A senior cybersecurity official at the Department of Homeland Security, Chris Krebs, warned that cybersecurity “is one of the most significant strategic risks to the United States,” yet when he was pressed to account for the state of America’s information security, he repeatedly said his agency and others “have a lot of work to do.”
The Pentagon official responsible for developing cyber policy and guidance, Kenneth Rapuano, testified that the Department of Defense does not have “sufficient depth and breadth of doctrine” to deter adversaries in the cyber domain.
Sen. John McCain (R-Ariz), chairman of the Armed Services Committee lashed out at both the Trump and Obama administrations for failing to produce a plan to address one of the greatest national security threats facing the country.
“To be clear, we are not succeeding,” McCain stated. “We see no coordination and no policy and no strategy.”
Under the current structure, at least four agencies are responsible for cybersecurity, including threats to critical infrastructure, protecting the electrical grid, cyber warfare operations and incident response. Partly due to the complexity of the mission, there is no single office or individual in charge of the entire enterprise.
The highest level official is Rob Joyce, the White House cybersecurity coordinator, a non-confirmed member of the National Security Council.
Joyce refused to appear publicly before the committee on Thursday, citing executive privilege. Joyce may soon be subpoenaed by the committee after Democrats and Republicans expressed frustration at the lack of cooperation from the executive branch.
Before taking office, President Donald Trump said his administration would prioritize cybersecurity and have a plan drafted within 90 days of taking office. But it wasn’t until May that Trump released an executive order calling for a thorough review of the nation’s cybersecurity posture and a set of recommendations.
The executive order included a series of deadlines for reports to be completed by agencies responsible for aspects of the cyber enterprise, but the administration is again behind schedule.
“We have not seen a plan to move forward yet,” said Sen. Mike Rounds (R-S.D.) who is anxious to see the Trump administration produce a strategy.
“We [need to] look at where we actually want to fight our cyber fights in the future,” he said. “Do we want to fight them within our own systems or do we want to be able to respond and stop the attacks before they get into our system? And that requires a long-term strategic policy.”
To date, the federal government has been slow to implement a cybersecurity strategy, which officials say is a work in progress and in need of improvement. In the meantime, adversaries are innovating new, low-cost ways to hold U.S. interests at risk.
“We are trying to defeat a 21st-century threat with the organizations and processes of the last century,” McCain said. “And we are failing.”
Despite having the largest and arguably the most capable military on the planet, Sen. Angus King (I-Maine) worries that the United States has yet to effectively deter cyber attacks from nation-states or non-state actors.
“It’s warfare on the cheap,”King said.
North Korea, Iran, Russia, and China to terrorist organizations and criminals are becoming increasingly sophisticated adversaries in the information space, according to an assessment from the Office of the Director of National Intelligence.
The nation-states that have successfully attacked the United States have not been met with serious consequences, something King worries will continue to invite future attacks.
“So far there hasn’t been much in the way of price paid,” the senator argued. “There have to be consequences, otherwise everybody is going to come after us. Not just Russia, but North Korea, Iran, terrorist organizations.”
When North Korea successfully hacked Sony Pictures in 2015, President Obama authorized the first-ever sanctions for cyber-related activities. North Korea was undeterred and according to reports from Seoul, hacked into a trove of classified data and stole U.S. and South Korea war plans.
The United States has been working with China for years to address cyber-enabled intellectual property theft and espionage, but the results of those dialogues have been mixed.
The intelligence community concluded that Russia interfered in the 2016 presidential elections, but that action that was met with limited economic sanctions. Despite an outcry from Washington, Russia has continued to engage in information warfare, and little has been done to counter the behavior.
King stressed that just being on the defensive is not going to work. “We have to have a deterrent capability.”
The Pentagon currently does not have a doctrine of deterrence in the cyber domain, Rapuano explained. In part, out of concern that establishing a threshold for an act of war or another act that would warrant retaliation would “invite adversaries to inch up close but short” of that threshold.
Part of President Trump’s executive order calls for agencies to outline “strategic options” for deterring adversaries in cyberspace. That information has not yet been presented to members of Congress or the public.
Senators on both sides of the aisle are concerned that the policy may not come soon enough. Last month the Department of Homeland Security revealed that 21 states had their voting infrastructure hacked in the last election.
DHS effectively classified state election systems as “critical infrastructure” and a priority for first-line defense under the last administration and today Krebs is heading up an election security taskforce.
“There’s no question they’re going to come back,” Krebs said, saying that DHS is focused not only on the 2018 midterm elections but also the upcoming gubernatorial elections in the next few weeks.
He noted that the department has made “some progress” in securing state election systems, but “there’s a lot more to do.”
Sen. Bill Nelson (D-Fla.) is most concerned about the vulnerabilities in the election system, describing those weaknesses as a “major threat to national security.”
“If a foreign power can come in and change what would be a free and fair election, then that undermines the entire constitutional democracy,” Nelson stressed.
The array of threats in the cyber domain is vast, ranging from lower-level ransomware attacks and data theft, to espionage and misinformation, destroying critical infrastructure, jeopardizing military platforms and imposing significant costs on the U.S. and global economies.
One report cited by the Department of Justice estimates that cybercrime alone cost $3 trillion 2015 and is likely to increase to $6 trillion in 2021.
The profits from cybercrime have also been used to advance conventional national security threats. North Korea, through ransomware, Bitcoin and other digital bank heists, has reportedly taken in as much as $1 billion annually, The New York Times reported. That is equivalent to about a third of the value of the nation’s exports.
The recent Equifax breach highlighted another vulnerability when 143 million people had their most sensitive information stolen and has raised questions about the governments role in monitoring private company’s data security.
Assistant Director of the FBI’s Cyber Division, Scott Smith, said on Thursday that he is confident the agency will get to the bottom of the theft and ultimately be able to determine whether the theft was committed by a nation-state or some other individual or entity. That attribution could take between six to eight months.
At that time, he noted it is not clear how the United States will prosecute the responsible party.
According to officials, it is yet to be determined whether the United States was winning or losing the war for dominance in the cyber domain. “We’re still trying to get our arms around it,” Krebs said. “This is a battle that is going to be going on for many years