15 March 2020

Congress, Warning of Cybersecurity Vulnerabilities, Recommends Overhaul

By Julian E. Barnes and David E. Sanger
Source Link

A yearlong effort by a bipartisan group of lawmakers suggests steps to deter attacks, including clearer communication of operations. 

 “The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” a congressional report concludes.Credit...Jonathan Ernst/Reuters

WASHINGTON — A yearlong congressional study of American cyberspace strategy concludes that the United States remains ill-prepared to deter attacks, including from Russia, North Korea and Iran. It calls for an overhaul of how the United States manages its offensive and defensive cyberoperations.

The report, mandated by Congress and led by a bipartisan group of lawmakers, says the military needs far more personnel trained for cyberoperations. It also says Congress needs to dedicate committees to cyberoperations, and the public and private sectors need vastly improved defenses created in layers, along with more aggressive offensive actions inside the networks of other nations.

Those steps would be intended to drastically raise the cost of attacking the United States or its companies.


“The U.S. government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace,” the final report of the Cyberspace Solarium Commission concludes. “We must get faster and smarter, improving the government’s ability to organize concurrent, continuous and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries.”

Senator Angus King, the Maine independent who is the co-chairman of the commission, said in an interview, “There is rarely a silver bullet; there is silver buckshot.”

Many of the actions in the 122-page report can be taken by Congress, including transforming the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, into a rapid-response group akin to the how the Federal Emergency Management Agency is supposed to react to natural disasters.

But others would require active support from the White House. President Trump’s staff is famously reluctant to bring cybersecurity issues to his desk for fear that he would again conflate recommendations for improved defenses with discussion of Russia’s efforts to interfere in American elections, which Mr. Trump considers tantamount to questioning the legitimacy of his presidency.

The White House has also been secretive about current policy: The administration refused to share with Congress, or the commission, the presidential order signed in August 2018 that gave new powers to the military’s Cyber Command.

Despite the devastation cyberweapons have caused around the world over the last decade, they are still in their infancy. David E. Sanger, a New York Times national security correspondent, explains why the threat is growing. 

Cyberconflict right now, at this very moment, is like this airplane. It was the first military airplane that was ever built — back in 1909. But in just a few decades, planes would be capable of destroying entire cities. Right, so when we talk about cyberweapons, we’re still basically in 1909. “That’s why you have to have some humility about what’s going to happen in the world of cyberconflict.” David, here, is a national security correspondent for The Times, and he’s written a book about cyberconflict. It seems like we’re hearing more and more — “One of the worst cyberattacks ever.” — about state-sponsored cyberattacks. “Occasionally, there are going to be breaches like this.” “And this weapon will not be put back into the box.” “We have more to lose than any other nation on earth.” So, we really wanted to find out just how bad things are. And how bad they could get. Should we be afraid? 

“Yes, you should be afraid, but not for the reason you think — not because somebody is going to come in and turn off all the power between Boston and Washington. You should be worried about the far more subtle uses of cyber.” For example, not an overt attack on U.S. troops, but instead, maybe hacking into military health records and switching around people’s blood types. It still causes havoc. “Think terrorism —” “About a third of the building has been blown away.” “— instead of full-scale war.” “Why do you call it the perfect weapon?” “Because it’s deniable. If you can’t figure out right away where the attack’s coming from, you can’t really retaliate.” Plus, you can fine-tune the strength of cyberattacks. You can make them just strong enough to do real damage, but not so strong that they trigger a military response. 

“It’s cheap compared to, say, nuclear weapons. You just need some twenty-somethings who are good at programming, a little bit of stolen code and maybe some Red Bull just to keep them awake during the night.” That’s why cyberweapons have only just begun to spread. “And cyber is the perfect weapon for a country that’s broke.” “And we can confirm that North Korea engaged in this attack.” Take that time North Korea hacked into Sony — “Because of a satirical movie starring Seth Rogen and James Flacco.” What if they didn’t have cyberweapons? “Maybe they would have landed some commandos at Long Beach, called an Uber, stuck some dynamite underneath the Sony computer center and run like hell.” So really, North Korea’s only option was to use cyberweapons. 

But it wouldn’t be so easy for the U.S. to hit North Korea’s cybernetworks. “They have fewer IP addresses — Internet Protocol addresses — in North Korea, than you have on any given block of New York City.” Still, we wanted to know who’s the best at cyberconflict. “Russia, China, Iran, they use it regularly to advance their political agendas. The Russians to disrupt, the Chinese frequently to steal information, the Iranians to show that they can reach the United States.” “How good or bad is the U.S. at this stuff?” “Among the very best at cyberoffense. 

The problem is that while we’re good at offense, we’re the most vulnerable in the defensive world because we’ve got so many networks that form such a big target. The United States has 6,200 cybersoldiers.” “Are these people sitting in military fatigues behind a computer?” “They are sitting in military fatigues behind a computer. But the Russian hackers, or the Chinese hackers, may not be in uniform. They may be in blue jeans. They are probably sitting at the beach somewhere — someplace that’s got a really good internet connection.” All this cyberconflict really kicked off in 2008. Right, that’s when the U.S. and Israel attacked Iranian nuclear facilities. “It was the most sophisticated use of cyber by one state against another, and it opened up the Pandora’s box.” And remember — it’s still only the beginning. “We haven’t seen a full-blown war, and we don’t know what one looks like.” “What’s the most challenging part about covering this beat?” “The hardest part about covering the state use of cyber, is the enormous secrecy that the U.S. government wraps around it. But we’ve hit the point where the secrecy has actually begun to impede our ability to deter attacks. Because others don’t understand what we can do to them, and what we’re willing to do to them. In other words, we’re not setting any red lines out there.”

Cyberconflict: Why the Worst Is Yet to Come Despite the devastation cyberweapons have caused around the world over the last decade, they are still in their infancy. David E. Sanger, a New York Times national security correspondent, explains why the threat is growing.CreditCredit...Illustration by Aaron Byrd

The commission stops short of addressing one of the central conundrums of current cyberoperations. The United States has condemned foreign operations aimed at intruding in American networks to influence elections or penetrate energy grids. But at the same time, the report calls for an acceleration of the American strategy of persistent engagement, in which Cyber Command and the National Security Agency go deep inside Russian, Chinese, Iranian and North Korean networks, among others, to see attacks massing or to take pre-emptive action to deter an adversary’s operations.

In order to reach international agreements on what kinds of actions are permissible, the United States must be willing to say what kinds of offensive techniques it is willing to give up — including turning off power systems, communications networks or influence elections in peacetime, the report states. American intelligence agencies and the military have resisted such discussions. While commission members have said any such international agreement would require a verification system to ensure compliance, the commission report does not directly address that challenge.

“I don’t think we should take any options off the table if we are attacked,” said Representative Jim Langevin, a Rhode Island Democrat on the commission and the chairman of a House subcommittee on intelligence and emerging threats. “We will not in peacetime take down infrastructure.”

The report endorses the current concept of “forward defense” or “persistent engagement” so the United States stays inside foreign networks. But it argues for penalties against those who steal intellectual policy, interfere in elections or manipulate data in the United States.

“Those that would violate those norms should be held accountable, with public shaming and sanctions or indictments, using all tools of national power,” Mr. Langevin said.

Many of the solutions proposed by the commission have a bureaucratic feel, even if they might help lead to a better coordinated strategy. While the White House has had a cybersecurity coordinator, the job was downgraded by John R. Bolton, who was dismissed last year as national security adviser. The position created by the commission would be confirmed by the Senate and report to the president.

The commission was created in part to assess why America’s response to nuclear weapons deployment was so focused and its response to cyberstrategy so disorganized. While nuclear weapons have not been used in war in nearly 75 years, cyberweapons — far less drastic in effect — are used all the time against government and industrial targets and private individuals. In the absence of a single major, catastrophic event, the fear was that Congress was not focused on daily, corrosive cyberbattles.

“This is almost like a 9/11 commission in the absence of a 9/11,” said Representative Mike Gallagher, Republican of Wisconsin, who is the co-chairman of the commission. “We are attempting to galvanize the American public and spur a change in the status quo prior to that huge cyberattack.”

To better deter adversaries, the commission calls for both quicker attribution of who is responsible for cyberattacks — easier to advocate than execute — and a clearer, more public discussion of America’s military cyberoperations aimed at countering such adventurism.

Under the Trump administration, the government has taken some steps to shore up its cybercapabilities and use them more aggressively.

Mr. Trump, from time to time, has favored cyberattacks over traditional, physical strikes. When Iran shot down an American drone over the Persian Gulf last year, Mr. Trump called off airstrikes but allowed a cyberattack that hurt Tehran’s ability to covertly strike oil tankers in the Persian Gulf. There were attacks on Russia’s Internet Research Agency before the 2018 congressional elections.

The Pentagon is already beginning work on one key proposal of the commission: an expansion of the nation’s cyberranks. Cyber Command was formed with 6,200 personnel but has since expanded its missions to encompass far more operations aimed at potential adversaries, Mr. Gallagher said.

“Three years from now, we could be looking at that as a recommendation that results in an expansion of the cybermission force,” he said.

General Paul M. Nakasone, the head of Cyber Command, testified last week that the Pentagon had already ordered a study to potentially increase the number of personnel.

The cyberspace commission was modeled on work done in the Eisenhower administration, the original Project Solarium, which ultimately shored up the containment policy of the Cold War and focused the military on building a broad deterrence policy around nuclear weapons.

Cyberoperations are of growing importance, but they are not yet as central to American national security strategy as nuclear weapons were in the 1950s. Still, just as early Cold War strategists needed to build up the nuance of deterrence around nuclear weapons, national security experts today are wrestling with how to deter adversaries in cyberspace.

To build up deterrence, a key recommendation of the commission is that the United States speak more clearly about its cyberoperations, which are shrouded in mystery and rarely publicly discussed.

“Saying we will respond at a time and place of our choosing is not sufficient,” Mr. King said. “That is too mushy. There has to be a communication that there will be a response in a timely manner.”


No comments: