The Trump administration isn’t doing enough to deter Russian cyberattacks, according to an overwhelming 94 percent of cybersecurity experts surveyed by the Cybersecurity 202.
The White House insists that it’s mounting a robust response to digital offensives against election systems and other critical infrastructure. We asked The Network, a panel of more than 100 cybersecurity leaders from government, academia and the private sector, to share their opinions in our ongoing, informal survey. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
Our survey revealed broad doubts among experts about the country's deterrence strategy after President Trump, at a July press conference with Russian President Vladimir Putin, chose not to back the U.S. intelligence community's conclusions that Moscow directed the cyberattacks aimed at disrupting the 2016 presidential election.
“Deterrence depends on a credible promise to take stern action. The Helsinki summit makes it impossible for the world to believe that this president will take stern action against Putin,” said Peter Swire, former chief counselor for privacy at the Office of Management and Budget and a member of President Barack Obama’s Review Group on Intelligence and Communications Technology.
And it's not just Helsinki: Even though Trump later tried to walk back those comments to say he believed the election interference took place, he also insisted it "could be other people also" besides Russia. “When the President casts doubt on whether Russia is responsible, that undercuts any responsive actions the administration may take — such as sanctions — and sends the message that Russian malign activity in cyberspace is okay — not deterring them but encouraging them to do it again since there are no costs if doing so,” said Christopher Painter, the State Department’s former top cyber-diplomat.
Another expert who spoke on condition of anonymity put it bluntly: “The president must set the tone.”
Some experts pointed to steps the Trump administration is taking to counter Russian aggression in cyberspace. Officials have imposed sanctions on Kremlin-linked individuals and businesses (though they did so under a mandate from Congress). The Justice Department has indicted Russian government hackers and Internet trolls for their roles in the Kremlin’s 2016 election interference. The Department of Homeland Security is leading a nationwide push to help states improve election security ahead of the November midterms. And the National Security Agency and U.S. Cyber Command have teamed up to combat Russian election interference.
But many still said those efforts aren't strong enough to prevent future attacks. “Russia appears to feel no compunction about continuing to penetrate our critical infrastructure whenever and wherever possible,” said Ashley Deeks, who serves on the State Department’s Advisory Committee on International Law. “This suggests that sanctions and criminal indictments are not having a strong deterrent effect.”
“Deterrence means stopping someone from doing what they would otherwise do by threatening a retaliation that is both credible and potent,” said Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “I can’t find, within the Trump administration's policies and actions, signals of a clear deterrent that meets either of those thresholds. If the administration believes differently, then their deterrence policy is clearly failing.”
Part of the problem is that there’s no clear leader in the White House heading up the government’s response to Russian cyberattacks, some experts said. The two logical choices recently left: Tom Bossert, Trump’s homeland security adviser and cybersecurity czar, was forced out in April amid turnover on the National Security Council, and White House cybersecurity coordinator Rob Joyce departed soon after.
“While the White House is allowing individual agencies to do some good work to bolster our cyberdefense against additional Russian hacking, no senior official in the Trump administration has been empowered (and held accountable) to drive this effort, and no clear outcomes or metrics for measuring success have been articulated,” said Michele Flournoy, who served as undersecretary of defense for policy during the Obama administration.
“We need a White House cyber-coordinator,” said Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode. “Cybersecurity is a multicountry and private-public sector challenge. It requires someone in the White House to coordinate over the State Dept., Commerce Dept., DHS, and the intelligence agencies.”
Mark Weatherford, a former deputy undersecretary for cybersecurity at the Department of Homeland Security, agreed there was a leadership vacuum in the administration. “It isn't clear they are doing anything and even less clear who is in charge and supposed to be doing something,” he said. “The lack of urgency on an issue so important to our democracy is astonishing.”
Flournoy noted that the president had recently convened a meeting with top national security and intelligence officials to discuss the administration’s efforts to safeguard the 2018 elections. But the high-profile engagement was “for show — so the White House could say the president had a meeting on the subject,” she said. “No new actions, urgency or resources resulted from it. Nor has the White House imposed serious costs on Russia for its meddling to date, which undermines its ability to deter future meddling.”
Others said the administration needs to outline a concrete, comprehensive strategy for responding to cyberattacks. “Sanctions are not enough. Naming and shaming does not provide any deterrence. And having only one person advise the president on all cyber-issues has been ineffective for years,” said Geoff Hancock, a principal at Advanced Cybersecurity Group and adjunct professor at George Washington Center for Cyber and Homeland Security. “We need to have a strong cyber-doctrine and deterrence plan and an offensive strategy.”
Such a strategy “must be a whole-of-government project, involving diplomacy, political activity and military force,” added Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center.
Better deterrence should also include better cyberdefense and more training for government pros, said Steve Grobman, McAfee's chief technology officer. "A combination of deploying defensive technology to defend the broad range of systems that are attractive targets along with training cyber-security professionals at all levels of government to respond effectively needs more attention."
There's also a public education component, he added. "The administration also needs to more aggressively help educate the public on how information warfare campaigns work and inoculate the public from being influenced by propaganda that can result from cyberattacks. Specifically, more education is needed to educate the public that released breached data should never be trusted as it can be intertwined with fabricated information for the purpose of creating a false narrative."
The Obama administration shares blame for the country's failure to stave off digital attacks, said Nuala O’Connor, president and CEO of the Center for Democracy and Technology. “Our government — under multiple administrations — has been slow to recognize the very real threats posed to critical infrastructure, to private-sector companies, and to our political discourse, leaving the responsibility of securing our digital borders to the hard-working CIOs, CISOs, and security teams of U.S. companies, large and small,” she said. “Our government has also been far too slow in securing some of our basic institutions and functions of democracy from cyber attack, perhaps most notably, our election systems.”
But the Trump administration shouldn't keep trying to pin the country’s failures in cyberspace on its predecessor, another expert said: “There’s no action taken that they can point to that would make the Russians think twice about their active measures campaigns. Their most commonly used talking point is ‘Obama did nothing.’ When you’re spending your time arguing someone else didn’t do enough, you’re just trying to guide the conversation away from your own lack of effective action.”
A handful of respondents said they believed the administration was doing enough to deter cyberattacks from Russia.
One pointed in particular to a recent report released by Deputy Attorney General Rod J. Rosenstein that outlined a new Justice Department policy to alert the public to malign foreign influence operations targeting U.S. democracy. The report also lays out the department's efforts to fight cybercrime. “This is about optics as much as anything else,” the expert said. “Do not take my word for it, read Rod Rosenstein's report. If you can do better, stand up.”
PINGED: “The Federal Communications Commission misled the public when it claimed last year that a cyberattack was hindering Americans' ability to make their views known about net neutrality, according to an internal investigator’s report released Tuesday,” The Washington Post’s Brian Fung reported. “The report finds that the FCC — relying on information provided by its then-chief information officer — ‘misrepresented facts and provided misleading responses to Congressional inquiries related to this incident.’ The report also said that despite describing the event as a cyberattack, the FCC failed to follow the established cybersecurity policies that are routine in the aftermath of such an event.”
A May 8, 2017, press release attributed the disruption of the commission’s systems to cyberattacks after HBO host John Oliver aired a segment on net neutrality on his show late on May 7. But the FCC inspector general’s report contradicts this account. “Investigators were unable to find evidence backing up an FCC press release, published under the name of David Bray, the chief information officer, asserting that ‘the FCC was subject to multiple distributed denial-of-service attacks’ overnight between May 7 and May 8, 2017,” according to my colleague. “Although Bray said the FCC’s electronic comment system remained functional throughout the incident, his statement also blamed unidentified outside actors for clogging the system and making it harder for ‘legitimate commenters’ to participate in the agency’s decision-making process.”
PATCHED: The Knight First Amendment Institute at Columbia University is asking Facebook to modify its terms of service in order to create a “safe harbor” for journalists and researchers who carry out investigations in the public interest on the social network, my colleague Ellen Nakashima reported on Tuesday. The institute sent the letter Monday to Facebook chief executive Mark Zuckerberg on behalf of several journalists and researchers who work or used to work for the New York Times, PBS NewsHour, Gizmodo Media Group, Princeton University and the University of Michigan School of Information.
“Automated collection allows journalists and researchers to generate statistical insights into patterns and information flows on Facebook’s platform, said Ramya Krishnan, legal fellow at the Knight institute,” Ellen wrote. “Sometimes journalists and researchers have attempted to set up temporary research accounts, using a variety of names and biographical attributes, to enable them to assess how the platform responds to different profiles, she said.” But Facebook’s rules bar those practices, according to the Knight institute. “We have spoken to a number of journalists and researchers who have modified their investigations to avoid violating Facebook’s terms of service, even though doing so made their work less valuable to the public,” the institute said in the letter. “In some cases, the fear of liability led them to abandon projects altogether.”
PWNED: Sens. Chris Van Hollen (D-Md.) and Benjamin L. Cardin (D-Md.) want an investigation into an investment by a Russian-backed fund in a company hosting Maryland's election management system. “ByteGrid hosts Maryland’s voter registration system, candidacy and election management system, online ballot delivery system, and unofficial election night results website,” Van Hollen and Cardin wrote Tuesday in a letter to Treasury Secretary Steven Mnuchin. “Access to these systems could provide a foreign person with ties to a foreign government with information that could be used for intelligence or other purposes adverse to U.S. interests.”
The senators asked for the Committee on Foreign Investment in the United States, a panel chaired by Mnuchin that is tasked with reviewing whether transactions that may give control of American businesses to foreigners could threaten national security, to examine a transaction between ByteGrid LLC and AltPoint Capital Partners. “In 2015, ByteGrid LLC was financed by AltPoint Capital Partners, whose fund manager is a Russian and its largest investor is a Russian oligarch named Vladimir Potanin,” my colleague Ovetta Wiggins reported last month. Van Hollen and Cardin said the relationship between the two companies “must be carefully scrutinized, and if the administration determines that it poses a threat to national security, appropriate remedies must be pursued.” For instance, the CFIUS could require AltPoint Capital Partners to divest from ByteGrid LLC, the senators wrote.
— The FBI’s Internet Crime Complaint Center said scammers increasingly mention personal information about the people they try to extort online or by postal mail in order to make their threats seem more real and frighten their victims. For instance, extortionists may send an email that includes a user name or password of the victim “to add a higher degree of intimidation to the scam,” according to a notice released by the center on Tuesday.
Scammers may say they installed malware on an adult-video website that they claim the victim visited, and they could also threaten to reveal embarrassing stories about the recipient. Another feature of extortion schemes is a demand that a ransom be paid in bitcoin and usually within 48 hours. “The FBI does not condone the payment of extortion demands as the funds will facilitate continued criminal activity, including potential organized crime activity and associated violent crimes,” the notice said.
— “Research funded by the Department of Homeland Security has found a ‘slew’ of vulnerabilities in mobile devices offered by the four major U.S. cell phone carriers, including loopholes that may allow a hacker to gain access to a user’s data, emails, text messages without the owner’s knowledge,” Fifth Domain’s Justin Lynch reported Tuesday. “The flaws allow a user ‘to escalate privileges and take over the device,’ Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate told Fifth Domain during the Black Hat conference in Las Vegas.”
— “Software giant Oracle is challenging the Pentagon’s decision to choose just one company for a not-yet-awarded $10 billion cloud computing contract, according to a bid protest document reviewed by The Washington Post, firing off a salvo in what is shaping up to be a heated competition among tech giants for one of the biggest government software contracts in years,” my colleague Aaron Gregg reported on Tuesday. “Oracle took the unusual step of bringing its protest long before contractors have even submitted bids, alleging that the procurement of what is called the Joint Enterprise Defense Infrastructure (JEDI) has been problematic from the outset.”
— “Iranian hackers are developing software attacks that render computer systems inoperable until a digital ransom is paid, a new report says, a threat that comes as the U.S. moves to reimpose tough economic sanctions on the country,” The Wall Street Journal’s Robert McMillan reported on Tuesday. “Over the past two years, researchers at Accenture PLC’s iDefense cybersecurity-intelligence group have tracked five new types of so-called ransomware they say were built by hackers in Iran. The ransomware appears to be an attempt to secure payments in digital currencies such as bitcoin, Jim Guinn, head of Accenture’s industrial cybersecurity business, said in an interview.”
- Black Hat USA security conference through tomorrow in Las Vegas.
- DEF CON security conference tomorrow through Aug. 12 in Las Vegas.