Without government mandates to secure critical infrastructure, a damaging cyberattack on the nation will happen, experts tell a House panel.
A panel of cybersecurity professionals warned lawmakers that voluntary guidelines for securing the nation’s critical infrastructure have not worked and that Congress must pass strong cybersecurity legislation that sets basic security standards in order to avoid a damaging cyberattack.
“If we don’t do that this year, an attack is inevitable,” James Lewis, a senior fellow at the Center for Strategic and International Studies, told the House Homeland Security Committee's Oversight, Investigations and Management Subcommittee during the April 24 hearing.
Rep. Michael McCaul (R-Texas), the subcommittee's chairman, called the hearing in advance of scheduled debate and votes later this week on three cybersecurity bills introduced by Republican legislators.
Democrats on the subcommittee criticized the bills as dangerously broad and ineffective because they encourage sharing of information between government and industry without privacy safeguards, do not require security standards for privately owned networks, and undermine the role of the Homeland Security Department in protecting critical infrastructure.
The panel of government, former government, academic and private-sector professionals told the subcommittee that America is at risk of losing its technological leadership and economic competitiveness and that national security is being jeopardized by an onslaught of online espionage and theft. Despite the urgency, however, Lewis was not optimistic about the chances for passing strong legislation.
“If I have learned anything this year, it is that you shouldn’t try to move major legislation in an election year,” he said.
Shawn Henry, who until this month was executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said that networks are not defensible and that operators need to assume that they have or will be compromised.
“The threat has reached the point that a determined adversary will access any system that is directly accessible from the network,” said Henry, who now is president of CrowdStrike Services, a cybersecurity intelligence start-up. “They will keep coming until they come in.”
He called the drumbeat of cyber crime reports that have been made public “the tip of the iceberg” and said that the real threat lies “below the waterline” in the classified arena. “The public sees the tip,” he said. “I have seen below the waterline.” He said that nation-states are gathering data on our next generation of weapons and are developing capabilities to counter them.
Stephen Flynn, founding co-director of Northeastern University’s George J. Kostas Research Institute for Homeland Security, criticized the government for working too much “below the surface” and said greater candor was needed in dealing with cyber threats. “Err on the side of openness,” he advised.
McCaul identified China and Russia as our most aggressive cyber adversaries, accusing both of military and industrial espionage. But Lewis said they are not the greatest threat.
“I don’t worry about China and Russia,” he said. “They aren’t going to start a war just for fun. I don’t know if we can say that for Iran and North Korea.” Both of those nations are working to achieve a cyber war capability, Lewis said, and reconnaissance and attack tools are becoming more powerful and being commoditized by criminals and hackers, lowering the bar for countries that would like to enter the fray. “The greatest threat to cybersecurity in the United States is complacency.”
Although witnesses and lawmakers alike agreed on the urgency of the cyber threat and the need for action, there remained divisions on what action to take. Previous panels of private-sector executives have warned legislators that industry needs to be left free of regulations in order to innovate and adapt to changing threat landscapes. But this panel took a different tack.
“At the end of the day, purely voluntary approaches will not get us where we need to be,” Flynn said.
“We know what to do to solve the problem,” said McAfee Chief Technology Officer Stuart McClure. “It’s a matter of getting people to do it.”
A Republican task force on cybersecurity legislation last year recommended that Congress take a non-regulatory, piecemeal approach to cybersecurity rather than considering comprehensive legislation that would empower DHS to establish security requirements for privately owned infrastructure. The House is scheduled to vote April 26 on three of the bills resulting from the task force:
- HR 4257, sponsored by Oversight and Government Reform Subcommittee Chairman Rep. Darrell Issa (R-Calif.), which would update a 2002 law governing the defenses of federal networks.
- HR 2096, sponsored by McCaul (R-Texas), to boost research and development for cybersecurity, focusing on defenses against threats.
- HR 3834, sponsored by Rep. Ralph Hall (R-Texas), to boost research and development on cybersecurity, focusing on general IT.