Search This Blog


Search Tool

Jun 30, 2020

Analysis | The Cybersecurity 202: Commission's plan to avert devastating cyberattack faces uphill battle, 9/11-era officials say

By Joseph Marks

with Tonya Riley

A bipartisan commission that unveiled its plan to reduce the risk of a devastating cyberattack on the scale of the September 11, 2001, terror attacks should be worried about another threat: Washington.
Those who worked on the government response to 9/11 predict that today's policymakers aren't ready to take on ambitious changes – and there's no sense of urgency with the public fixated on other crises, from the coronavirus pandemic to the economy.
This could be a huge challenge for the Cyberspace Solarium Commission, which seeks to shore up potential government and intelligence blind spots to avert a mass casualty attack before it happens.
“I don’t want to say they can’t get the job done, but we had things going for us that they don’t that made our job much easier,” former congressman Lee Hamilton (D-Ind.), who co-chaired the 9/11 Commission, told me. “The whole country’s attention was turned to the events of 9/11 and the response to it…Cybersecurity is a very important issue, but they won’t have that public focus.”
Michael Chertoff, the second director of the Department of Homeland Security, which was created in the wake of the 9/11 attacks, warned that “there’s always more impetus when you’ve experienced a disastrous event.”
The comments reflect a struggle that has dogged cybersecurity advocates for years. A major cyberattack targeting parts of the electrical grid or transportation systems could be devastating for the nation but it’s tough to focus money and energy on a threat that hasn’t happened yet.
Major digital attacks that have occurred, meanwhile, such as Russian efforts to upend the 2016 election and Chinese-linked theft of U.S. security clearance information have prompted limited changes that don’t address the full scope of the dangers.
“After 9/11 we learned a lot about warning signals that weren’t spotted," Sen. Angus King (I-Maine), co-chair of the Solarium Commission along with Rep. Mike Gallagher (R-Wis.), told me. “In this case, the signals are gigantic neon signs. This is the longest windup for a punch in the history of the world. We know it’s coming but we just don’t know how or when.”

9/11 Commission Co-Chairmen, former Indiana Rep. Lee Hamilton, left, and former New Jersey Gov. Tom Kean, testify on Capitol Hill. (AP Photo/Kevin Wolf)
Solarium commissioners have struggled to implement the boldest changes among their dozens of recommendations. 
The most prominent of those is creating a new White House czar to oversee cybersecurity policy across the government. Rep. Jim Langevin (D-R.I.), a Solarium Commission member, introduced a bipartisan House bill that would create the position. But a Senate version is stalled, largely because of White House opposition.
Another top recommendation would streamline the dozens of congressional committees and subcommittees that deal with cybersecurity to just one committee each in the House and Senate. That could be nearly impossible to implement because of congressional turf battles, officials who worked on the 9/11 response predicted.
Indeed, despite years of efforts, DHS's anti-terrorism work is similarly overseen by numerous congressional panels.
“At DHS we continually begged Congress to reduce the number of committees that had jurisdiction over the department, and that [begging] continues to happen and it continues to not be successful,” the first DHS secretary and former Republican governor Tom Ridge told me.
Commissioners have had better success with smaller recommendations. 
Several of those may be included in a major defense policy bill that is working its way through Congress.
They include beefing up the role of the Department of Homeland Security’s top cybersecurity official and requiring cybersecurity risk assessments from publicly traded companies.
The Solarium Commission was based on an Eisenhower-era commission focused on how best to counter the Soviet Union. In addition to lawmakers, its members include top industry executives and former government officials who’ve been stumping for the report’s recommendations since its March release.

Michael Chertoff, the former U.S. secretary of Homeland Security. (Richard Drew/AP)
The commission's efforts are also challenged because cybersecurity is, in many ways, a far more complex problem than terrorism. 
Within government, cybersecurity responsibilities are spread across dozens of agencies, including the defense, homeland security, commerce and state departments. And any one of dozens of U.S. industries could be the target for a devastating cyberattack, including finance, energy, telecommunications and health care.
There’s some analogy to 9/11 but the scope of what you’re dealing with with cyberthreats is much more comprehensive,” Chertoff said. “There are many more kinds of harm that can occur in cyberspace and it requires a much more integrated approach.”
Commissioners may be helped, though, by the sense of urgency created by the coronavirus pandemic.
The pandemic began upending American life and prompting quarantine orders just weeks after the Solarium report came out. But as government and the public struggle to manage the virus it may drive home the importance of tackling big challenges before it’s too late.
Commissioners also released an additional set of recommendations last month focused on new digital vulnerabilities created by the pandemic, including a large share of the nation working from home.
“One serious lesson out of the pandemic is the importance of having a plan in advance,” Chertoff said.

Former DHS secretary and Pennsylvania governor Tom Ridge. (Matt Rourke/AP)
Hacking has also become so pervasive that it could prompt government to take the issue more seriously. 
“All the actions I’ve taken over the years have been to prevent a cyber 9/11 from happening,” Langevin, a co-founder of the Congressional Cybersecurity Caucus, told me. “I felt like a lone voice in the wilderness initially, but people’s awareness has been raised. Ask anyone who’s had their credit card numbers or medical records stolen, and they understand this is an issue.”
The pervasiveness of cybersecurity also separates it from the pre-9/11 era when terrorism wasn't top of mind for most Americans.
“One observation from the 9/11 Commission that’s embedded in my head is when they talked about a failure of imagination,” Ridge said. “This [Solarium Commission] report is saying that based on everything we know we can’t plead surprise anymore. And before we have a cataclysmic cyber event we’d better get our act together.”

The keys
A California university working on a coronavirus cure paid more than $1 million in ransom to hackers. 

An employee uses a pipette. (SeongJoon Cho/Bloomberg News)

University of California at San Francisco officials don't believe any patient medical records or coronavirus research were exposed to hackers, but paid out the $1.14 million ransom because hackers encrypted some files that were important to academic work, the university said in a statement
This is the third attack on a university tied to a ransomware gang called Netwalker since the coronavirus pandemic began, Joe Tidy at BBC News reports.  
The FBI and international agencies have discouraged ransomware victims from paying hackers.
India's government banned TikTok and dozens of other Chinese apps for allegedly stealing user data.

The icon for TikTok. (AP)

India's tech minister said the 59 banned apps were using the data to undermine India's national security, Rajesh Roy and Shan Li at the Wall Street Journal report. The ban comes amid rising military tensions between the two countries over a disputed border.
Chinese companies dominate India’s growing app market and the bans could cost TikTok and other companies millions of users. 
India's actions could also bolster U.S. criticism of TikTok. U.S. officials have accused the app of stealing users’ data and transmitting it in an unauthorized manner. Members of Congress have called for investigations into the app and many military branches have banned it.
India’s ban also included the popular Chinese messaging app WeChat.
Wisconsin Republicans voted by mail even as they try to restrict the practice. 

Voters observe social distancing guidelines as they wait in line to cast ballots in the presidential primary election in Milwaukee. (Morry Gash/AP)

More than 80 percent of Republican members of the state legislature voted by mail during the state’s April primary, which was held amid the coronavirus pandemic, the Associated Press reports. That’s up from less than 35 percent in previous elections.
Republican lawmakers blocked efforts by Democratic Gov. Tony Evers to delay that primary resulting in thousands of requested absentee ballots not arriving on time and hours long lines in Milwaukee and Green Bay.
“If absentee ballots are good enough for Republican legislators, they should be accessible to all Wisconsin voters,” Nicole Safar, executive director of A Better Wisconsin Together, a liberal advocacy group that compiled the voting records, told the AP's Scott Bauer. “They risked people’s lives in the April 2020 election and they’re at [it] again. 
Many high-profile Republicans pushing against voting by mail in Washington also voted that way themselves, including President Trump and Vice President Mike Pence.
Meanwhile, in Georgia, lawmakers voted down a bill that would have barred election officials from mailing voters absentee ballot applications, the Atlanta Journal-Constitution reports

Securing the ballot

Democrats say Facebook's guards against election disinformation don't go far enough to protect voting by mail.

Stacey Abrams. (Robert F. Bukaty/AP)

The social media platform's recent announcement that it will increase resources to remove false claims about polling conditions in the 72 hours leading up to Election Day, for example, does not do enough to protect mail voting that can happen weeks earlier, former Georgia politician Stacey Abrams said.
In the era of covid-19 voting starts almost 40 to 60 days ahead of Election Day. Seventy-two hours cannot solve the problem when you have vote by mail sweeping the country," said Abrams, who founded the voting rights group Fair Fight and is being discussed as a potential Democratic vice presidential candidate. Abrams was speaking at an event on disinformation hosted by George Washington University.
Abrams also criticized Facebook for allowing President Trump to post false and misleading information about voting by mail. Twitter, by contrast, has added fact checks to some of the president's dubious claims.

Chat room

One of Trump's recent misstatements drew a phony distinction between absentee voting and voting by mail. They're actually the same thing, as several people pointed out. Edward Perez, global director of technology development at the OSET Institute:
Cars are fine. A person has to go through a process to get and use a driver’s license. Automobiles, on the other hand, will lead to the most dangerous highways in US history!
— Eddie Perez (@eddieperezTX) June 29, 2020
CNN media correspondent Brian Stelter:
Absentee ballots and mail-in ballots are the same thing, but it won't surprise you to learn that Paterson, NJ was invoked on Fox News Sunday afternoon...
— Brian Stelter (@brianstelter) June 29, 2020

Hill happenings

Major universities and tech companies are backing legislation that would establish a national artificial intelligence research task force.

A man wearing a protective mask walks past an office building with the IBM logo in Sydney. (Loren Elliott/Reuters)
The National AI Research Resource Task Force Act aims to spur artificial intelligence research in the United States and to make it easier for smaller companies and research institutions to take part in it. University supporters of the measure include Stanford, Princeton and John Hopkins. Companies include Google, IBM, Microsoft and Amazon. The bill is spearheaded by Rep. Anna G. Eshoo (D-Calif.) and Sen. Rob Portman (R-Ohio).
More news from the Hill:

National security watch

The United States will ban high-tech defense exports to Hong Kong.

The flags of China, left, and of the Hong Kong Special Administrative Region (HKSAR) are flown in Hong Kong. (Paul Yeung/Bloomberg News)
The move comes in response to China's new national security law that gives Chinese communist leadership a tighter grip over the semi-autonomous province, Matthew Lee at the Associated Press reports.
The move comes as U.S. officials are struggling to limit China's access to U.S. technology over national security fears.
“The United States is forced to take this action to protect U.S. national security,” Secretary of State Mike Pompeo said in a statement. “We can no longer distinguish between the export of controlled items to Hong Kong or to mainland China.”
More national security news:

Amid a global anti-Huawei effort that has seen mixed results, the U.S. sets another Chinese tech company in its crosshairs: Nuctech, a state-controlled firm that is quietly dominating Europe’s cargo and airport screening market.
The Wall Street Journal
Cybersecurity news from abroad:

Officials promised to recruit at least 500 cyberspies and build on the country’s offensive capabilities to take the online battle overseas.
New York Times

Russia’s surrender to Telegram’s Pavel Durov shows the increasing challenges for states seeking to control social media.
Isabelle Khurshudyan


  • The House Intelligence Committee will hold a hearing on U.S.-China relations and its impact on national security and intelligence in a post-coronavirus world on Wednesday at 12 p.m.
  • The Senate Judiciary Committee will consider the EARN IT Act, which critics say could undermine encryption, on Thursday at 10 a.m. 

Secure log off

Oregon's secretary of state talks about voting by mail on 60 Minutes. The state is one of five that votes almost entirely by mail.
“Try it, you might like it.”
Oregon’s Republican Secretary of State, Beverly Clarno, responds to President Trump’s claim that vote by mail is dangerous and subject to fraud. Oregon pioneered the practice in 1998.
— 60 Minutes (@60Minutes) June 28, 2020

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.