By Joseph Marks
Director of National Intelligence Daniel Coats on Capitol Hill in Washington on Jan. 29. (Joshua Roberts/Reuters)
That assessment underscores how the United States is far more vulnerable in cyberspace than on the battlefield, in the air, or at sea, where it remains superior to its adversaries.
As a result, the cyberattack capabilities of China, Russia, Iran and North Korea are “growing in potency and severity” and “threatening both minds and machines in an expanding number of ways,” Coats told the Senate Intelligence Committee during an annual hearing on worldwide threats.
“As the world becomes increasingly interconnected, we expect these actors to rely more and more on cyber capabilities when seeking to gain political, economic and military advantages over the United States and its allies and partners,” Coats said.
He described all four nations in written testimony as capable of launching cyberattacks against critical infrastructure such as energy or electrical systems, which could cause at least temporary disruptions to American life.
Moscow, in particular, “is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage,” according to the testimony.
Here are four big takeaways from the hearing:
1. Elections are still a target.
Russia, which launched a hacking and disinformation operation to undermine the 2016 presidential election, remains interested in conducting similar operations during the 2020 election, FBI Director Christopher Wray warned.
What’s more, “other countries are taking a very interested eye in that approach,” Wray said.
The U.S. government has distributed $380 million in election security grants to states since Russia’s 2016 election operations and the Homeland Security Department has helped states with vulnerability scans and cybersecurity advice. Many election systems remain vulnerable to hacking, however, according to independent tests.
2. China is the real threat to watch.
Much of the governmental and intelligence focus of the past two years has been on the threat of Russian hacking and disinformation campaigns, but China poses a greater long-term strategic threat, Wray said.
Chinese digital theft of intellectual property, which declined significantly after a 2015 agreement between President Barack Obama and Chinese leader Xi Jinping, has rebounded dramatically in the past four years, Wray said, calling China “the most significant counterintelligence threat we face.”
The FBI is conducting economic espionage investigations in “virtually every one” of its 56 field offices, Wray said, and “almost all of them lead back to China.”
During the hearing, intelligence leaders and senators also focused on the telecommunication giant Huawei, which officials have warned could be a platform for Chinese digital snooping. Congress banned Huawei from government contracts last year and the White House is considering an executive order barring the company from U.S. systems entirely. The Justice Department also indicted Huawei officials this week for allegedly evading U.S. sanctions on Iran and stealing robotic technology from T-Mobile.
“It seems to me they have to decide: They’re either going to be a worldwide telecommunications company or an agent of the Chinese government,” Sen. Angus King (I-Maine) said of Huawei. “They can’t be both.”
3. The shutdown’s making it harder to recruit top talent.
The Intelligence Committee’s ranking Democrat Mark R. Warner (Va.) fretted during the hearing that the partial government shutdown that concluded Friday could make it far more difficult for the FBI and other intelligence agencies to recruit top talent.
The shutdown forced FBI cyber agents to work without pay and hampered numerous cyber investigations.
“If we cannot guarantee that people who work for the United States government aren’t going to be used as hostages for either side of a political debate, then I think our ability to recruit and retain will go down dramatically,” Warner warned.
The FBI is “still assessing the operational impact of the shutdown,” Wray said, though he described the shutdown as an “incredibly negative and painful experience” for FBI agents and their families. He did not say what effect it might have on recruiting and retention.
4. It's the big four adversaries - with an asterisk.
Intelligence leaders focused almost exclusively during the hearing on cyber threats posed by Russia, China, Iran and North Korea, rather than cyber threats posed by terrorist groups or nations with less advanced cyber capabilities.
That tracks with conventional wisdom in recent years that the sort of large-scale cyberattacks that would cause significant disruption to U.S. life or even deaths are beyond the capabilities of existing terrorist organizations.
Coats’ written testimony merely warned of terrorists launching distributed denial of service attacks or defacing Web and social media sites.
The report does warn, however, that foreign criminal groups could launch cyber strikes that disrupt the health care, financial or emergency service sectors “based on the patterns of activities against these sectors in the last few years.”
The intelligence community is also increasingly seeing “nation states enlisting the help of criminal hackers, which is a form of outsourcing that makes it even more of a menace,” Wray warned.
Sen. Mark R. Warner (D-Va.) in Washington on Dec. 6, 2018. (Andrew Harrer/Bloomberg News)
The senator also expressed concerns about the toll that the shutdown took on employees' morale and on the federal government's ability to recruit cyber professionals. “Needless shutdowns like this one have the effect of discouraging talented individuals from joining the Federal workforce, and pushes some of our best towards alluring careers in the private sector,” Warner said, before asking what DHS intends to do to address those issues. He also asked Nielsen what kind of work DHS was able to carry out to strengthen election security as the shutdown went on.
A Department of Homeland Security worker listens to then-President Barack Obama talk at the National Cybersecurity and Communications Integration Center in Arlington, Va., on Jan. 13, 2015. (Larry Downing/Reuters)
Government agencies’ scores overall dropped slightly on the network security metric — largely because of a well-documented issue of website security certificates expiring. The government actually raised its score in the other two categories, however.
There’s no definitive explanation for why the government’s patching score improved, but it’s a reasonable guess that IT security staff who remained at work had more time to deal with routine patching while other operations were shuttered, Security Scorecard’s Chief Research and Development Officer Alex Heid told me.
The endpoint security score almost certainly improved because furloughed workers weren’t on their phones and laptops and so they were not making poor security decisions, Heid told me. The survey does not address numerous other potential vulnerabilities that aren't visible on the public internet.
Employees work inside the C-TOC Big Rig freight truck in London that IBM uses to train corporate teams to respond to cybersecurity incidents. (Luke MacGregor/Bloomberg News)
Additionally, employers should set up internal retraining initiatives to help fill cybersecurity shortages and educators should emphasize teaching computing fundamentals, according to the authors. “Instructors should work to incorporate hands-on learning opportunities like competitions, challenges, and cyber ranges into cybersecurity curricula to build practical skills in students and forge partnerships with local employers to allow students to partake in apprenticeships and internships that will expose them to the cybersecurity work environment,” the report said.
Rep. Jim Langevin (D-R.I.) on Capitol Hill in Washington on Jan. 3. (Carolyn Kaster/AP)
Speaking at the State of the Net conference, Langevin also said he intends to reintroduce a nationwide consumer data breach notification bill. Under the legislation, businesses would have 30 days to disclose such breaches. Previous versions of the bill have been stymied by disputes over whether states would be allowed to retain stronger breach notification requirements.
— U.S. District Judge Lucy Koh in San Jose rejected a data breach settlement proposed by Yahoo, Reuters's Jonathan Stempel reported. Three breaches affected about 3 billion accounts from 2013 to 2016. “The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts,” according to Reuters. “But the judge said the accord did not disclose the size of the settlement fund or the costs of the credit monitoring, and the proposed class may be too big because the number of ‘active’ users that Yahoo disclosed privately to her was far lower.”
— Google's Chrome security team is pursuing efforts to spot URLs that look unusual or suspicious to make Internet users safer, Wired's Lily Hay Newman reported. Hackers can use complicated URLs to trick or confuse users and carry out scams. To help remedy the problem, the Chrome security team is launching a tool called TrickURI “that collects both legitimate and sneaky URL samples to train machine learning algorithms about potentially phishy sites,” according to Wired.
- BSidesPhilly cybersecurity conference in Philadelphia on Friday.
- B-Sides Tampa cybersecurity conference in Tampa on Saturday.
Source: The Washington Post