Assessing U.S. Response to Cyberthreat
Legislation is required to cut through interagency bureaucracy and provide the U.S. government and the private sector with the tools to thwart cyberattacks.
Huw Price, the Bertrand Russell professor of philosophy at the University of Cambridge, wrote earlier this year in The New York Times about the need to focus more attention on potential future risks posed by technology. By that, he explained, he meant catastrophic risks, such as those posed by artificial intelligence advancing computers beyond human control or designer bacteria getting into the hands of terrorists, for example. But it is the current danger posed by cyberthreats to everything from the U.S. electric grid and its banking system to its general economic wellbeing that worries current and former government officials. Former Director of National Intelligence Mike McConnell is one of those trying to draw attention to the risk of catastrophic harm from cyberattacks. Though he, like others, uses the metaphor of 9-11, he’s not just talking about a single or focused series of attacks. He’s talking about long-term systemic risk.
Speaking at an event hosted by the American Bar Association’s Standing Committee on Law and National Security, McConnell, who is currently vice chairman at Booz Allen Hamilton, noted that nation states routinely use cyberhacking to steal intellectual property from U.S. companies, which can slowly lead to economic decline. Thus, instead of causing immediate harm by bringing down the electric grid or the banking system, he explains, “it could be catastrophic over 10 to 15 years.”
Whether the attack is sudden or subtle, the big problem the United States faces in trying to defend against the threat isn’t that no one acknowledges the problem. It’s that the various parts of industry and government that need to work together closely to fight it successfully do not have the authority they need nor do they have the right framework within which to coordinate their actions. Despite the talk of better cooperation since 9-11, when it comes to cybersecurity, “we are currently arguing on bureaucratic turf,” McConnell said.
Assistant Attorney General Lisa Monaco, who spoke to the same group, also highlighted the need to overcome agency silos to battle the cyberthreat. She specifically focused on the importance of improving information sharing among intelligence and law enforcement branches of government. But her assessment of progress was more upbeat.
Monaco noted that before the National Security Division (NSD) was created within the Department of Justice (DOJ) in 2006 as a response to 9-11, the DOJ’s counterterrorism and counterespionage prosecutors and its intelligence lawyers worked separately without coordinating their actions or sharing information. Now they are well integrated with regard to the terrorist threat, and they are also working to apply those lessons to the cyberthreat. To that end, last year the agency created a nationwide network of National Security Cyber Specialists that “brings together the department’s full range of expertise on national security-related cyber matters, drawing on experts from the NSD, from the U.S. Attorney’s Offices, from the Criminal Division’s Computer Crime and Intellectual Property Section, and from other DOJ components,” she said. “It is a one-stop shop within the DOJ for national security cyber intrusion activity.”
But the same level of coordination does not exist among departments or between the public and private sectors.
A major issue, McConnell explained, is that the legal language that exists to grant agencies the authority to act on various aspects of the problem does not cut across jurisdictions; it exists as separate authorities: Title 18 for the DOJ, Title 50 for intelligence, and Title 10 for the Department of Defense (DoD), for example, with the Department of Homeland Security (DHS) authority being yet another statutory silo. So it is not clear that the National Security Administration (NSA) can share with the DHS information about a U.S. company suffering a cyberattack or that the DHS can share that with a sector that works with the compromised company or the company itself. In fact, McConnell said, if it were a physical attack, “we would not allow that perpetrator to cross our border,” but in the cyber realm, the intelligence agencies may well be aware of a foreign nation’s intrusion into a business and yet not be legally able to warn them about it or stop the intrusion.
To combat the rising threat, McConnell explained, there has to be a connection between the function of listening in on (what he called exploiting) an enemy’s network to learn its capabilities and plans, and being able to respond to those plans in some fashion, perhaps with a countercyberattack if necessary for national defense. On the military side, that’s why it’s so important that the U.S. Cyber Command, established by the military in 2010, continue to report to the Director of the NSA, so that exploiters (the NSA’s intelligence gatherers) and attackers (under the Cyber Command) work hand in glove within the same agency, he said.
Some military and think-tank experts have advocated separating the Cyber Command from the NSA, but McConnell says, “They have never walked in my shoes. Bureaucratically, all cooperation would stop.” If that were done, he says, “I can absolutely assure you...that the heads of those agencies and the members will battle to the death. They absolutely will not cooperate.” It’s just the nature of government bureaucracy, he says, that overlapping missions lead to turf battles.
For that reason, there also needs to be new legislation that removes overlap and conflict and sets a framework for cooperation on the cyberthreat generally throughout government and with the private sector, McConnell said.
Other attempts to pass cyber-related legislation have not gone well, however. Bills aimed at improving information sharing and establishing standards for cybersecurity at private-sector owned critical infrastructure have stalled in Congress.
The White House continues to take interim steps that don’t require legislation. In fact, not long after McConnell spoke, the President issued an Executive Order on Improving Critical Infrastructure Cybersecurity, which called for government agencies to work with critical infrastructure owners and operators to establish a cybersecurity framework and to improve information sharing. Among other measures, the executive order directed DHS to expand its Enhanced Cybersecurity Services (ECS) program, a program established in 2012 to enhance the cybersecurity of critical infrastructure entities that voluntarily chose to participate. Under the program, DHS partnered with DoD to share cyberthreat indicators with critical infrastructure companies through Commercial Service Providers (CSPs) serving those companies.
Through ECS, DHS will be able to share information about new attack signatures and other means of detecting and mitigating cyberthreats with CSPs. However, a Government Accountability Office report on cybersecurity issued the same month as the executive order, notes that “According to DHS, a secure environment for sharing cybersecurity information, at all classification levels, is not expected to be fully operational until fiscal year 2018.”
While the executive order also calls for the development of technology neutral cybersecurity standards within one year, compliance would be voluntary, perhaps limiting the ultimate impact of any standards. The order does call for possible incentives to induce compliance.
The White House also announced a stepped-up effort to protect trade secrets of U.S. companies through stronger diplomatic efforts, stronger enforcement actions to catch those who steal trade secrets, greater efforts to encourage businesses to strengthen protections against theft, and outreach to educate the public.
The White House push for better information sharing addresses some of Connelly’s concerns, but the executive branch can only do so much. “An Executive Order signed by the President... does not take the place of legislation for the needed changes across the cyber security landscape,” McConnell said. “Legislation must address issues such as sharing sensitive government information with the private sector for better protection; standards for raising our collective cyber security posture; and incentives—such as liability protection—for industry members who voluntarily meet higher standards. Legislation also is required to provide appropriate authorities and direction to executive departments of government for improved coordination and cooperation to protect the nation.”
And without legislation, the issue of bureaucratic turf wars may continue to get in the way of the country’s ability to effectively fight the next cyberwar.