Questions persist for national cyber strategy
- By Karen Epper Hoffman
- Mar 17, 2017
At last month’s RSA conference, government officials, contractors and public- and private-sector experts alike offered their insights on everything from hackers' attempts to influence the presidential election to the need for more stringent cybersecurity policies or even a “digital Geneva Convention” to rein in rogue nation-states and the hackers they support. But many fundamental questions remain.
“We need to consider what is our strategy for addressing terrorist behavior and how we are able to deter our enemies in cyberspace,” said Daniel Lerner, professional staff member for the U.S. Senate Committee on Armed Services, during a panel discussion on oversight in the wake of Russian hacking. “But first, we must understand the key cornerstones, starting from the executive branch and what other authorities have provided to the government.”
Fellow panelist Michael Bahar, staff director and general counsel at House of Representatives and a member of the Permanent Select Committee on Intelligence, said that the U.S. government must use both “the carrot and the stick” to deal with domestic and foreign cybersecurity threats. “It’s a lot like public health,” Bahar said. “There’s a lot that you can do… but it is about determining what is the reasonable level of care here?”
Brendan Shields, staff director for the House Committee on Homeland Security, said that the U.S. government’s liability to attack from outside the United States is a “big focus” right now, in light of the apparent hacking of the Democratic National Committee last fall.
The panelists pointed out, however, that often the first hurdle is just designating which agency (or committee, or group of agencies or committees) is ultimately responsible for determining whether attacks have taken place, who is to blame, and how the matter should be handled. “Jurisdictional problems are not just a matter of dysfunction,” Lerner said. “The perspectives [of these groups] are all different. A lot of these jurisdictional issues need to be worked out for good reasons… A lot of the time these issues are proxies for getting all the stakeholders together.”
Indeed, nefarious nation-states, terrorist groups and cybercrime rings are already exploiting the gaps that exist when cybersecurity issues fall between the cracks of military and governmental oversight, according to Lerner. Lerner, Shields and Bahar all referenced various recent cyber-attacks on the U.S. financial industry, top private sector companies such as Sony, and U.S. government agencies, and how these breaches are becoming more damaging and public.
“This is not only about offense, but defense as well,” Bahar said. “The Russia attacks have not been sophisticated. They used spearphishing. Why were [these attacks] so effective? Why are we still so susceptible to these misinformation campaigns?”
John Carlin, partner at law firm Morrison Foerster and a former assistant attorney general for the Department of Justice National Security Division, said many lessons have been learned from the recent DNC hack, including the need to focus more on technology. “There is absolutely no security product that will go far and deep enough to keep out an adversary absolutely,” he said. “Russia did not need to go that deep into their playbook to break in.”
Karen Epper Hoffman is a freelance writer based in the Seattle area.