Responsibility for the nation’s cybersecurity is spread piecemeal throughout the government without a single person or agency in charge. That creates dangerous gaps that U.S. adversaries could exploit to hack the government or critical infrastructure, two prominent Senate Republicans told me.
Homeland Security Chairman Ron Johnson (Wis.) and Mike Rounds (S.D.), chair of the Armed Services Committee’s cyber panel, are mulling how they might create a centralized government authority for cybersecurity issues.
The goal would be an office that could make sure the Homeland Security, Defense and Justice departments are effectively sharing information and working toward common goals, the senators said.
For example, the Defense Department, which is authorized to conduct clandestine military activities in cyberspace, might not be as clued in as DHS is to how some of those activities could prompt retaliation against U.S. businesses. Rounds also noted that some parts of the government were concerned for several years that Chinese telecom giant Huawei could use its position inside global telecommunications infrastructure to spy on behalf of the Chinese government -- but the U.S. did not act until recently.
“Our role is to make sure we don’t miss the seams between the Defense Department and the Department of Homeland Security, between DoD and the intelligence community,” Rounds told me.
The senators don’t have a firm proposal for what the office would look like and are in the very early planning stages, they both said. Examining the issue probably will be a major focus for the Homeland Security Committee this Congress, Johnson told me.
He’s also open to considering vesting the authority in an existing agency, such as DHS or DoD, he said.
“We need someone in charge,” Johnson repeated several times.
While details are far from clear, any solution would have to reduce bureaucracy rather than increase it, Rounds said.
He praised a recent White House memo that eased the process for the military to launch offensive hacks as an example of a sucessful effort to make government cyber policy more agile and responsive to the nation's needs. That move was paired with new legislation that explicitly defined the military's authority to launch offensive cyber operations.
“Before we take any action, we want to make sure we’ve basically vetted the process out and tried to take the whole nation into account,” Rounds told me. “We’ve got several different concepts laid out but not one that I’ve felt comfortable enough to move forward with yet.”
DHS currently has primary authority for civilian cybersecurity while the Pentagon manages the military side. A DHS official told me in an email that the department's "top priority is ensuring effective operational relationships with our interagency partners in support of the private sector."
The idea of a new overarching cyber agency got mixed reviews from former cyber officials I spoke to.
Frank Cilluffo, a former White House cybersecurity official, said that reorganizing government cyber authorities would be a “difficult task but probably worth doing.”
There probably would be turf battles between agencies, he said, and conflicts about broader goals. But that would be outweighed if the change resulted in a government that’s fully coordinated around securing the nation against cyberthreats and punishing adversaries that launch them, said Cilluffo, now the director of the McCrary Institute for Cybersecurity and Critical Infrastructure Protection at Auburn University.
Cilluffo compared the shift to the reorganizing of the intelligence community after 9/11, when the shock of a major attack forced agencies to break down information stovepipes and to work more closely together. The government also created a director of national intelligence in the wake of that attack.
“I do think you need a quarterback who can orchestrate some of these pieces, and an offensive coordinator and a defensive coordinator who can put together a full game plan,” Cilluffo told me.
Yet Phil Reitinger, a former DHS cyber official, warned that reorganizing government might be less effective than making sure the current system is working as well as it should. Creating a new agency without working out exactly what’s wrong with the current system is “a recipe for disaster,” he said.
If agencies aren’t coordinating enough on cybersecurity issues, then maybe DHS or the White House should be in charge of fixing that rather than a newly created agency, suggested Reitinger, who now leads the Global Cyber Alliance, a public-private partnership focused on raising international cybersecurity standards.
“I worry that reorganization as a solution is magical thinking,” he said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: In other Johnson news: the Senate Homeland Security chairman and his staff have stalled efforts to enact cybersecurity legislation on issues such as election security and Internet of Things devices over the past four years, Politico's Tim Starks and Eric Geller reported. Critics say Johnson, who used to work in manufacturing and has helmed the committee since 2015, has opposed legislation that could establish new standards for the private sector to follow because he regards regulations with aversion. Mieke Eoyang, vice president for the national security program at the centrist think tank Third Way, told Politico that Johnson's committee “is the place where legislation goes to die on cybersecurity.”
But Johnson and his aides defended his record on cybersecurity, and Johnson also said he has sent more than 100 letters to government agencies in an effort to conduct oversight on cybersecurity matters. “Protecting our nation against ever-evolving cyber threats is a significant challenge and one I take very seriously,” Johnson told Politico in a statement. “We will continue our bipartisan, aggressive oversight and legislative efforts in the 116th Congress.”
PATCHED: Sens. Amy Klobuchar (D-Minn.) and John Thune (R-S.D.) introduced a bipartisan bill to help the federal government remedy its shortage of cybersecurity workers, according to a news release from Klobuchar's office. The legislation would create an exchange program allowing cyber professionals from the private sector and the academic world to do tours of duty of up to two years in the federal government. “Our country’s cybersecurity should be a top priority, but currently, our government needs additional cyber security experts to ensure we are not vulnerable to attacks from adversaries and cybercriminals,” Klobuchar said in a statement.
The Cyber Security Exchange Act would also set up a program for federal cyber workers to do tours of duty in the private sector and use the knowledge acquired there to help secure the government's systems. Thune said in a statement that “the exchange of ideas and best practices that this bill would facilitate would better position our national security community” to fend off cybersecurity threats. Klobuchar last week also reintroduced cybersecurity legislation with Sen. Dan Sullivan (R-Alaska) to create a program at the State Department to help share information about election security with U.S. allies.
PWNED: The European Union is mulling a potential response to alleged attacks from the Chinese government-linked hacker group APT10, according to Bloomberg News's Natalia Drozdiak, Nikos Chrysoloras and Kitty Donaldson. Responses that have been discussed include sanctions or a joint warning. E.U. member states considered potential responses after a briefing from British experts last month about software and hardware attacks from APT10.
“For any retribution against China tied to the APT 10 attacks, the EU would need to agree unanimously that the country was responsible and not all EU members currently agree, according to one of the people familiar with the matter,” Bloomberg News reported. “The EU is developing protocols to respond to malicious cyber activities, for instance by imposing sanctions, but it can be challenging to clearly attribute actions to any individuals or nation-state.”
The Department of Homeland Security said last week that APT10 still represents a threat to U.S. businesses even though it has kept mostly quiet following the indictments of two of its members last year, FCW reported. The cybersecurity companies Recorded Future and Rapid7 also said in a report last week that the hacking group penetrated the network of the Norwegian software company Visma.
— Secretary of State Mike Pompeo said in Hungary that U.S. allies using equipment from Chinese telecommunications giant Huawei would make it harder for the United States to “partner alongside them,” Reuters's Lesley Wroughton and Gergely Szakacs reported. “We want to make sure we identify (to) them the opportunities and the risks of using that equipment,” Pompeo said in Budapest, according to Reuters. U.S. officials have said that Huawei equipment could be used as a platform for Chinese spying.
— Sen. Ron Wyden (D-Ore.) demanded that Apple and Google “immediately remove” from their app stores an app from the Saudi government that can allow Saudi men to track Saudi women's travel and prevent them from leaving Saudi Arabia. Wyden made the request in a letter to Apple chief executive Tim Cook and Google chief executive Sundar Pichai after Business Insider's Bill Bostock reported that Google Play and Apple's iTunes are hosting the app, which is called Absher.
“By permitting the app in your respective stores, your companies are making it easier for Saudi men to control their family members from the convenience of their smartphones and restrict their movement,” Wyden said in the letter. “This flies in the face of the type of society you both claim to support and defend.”
— More than a third of employees in a sample of Federal Housing Finance Agency workers failed an email phishing test, according to a report from FHFA's Office of Inspector General, FCW's Derek B. Johnson reported. “Auditors ran a mock phishing attack against 50 employees as part of an annual Federal Information Systems Management Act audit and found that 17 — or 34 percent — failed the test,” Johnson wrote. “The report is substantially redacted, and it's not clear how many employees may have actually clicked on a malicious link or failed to follow other internal protocols.” You can read the report here.
-- Russian officials are considering temporarily unplugging the nation from the Internet to test how it would fare during a major cyberattack, NPR’s Sasha Ingber reported.
The plan comes as part of a bill in the Russian parliament that would require internet providers to ensure they can still operate even if adversaries attempt to isolate the Russian internet, according to the report, which cites Russian media.
— A Pew Research Center survey found that respondents around the world see climate change, terrorism from the Islamic State group and cyberattacks as major security threats. Cyberattacks from other countries were seen as the top international threat by respondents in the United States, according to the survey. Cyberattacks were also named as the top threat by respondents in Japan, the Netherlands and South Africa. The report said that there has “been a substantial jump in those who see cyberattacks from other countries as a top threat. In 2018, a median of 61% across the countries see cyberthreats as a serious concern, up from 54% who said this in 2017.” The survey was conducted from May 14 to Aug. 12, 2018, among 27,612 respondents in 26 countries.
— More cybersecurity news from abroad:
- House Homeland Security Committee hearing on election security tomorrow.
- The Center for Strategic and International Studies holds an event on digital surveillance tomorrow.
- Senate Homeland Security and Governmental Affairs Committee business meeting to consider several cybersecurity bills tomorrow.
- The Bipartisan Policy Center and the Democracy Fund hold an event titled “The voting experience: 2018 and the future” on Thursday.
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework” on Feb. 27.
Trump's softened tone toward North Korea:
Lawmakers react to Rep. Omar’s apology:
Voices from Venezuela: Why Hugo Chávez still looms large over his nation and its people.