In its first hearing of the new Congress, the House Homeland Security Committee examined United States (U.S.) public and private sector cybersecurity in light of the seemingly massive SolarWinds hack. However, one of the witnesses made the point that it would be more accurate to stop referring to the Russian campaign by that name, since it is quite likely that other U.S. companies were similarly compromised and have not yet been discovered. And so, with this major event as the immediate impetus for the hearing, the committee heard from witnesses on how the government could generally shore up cybersecurity.
Members were naturally interested in what the U.S. government can do, but within the prevailing political consensus that treats government-prescribed cybersecurity standards for the private sector as anathema. And while the hearing featured the customary cybersecurity kumbaya on the importance of doing something, as with many issues there is deep disagreement on what that “something” might be. Neither the chair nor the ranking member said much beyond platitudes, which does not necessarily mean they will not offer proposals to rectify the shortcomings that allowed the Russian SVR to penetrate key federal and private sector systems.
In his opening statement, Chair Bennie Thompson (D-MS) characterized cybersecurity as a bipartisan issue but noted his view that the previous administration resisted efforts to improve federal and U.S. cybersecurity. Accordingly, Thompson lauded President Joe Biden for staffing decisions that have installed a number of cybersecurity experts in key positions in the White House and for taking a more adversarial stance towards Russia over election interference and the SolarWinds hack. He also lauded Biden’s inclusion of $10 billion for federal agency cybersecurity in his proposed $1.9 trillion COVID-19 relief package. Thompson said that with proper leadership, the U.S. government could begin to address the gaps in its cyber posture that have been exposed. He revealed that the House Homeland Security Committee has been working with another committee (most likely the House Oversight and Reform Committee) to investigate the SolarWinds hack and how to remedy vulnerabilities. Thompson remarked it is clear that “’naming and shaming,’ sanctions, and indictments have not deterred bad actors from engaging in malicious cyber behavior that threatens our national security,” a playbook largely formulated and executed under the Obama Administration. Thompson said “[t]he Federal government must work to raise the baseline cybersecurity posture across government entities and the private sector to reduce avoidable, opportunistic attacks,” a fine sentiment expressed without any sense of how this might be accomplished.
New Ranking Member John Katko (R-NY) agreed in his opening statement that cybersecurity is a bipartisan issue. Katko largely echoed Thompson’s dire assessment of U.S. cybersecurity in the face of an endless onslaught by Russian, Chinese, and other hackers. However, he made clear that he wanted to hear solutions from witnesses and not a recitation of the awesome task facing the U.S. government. Katko discussed some of the aspects of cybersecurity that make the issue complex. He expressed concern about the muddled, overly complicated lines of cybersecurity authority on the civilian side of the U.S. government and how they impair effective security and response. Notably, he omitted the national security side of the government, even though it may be the most targeted part of federal systems, in large part because it lies outside the committee’s remit. Nonetheless, he called for the committee and the Congress to give the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) the necessary authority to safeguard the civilian side of the federal government, a policy proposal that very likely appeals to the Democratic-controlled Congress and White House.
Former CISA Director Christopher Krebs provided “a series of recommendations to improve our approach to making the Internet a safer and more secure place for all Americans.” He asserted “[t]hese recommendations are rooted in the need to continually improve our understanding of our nation’s physical and digital infrastructure, introduce friction into the adversaries’ activities, and increase investments and centralized services for government and industry alike…[and] align with the more defensive actions associated with ‘Deterrence by Denial.’” Krebs grouped his recommendations into the following five categories, each with more specific sub-recommendations:
1) Continue to invest in CISA’s National Critical Functions (NCFs) Initiative, improve our understanding of the risk facing our Nation’s infrastructure, and expand roll out to highest risk functions.
2) Prioritize identification of systemically important enterprise software and services, update federal contracting for greater transparency and sharing, and launch operational defensive partnerships called for in the 2021 National Defense Authorization Act.
3) Launch a national countering ransomware initiative to improve defenses, disrupt the ransomware business model, and use a broader set of authorities against actors.
4) Proceed with Department of Commerce rulemaking on Executive Order 13984, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” to counter adversary abuse of Virtual Private Servers.
5) Improve Federal cybersecurity posture through enhanced governance, increased funding, and centralized services offered by CISA.
Former Principal Deputy Director of National Intelligence in the Office of the Director of National Intelligence Sue Gordon discussed “three aspects of the issue: the nature of the cyber threats we face and that are emerging, the domains in which those threats manifest, and the imperatives that must drive solutions.” She said “[m]y colleagues will discuss the specifics of recent attacks and proffer specific next steps, I hope to put those in context:
- First, in terms of threat, offensive cyber capability is a global commodity—the means by which every interest of our adversaries and competitors is increasingly achieved. In a digitally connected world, one need not travel great physical distance or expend great resources to achieve a malign outcome.
- Second, in terms of domain, it used to be that governments held all the vital information (kept the secrets worth stealing) and wielded all the power (made all the decisions worth influencing). No longer. The engine of our great society lies in our companies and our communities, and the decisions made in board rooms and voting booths can have global impact, so the threat surface includes private companies and private citizens, and their decisions can have direct effect on national security as surely as it would if they held government position.
- Third, enough problem identifying. Your purpose—our collective purpose—is to find solutions.”
Former Special Assistant to the President and Cybersecurity Coordinator at the National Security Council Michael Daniel claimed “the US government should pursue three long term goals to counter the cyber threats we face: It should seek to raise the level of cybersecurity and resilience across our digital ecosystem; disrupt adversaries at a faster pace and larger scale; and respond more effectively to cyber incidents when they occur.” Daniel expanded on his recommendations:
- Raise the level of cybersecurity across the ecosystem – despite a growing recognition that cyber threats affect everyone, many organizations still have not implemented basic cybersecurity measures, such as two-factor authentication, and very few have reached a high level of maturity, even those that manage or perform critical national functions. They also have not developed sufficient resilience to cyber incidents. Given this situation, the Federal government should aim to improve cybersecurity and resilience across the board. Setting such a goal does not require the government to treat all organizations the same or not prioritize some functions over others; in fact, achieving this goal requires such prioritization. However, given the interconnected and interdependent nature of cyberspace, the goal should be that all organizations reach a level of cybersecurity commensurate with their size, industry, and overall function.
- Disrupt adversaries at scale – since we cannot rely on defense alone, the US government also needs to increase the pace and scale of its disruption efforts, whether against nation-states, criminals, hacktivists, or terrorists. Disruption should involve all the elements of national power, including diplomatic, economic, law-enforcement, cyber-technical, military, and intelligence tools. It will also require working with private sector cybersecurity providers and collaborating internationally. While we have made significant progress in these activities over the last decade, we need to impose greater costs on our adversaries.
- Respond more effectively to incidents – no matter how much we improve our defense and offense, our adversaries will sometimes achieve their goals. They will succeed in stealing information or money, causing disruption, or holding a critical function at risk. To deal with those situations, the Federal government needs to be able to deal with such incidents rapidly and efficiently, enabling private sector owners and operators to restore functionality expeditiously.
Another witness framed the problem in written testimony this way: “As the U.S. enters a new era of competition, on battlefields old and new, modernizing and further resourcing America’s cyber strategy is a necessary precondition for achieving any number of other critical government objectives. In my testimony today, I will outline a conceptual framework for understanding cybersecurity. I offer five recommendations that I believe will meaningfully improve our ability to anticipate and prevent cyber threats and fortify our cyber defenses, building on the recommendations and critical work undertaken by the Cyberspace Solarium Commission:
- Providing the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. Department of Homeland Security with the authorities and resources to one day become an operational federal CISO, or Chief Information Security Officer, for the civilian federal government;
- Adopting speed-based metrics to measure agencies’ response to cyber threats;
- Passing a comprehensive federal breach notification law;
- Increasing security standards for vendors supplying high-risk software through government acquisition processes; and
- Targeting the business model of ransomware criminals with mandatory “Know Your Customers” rules in cryptocurrency payment systems.”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.