All four of the United States’ main global adversaries are investing heavily in offensive cyber capabilities and are more likely to use digital attacks to gain a strategic advantage, Director of National Intelligence Dan Coats told lawmakers Tuesday.
That assessment underscores how the United States is far more vulnerable in cyberspace than on the battlefield, in the air, or at sea, where it remains superior to its adversaries.
As a result, the cyberattack capabilities of China, Russia, Iran and North Korea are “growing in potency and severity” and “threatening both minds and machines in an expanding number of ways,” Coats told the Senate Intelligence Committee during an annual hearing on worldwide threats.
“As the world becomes increasingly interconnected, we expect these actors to rely more and more on cyber capabilities when seeking to gain political, economic and military advantages over the United States and its allies and partners,” Coats said.
He described all four nations in written testimony as capable of launching cyberattacks against critical infrastructure such as energy or electrical systems, which could cause, at least, temporary disruptions to American life.
Moscow, in particular, “is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage,” according to the testimony.
Here are four big takeaways from the hearing:
1. Elections are still a target.
Russia, which launched a hacking and disinformation operation to undermine the 2016 presidential election, remains interested in conducting similar operations during the 2020 election, FBI Director Christopher Wray warned.
What’s more, “other countries are taking a very interested eye in that approach,” Wray said.
The U.S. government has distributed $380 million in election security grants to states since Russia’s 2016 election operations and the Homeland Security Department has helped states with vulnerability scans and cybersecurity advice. Many election systems remain vulnerable to hacking, however, according to independent tests.
2. China is the real threat to watch.
Much of the governmental and intelligence focus of the past two years has been on the threat of Russian hacking and disinformation campaigns, but China poses a greater long-term strategic threat, Wray said.
Chinese digital theft of intellectual property, which declined significantly after a 2015 agreement between President Barack Obama and Chinese leader Xi Jinping, has rebounded dramatically in the fast four years, Wray said, calling China “the most significant counterintelligence threat we face.”
The FBI is conducting economic espionage investigations in “virtually every one” of its 56 field offices Wray said, and “almost all of them lead back to China.”
Intelligence leaders and senators also focused on the telecommunication giant Huawei during the hearing, which officials have warned could be a platform for Chinese digital snooping. Congress banned Huawei from government contracts last year and the White House is considering an executive order barring the company from U.S. systems entirely. The Justice Department also indicted Huawei officials this week for allegedly evading U.S. sanctions on Iran and stealing robotic technology from T-Mobile.
“It seems to me they have to decide: They’re either going to be a worldwide telecommunications company or an agent of the Chinese government,” Sen. Angus King (I-Maine) said of Huawei. “They can’t be both.”
3. The shutdown’s making it harder to recruit top talent.
The Intelligence Committee’s ranking Democrat Mark R. Warner (Va.) fretted during the hearing that the partial government shutdown that concluded Friday could make it far more difficult for the FBI and other intelligence agencies to recruit top talent.
The shutdown forced FBI cyber agents to work without pay and hampered numerous cyber investigations.
“If we cannot guarantee that people who work for the United States government aren’t going to be used as hostages for either side of a political debate, then I think our ability to recruit and retain will go down dramatically,” Warner warned.
The FBI is “still assessing the operational impact of the shutdown,” Wray said, though he described the shutdown as an “incredibly negative and painful experience” for FBI agents and their families. He did not say what effect it might have on recruiting and retention.
4. It's the big four adversaries - with an asterisk.
Intelligence leaders focused almost exclusively during the hearing on cyber threats posed by Russia, China, Iran and North Korea, rather than cyber threats posed by terrorist groups or nations with less advanced cyber capabilities.
That tracks with conventional wisdom in recent years that the sort of large scale cyberattacks that would cause significant disruption to U.S. life or even deaths are beyond the capabilities of existing terrorist organizations.
Coats’ written testimony merely warned of terrorists launching distributed denial of service attacks or defacing Web and social media sites.
The report does warn, however, that foreign criminal groups could launch cyber strikes that disrupt the health care, financial or emergency service sectors “based on the patterns of activities against these sectors in the last few years.”
The intelligence community is also increasingly seeing “nation states enlisting the help of criminal hackers, which is a form of outsourcing that makes it even more of a menace,” Wray warned.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Warner is also seeking answers from Homeland Security Secretary Kirstjen Nielsen about the impact that the shutdown had on the government's ability to fend off cyberthreats. Warner asked Nielsen in a letter whether DHS noticed an increase in attempted cyberattacks during the shutdown. “It’s my sincere hope that we will not come to learn that malicious actors opportunely chose to exploit our defenses while hundreds of thousands of government employees were needlessly pulled away from their jobs,” Warner wrote.
The senator also expressed concerns about the toll that the shutdown took on employees' morale and on the federal government's ability to recruit cyber professionals. “Needless shutdowns like this one have the effect of discouraging talented individuals from joining the Federal workforce, and pushes some of our best towards alluring careers in the private sector,” Warner said, before asking what DHS intends to do to address those issues. He also asked Nielsen what kind of work DHS was able to carry out to strengthen election security as the shutdown went on.
PATCHED: The shutdown might not have been that bad for cybersecurity, according to a report out this morning from the ratings company Security Scorecard. The company assessed government agencies on three security metrics before and during the shutdown — network security, the cadence of installing software patches and the “endpoint security” of government devices.
Government agencies’ scores overall dropped slightly on the network security metric — largely because of a well-documented issue of website security certificates expiring. The government actually raised its score in the other two categories, however.
There’s no definitive explanation for why the government’s patching score improved, but it’s a reasonable guess that IT security staff who remained at work had more time to deal with routine patching while other operations were shuttered, Security Scorecard’s Chief Research and Development Officer Alex Heid told me.
The endpoint security score almost certainly improved because furloughed workers weren’t on their phones and laptops and so they were not making poor security decisions, Heid told me. The survey does not address numerous other potential vulnerabilities that aren't visible on the public internet.
PWNED: Policymakers should expand intensive and hands-on cybersecurity training programs in the United States to teach technical skills that employers often struggle to find among applicants, according to a report from the Center for Strategic and International Studies. While many cybersecurity training and education programs teach skills such as policy planning and compliance audits, organizations seeking to hire cyber professionals often need workers with technical backgrounds. “What organizations are truly desperate for are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks,” according to the report.
Additionally, employers should set up internal retraining initiatives to help fill cybersecurity shortages and educators should emphasize teaching computing fundamentals, according to the authors. “Instructors should work to incorporate hands-on learning opportunities like competitions, challenges, and cyber ranges into cybersecurity curricula to build practical skills in students and forge partnerships with local employers to allow students to partake in apprenticeships and internships that will expose them to the cybersecurity work environment,” the report said.
— Rep. Jim Langevin (D-R.I.) said Congress should have fewer committees with oversight on cybersecurity issues to accelerate the government's response to cyberthreats, Nextgov's Jack Corrigan reported. “You want to limit [legislation] to a few different committees and put a time frame on how long they have to mark it up — speak now or forever hold your peace,” Langevin told Corrigan. “That would motivate a lot of committees to step up their game and allow legislation to move forward.”
Speaking at the State of the Net conference, Langevin also said he intends to reintroduce a nation-wide consumer data breach notification bill. Under the legislation, businesses would have 30 days to disclose such breaches. Previous versions of the bill have been stymied by disputes over whether states woud be allowed to retain stronger breach notification requirements.
— U.S. District Judge Lucy Koh in San Jose rejected a data breach settlement proposed by Yahoo, Reuters's Jonathan Stempel reported. Three breaches affected about 3 billion accounts from 2013 to 2016. “The settlement called for a $50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly 1 billion accounts,” according to Reuters. “But the judge said the accord did not disclose the size of the settlement fund or the costs of the credit monitoring, and the proposed class may be too big because the number of ‘active’ users that Yahoo disclosed privately to her was far lower.”
— More cybersecurity news from the public sector:
— The cybersecurity company FireEye said in a report that an Iranian cyber espionage group called APT39 has targeted telecommunications companies and high-tech industries to steal personal information, the Hill's Olivia Beavers reported. APT39 is focusing its activities in the Middle East even though its “targeting scope is global,” Beavers reported. “Targeting data supports the belief that APT39's key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms,” the report said, according to the Hill.
— Google's Chrome security team is pursuing efforts to spot URLs that look unusual or suspicious to make Internet users safer, Wired's Lily Hay Newman reported. Hackers can use complicated URLs to trick or confuse users and carry out scams. To help remedy the problem, the Chrome security team is launching a tool called TrickURI “that collects both legitimate and sneaky URL samples to train machine learning algorithms about potentially phishy sites,” according to Wired.
— More cybersecurity news from the private sector:
— Canadian Public Safety Minister Ralph Goodale said a decision by Canada on whether to ban Chinese telecommunications giant Huawei from its 5G networks is “some way off into the future yet,” Reuters reported. “It’s certainly beyond weeks,” Goodale said when he was asked about the timing of a decision, according to the news agency. On Monday, Warner, the U.S. Democratic senator from Virginia, said in a statement following charges against Huawei in the United States that he would “continue to strongly urge our ally Canada to reconsider Huawei’s inclusion in any aspect of its 5G infrastructure.”
— More cybersecurity news from abroad:
- BSidesPhilly cybersecurity conference in Philadelphia on Friday.
- B-Sides Tampa cybersecurity conference in Tampa on Saturday.
Polar vortex brings snow, plunging temperatures to D.C. region:
Watch Elon Musk's jet flights in 2018:
The political pitfalls in the race to 2020: