they are not the greatest threat.

“I don’t worry about China and Russia,” he said. “They aren’t going to start a war just for fun. I don’t know if we can say that for Iran and North Korea.” Both of those nations are working to achieve a cyber war capability, Lewis said, and reconnaissance and attack tools are becoming more powerful and being commoditized by criminals and hackers, lowering the bar for countries that would like to enter the fray. “The greatest threat to cybersecurity in the United States is complacency.”

Although witnesses and lawmakers alike agreed on the urgency of the cyber threat and the need for action, there remained divisions on what action to take. Previous panels of private-sector executives have warned legislators that industry needs to be left free of regulations in order to innovate and adapt to changing threat landscapes. But this panel took a different tack.

“At the end of the day, purely voluntary approaches will not get us where we need to be,” Flynn said.

“We know what to do to solve the problem,” said McAfee Chief Technology Officer Stuart McClure. “It’s a matter of getting people to do it.”

A Republican task force on cybersecurity legislation last year recommended that Congress take a non-regulatory, piecemeal approach to cybersecurity rather than considering comprehensive legislation that would empower DHS to establish security requirements for privately owned infrastructure. The House is scheduled to vote April 26 on three of the bills resulting from the task force:

  • HR 4257, sponsored by Oversight and Government Reform Subcommittee Chairman Rep. Darrell Issa (R-Calif.), which would update a 2002 law governing the defenses of federal networks.
  • HR 2096, sponsored by McCaul (R-Texas), to boost research and development for cybersecurity, focusing on defenses against threats.
  • HR 3834, sponsored by Rep. Ralph Hall (R-Texas), to boost research and development on cybersecurity, focusing on general IT.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Apr 27, 2012

Play offense, the first sign of a cyber threat, take it out. I am far less concerned about who the enemy is, as opposed to what types of tools are going to be used to wage this war.

Wed, Apr 25, 2012 Optional

"A Republican task force .. recommended ... a non-regulatory, *piecemeal approach* to cybersecurity rather than ... comprehensive legislation that would empower DHS to establish security requirements for privately owned infrastructure." Oh, THAT doesn't sound biased or anything. I'm sorry, I must have gone to the Op-Ed page instead of a news article.

Wed, Apr 25, 2012

The FIPS 199 and 200 are standards. Currently the NIST 800-53 controls are guidelines with impact recommendations. Controls are applied to systems based on a risk assessment which includes the organization's current environment and mission priorities. HR 4257 refers to 40 USC 11331, which appears to make compulsory and binding the control recommendations despite what a risk assessment or mission would require. This would make a screen saver a required control in an air control tower, even though it would be hazardous to human life.

Wed, Apr 25, 2012

How many times does this need to be repeated? Take National Security and major infrastructure/financial comms off the public IP universe already. Never should have been on there in the first place. Hard to exploit through an air gap.

Wed, Apr 25, 2012 SoutheastUS

Perhaps Congress should put its money where its mouth is. Channel 1% of both the Defense Department's budget and Homeland Security's budget into open-source cybersecurity tools that would be available to everyone. If the software is free, more people and businesses (especially SMBs) would adopt it, providing the open-source developers make it easy enough to implement and administer. Alternatively, "the best defense is a good offence" would indicate the NSA and CIA should be actively attacking and "virtually" dismantling the sources of these cyberattacks and botnets using the best "white hat" hackers available.