A broad, worrisome assortment of cyber threats tops the U.S. intelligence community’s latest “worldwide threat assessment,” but it’s unclear whether the policymaking apparatus in Congress and the federal bureaucracy is keeping up.
“The intelligence community’s threat assessment for cyber is basically what we have been saying for some time. The cyber threat is bad and is going to get much worse as the attackers are becoming much more sophisticated, blending nation-state and criminal activity, while the system they are attacking — already weak — is getting weaker,” said Larry Clinton, president of the industry-based Internet Security Alliance.
“Meanwhile,” Clinton said, “the economics of cybersecurity all favor the attackers as the intelligence community repeatedly indicates cyberattacks are a relatively inexpensive way to conduct all manner of nefarious activities.”
Director of National Intelligence Dan Coats and four of his most senior colleagues in the intelligence community offered their take on global threats last week before the Senate Intelligence Committee.
“The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected — with relatively little built-in security — and both nation-states and malign actors become more emboldened and better-equipped in the use of increasingly widespread cyber toolkits,” the first entry in the new intelligence assessment states.
The idea that the U.S. is less than fully prepared to respond was frequently mentioned by lawmakers.
“Cyber attacks are occurring right now [and] there is still no strategy or doctrine for dealing with them,” Sen. Angus King, I-Maine, said at the hearing. “Until we have a deterrent capacity, this will continue.”
Adm. Mike Rogers, the outgoing head of both the National Security Agency and Cyber Command, said “we’re not where we need to be” in areas such as government-industry information sharing.
The policy machinery is moving – on election security, deterrence, threat information sharing, consumer data hacks, threats from foreign companies perhaps in league with hostile powers, and other issues – but how quickly and effectively it will produce solutions remains to be seen.
Election security is a prime concern cited in the intelligence assessment.
King as well as Senate Intelligence Chairman Richard Burr, R-N.C., both said last week that the panel would produce recommendations for shoring up election systems.
Burr promised an open hearing on the matter, and King told the Washington Examiner the committee will recommend that voting machines are never connected to the Internet and that there are always paper-ballot backups.
Republicans and Democrats haven’t converged around a single approach to election-security legislation, and a House Democratic task force unveiled its own recommendations last week.
Cyber deterrence is even more amorphous than election security as an area of policymaking.
Deterrence is essential, lawmakers and intelligence leaders agreed, but how to achieve it, or even define it, remains subject to debate.
The State Department, which is expected to take the lead on international engagement on cybersecurity, is reorganizing its cyber functions while the Pentagon under a congressional mandate is developing a cyber deterrence strategy.
Threats from Chinese-based telecommunications and information technology companies were also a hot topic at the Senate Intelligence Committee hearing and legislation has been introduced that would ban two of those firms – Huawei and ZTE – from receiving U.S. government contracts. The intelligence community leaders said they shared lawmakers’ concerns about security risks associated with the products and said they would not recommend using them.
“The equipment they produce is very much a risk to U.S. agencies,” House Intelligence Ranking Member Adam Schiff, D-Calif., said in an interview. “We can’t rely on their integrity. Something like this bill ought to move.”
The legislation targeting Huawei and ZTE has been viewed as something of a long-shot, but both the House and Senate versions continue to attract cosponsors.
The two companies have denied any wrongdoing or improper connections with the Chinese government.
The intelligence community’s threat assessment also highlighted growing links and blurred lines between criminal operations in cyberspace and nation-state activities. Criminals and foreign adversaries could be targeting consumer data, for reasons ranging from garden-variety theft to building false identities or other purposes.
One way to address that could be through a federal consumer data security and breach notification law, an idea that has foundered repeatedly in Congress over the past decade.
Rep. Blaine Luetkemeyer, R-Mo., chairman of a House Financial Services subcommittee, has drafted a new bill that is the likely starting point for debate this year. But many of the same obstacles await, including on the controversial question of preempting state laws on data security and breach notification.
“Our bill says you’re responsible if a breach happens on your network,” Luetkemeyer said in an interview. “We’re trying to set a bar at which everybody has to accept responsibility.”
These are each important pieces but key players such as ISA’s Clinton suggest the bigger picture is being missed.
“Unfortunately, the government activity to promote cybersecurity has been almost entirely focused on incremental operational issues,” he said. “Very little has been done to reorient the economics of cybersecurity. … Until we take this more comprehensive approach to cybersecurity – including the how and why of the issue – I’m afraid we will continue losing ground.”
