[BreachExchange] Lack of preparation tops the list of cybersecurity threats, senators say

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 19 19:32:40 EDT 2017


http://valleycentral.com/news/nation-world/senators-say-lack-of-preparation-tops-the-list-of-cybersecurity-threats

In the array of cybersecurity threats, from data theft to disinformation,
election hacking and attacks on critical infrastructure, lawmakers warned
that the most serious threat may be the government's lack of preparation.

Officials responsible for the nation's cybersecurity appeared before the
Senate Armed Services Committee on Thursday and delivered a clear message,
that while multiple agencies are working toward improving national security
in the information space, the United States is still not keeping pace with
the threat.

A senior cybersecurity official at the Department of Homeland Security,
Chris Krebs, warned that cybersecurity "is one of the most significant
strategic risks to the United States," yet when he was pressed to account
for the state of America's information security, he repeatedly said his
agency and others "have a lot of work to do."

The Pentagon official responsible for developing cyber policy and guidance,
Kenneth Rapuano, testified that the Department of Defense does not have
"sufficient depth and breadth of doctrine" to deter adversaries in the
cyber domain.

Sen. John McCain (R-Ariz.), chairman of the Armed Services Committee, lashed
out at both the Trump and Obama administrations for failing to produce a
plan to address one of the greatest national security threats facing the
country.

"To be clear, we are not succeeding," McCain stated. "We see no
coordination and no policy and no strategy."

Under the current structure, at least four agencies are responsible for
cybersecurity, including threats to critical infrastructure, protecting the
electrical grid, cyber warfare operations and incident response. Partly due
to the complexity of the mission, there is no single office or individual
in charge of the entire enterprise.

The highest level official is Rob Joyce, the White House cybersecurity
coordinator, a non-confirmed member of the National Security Council.

Joyce refused to appear publicly before the committee on Thursday, citing
executive privilege. Joyce may soon be subpoenaed by the committee after
Democrats and Republicans expressed frustration at the lack of cooperation
from the executive branch.

Before taking office, President Donald Trump said his administration would
prioritize cybersecurity and have a plan drafted within 90 days of taking
office. But it wasn't until May that Trump released an executive order
calling for a thorough review of the nation's cybersecurity posture and a
set of recommendations.

The executive order included a series of deadlines for reports to be
completed by agencies responsible for aspects of the cyber enterprise, but
the administration is again behind schedule.

"We have not seen a plan to move forward yet," said Sen. Mike Rounds
(R-S.D.), who is anxious to see the Trump administration produce a strategy.

"We [need to] look at where we actually want to fight our cyber fights in
the future," he said. "Do we want to fight them within our own systems or
do we want to be able to respond and stop the attacks before they get into
our system? And that requires a long-term strategic policy."

To date, the federal government has been slow to implement a cybersecurity
strategy, which officials say is a work in progress and in need of
improvement. In the meantime, adversaries are innovating new, low-cost ways
to hold U.S. interests at risk.

"We are trying to defeat a 21st-century threat with the organizations and
processes of the last century," McCain said. "And we are failing."

Despite having the largest and arguably the most capable military on the
planet, Sen. Angus King (I-Maine) worries that the United States has yet to
effectively deter cyber attacks from nation-states or non-state actors.

"It's warfare on the cheap," King said.

From North Korea, Iran, Russia, and China to terrorist organizations and
criminals, adversaries are becoming increasingly sophisticated in the
information space, according to an assessment from the Office of the
Director of National Intelligence.

The nation-states that have successfully attacked the United States have
not been met with serious consequences, something King worries will
continue to invite future attacks.

"So far there hasn't been much in the way of price paid," the senator
argued. "There have to be consequences, otherwise everybody is going to
come after us. Not just Russia, but North Korea, Iran, terrorist
organizations."

When North Korea successfully hacked Sony Pictures in 2015, President Obama
authorized the first-ever sanctions for cyber-related activities. North
Korea was undeterred and according to reports from Seoul, hacked into a
trove of classified data and stole U.S. and South Korea war plans.

The United States has been working with China for years to address
cyber-enabled intellectual property theft and espionage, but the results of
those dialogues have been mixed.

The intelligence community concluded that Russia interfered in the 2016
presidential elections, but that action was met with limited economic
sanctions. Despite an outcry from Washington, Russia has continued to
engage in information warfare, and little has been done to counter the
behavior.

King stressed that just being on the defensive is not going to work. "We
have to have a deterrent capability."

The Pentagon currently does not have a doctrine of deterrence in the cyber
domain, Rapuano explained, in part out of concern that establishing a
threshold for an act of war or another act that would warrant retaliation
would "invite adversaries to inch up close but short" of that threshold.

Part of President Trump's executive order calls for agencies to outline
"strategic options" for deterring adversaries in cyberspace. That
information has not yet been presented to members of Congress or the public.

Senators on both sides of the aisle are concerned that the policy may not
come soon enough. Last month the Department of Homeland Security revealed
that 21 states had their voting infrastructure hacked in the last election.

DHS effectively classified state election systems as "critical
infrastructure" and a priority for first-line defense under the last
administration and today Krebs is heading up an election security taskforce.

"There's no question they're going to come back," Krebs said, saying that
DHS is focused not only on the 2018 midterm elections but also the upcoming
gubernatorial elections in the next few weeks.

He noted that the department has made "some progress" in securing state
election systems, but "there's a lot more to do."

Sen. Bill Nelson (D-Fla.) is most concerned about the vulnerabilities in
the election system, describing those weaknesses as a "major threat to
national security."

"If a foreign power can come in and change what would be a free and fair
election, then that undermines the entire constitutional democracy," Nelson
stressed.

The array of threats in the cyber domain is vast, ranging from lower-level
ransomware attacks and data theft, to espionage and misinformation,
destroying critical infrastructure, jeopardizing military platforms and
imposing significant costs on the U.S. and global economies.

One report cited by the Department of Justice estimates that cybercrime
alone cost $3 trillion in 2015 and is likely to increase to $6 trillion in
2021.

The profits from cybercrime have also been used to advance conventional
national security threats. North Korea, through ransomware, Bitcoin and
other digital bank heists, has reportedly taken in as much as $1 billion
annually, The New York Times reported. That is equivalent to about a third
of the value of the nation's exports.

The recent Equifax breach highlighted another vulnerability when 143
million people had their most sensitive information stolen and has raised
questions about the government's role in monitoring private companies' data
security.

Assistant Director of the FBI's Cyber Division, Scott Smith, said on
Thursday that he is confident the agency will get to the bottom of the
theft and ultimately be able to determine whether the theft was committed
by a nation-state or some other individual or entity. That attribution
could take between six and eight months.

At that time, he noted it is not clear how the United States will prosecute
the responsible party.

According to officials, it is yet to be determined whether the United
States was winning or losing the war for dominance in the cyber domain.
"We're still trying to get our arms around it," Krebs said. "This is a
battle that is going to be going on for many years."