with Aaron Schaffer

The United States should get far more aggressive at punching back against cyber adversaries including ransomware gangs operating in Russia, Sen. Angus King (I-Maine) says. 

President Biden denounced cyberattacks from both the Kremlin and Russian criminal gangs during his summit meeting with President Vladimir Putin this month. That was a good first step, King told my colleague Ellen Nakashima during a Post Live event.

But the next vital move is for U.S. officials to respond to such attacks with swift and harmful consequences, said King, who co-leads a major cybersecurity commission that is pushing for far more rigorous government cyber policies. 

“We've been a cheap date in cyber where we've been attacked repeatedly in a variety of ways [with] no real serious response,” King said.

He added, “I want somebody in the Kremlin, in the Politburo to say, ‘Gee, boss, I'm not sure we ought to do this because we're liable to get whacked in some way by those Americans.’”

Sen. Angus King (I-Maine) says while he doesn’t know whether the U.S. should engage in cyber retaliation in response to attacks from adversaries, he does believe there should be some sort of deterrent or disincentive for bad actors. “We’ve been a cheap date in cyber, where we’ve been attacked repeatedly in a variety of ways, and no real serious response…I believe having a deterrent is absolutely critical…Cyber is cheap. Putin can hire 8,000 hackers for the cost of one jet fighter. Think of that for a second. So that means cost is not a deterrent or a disincentive.” (Washington Post Live)

King stopped short of insisting that the United States retaliate for cyberattacks by hacking back — something critics say the government has been too hesitant about. 

He did say that U.S. responses thus far — which have focused on sanctioning Russian officials and state-owned enterprises and indicting hackers who are not likely to reach a U.S. courtroom — haven’t been nearly punitive enough. 

“The important thing is that we have a clear declaratory policy that there will be a costly response,” he said. “I think it has to be specific and it has to be quick.”

King also wants the U.S. Cyber Command to disrupt the operations of criminal ransomware gangs.  

Those gangs are responsible for a slew of attacks that tied up computer networks at Colonial Pipeline and the JBS meat processing firm as well as schools, local governments and other organizations.

It would seemingly be an expansion of work the military cyber unit is already doing to halt criminal hacking groups in Russia from aiding the Kremlin. 

For example, Cybercom disrupted the world’s largest botnet — a band of zombie computers harnessed by Russian criminals for ransomware and other attacks — to ensure it wasn’t used to interfere in the 2020 election. Military hackers also disrupted Internet connectivity at a Russian troll farm, the Internet Research Agency, before the 2018 midterms, and the digital operations of the Islamic State.

However, it could backfire if the U.S. military gets too aggressive in cyberspace, Kevin Mandia, CEO of the cybersecurity firm FireEye, warned at the same Post Live event.

Because the United States relies more on Internet connectivity than other nations, it is also more vulnerable in a hacking exchange, Mandia said. 

“We're in the glass house in cyber,” he said. “If the cyber domain is where we choose to go tit for tat, the challenge we've got is we stand to lose more as a nation than other nations.”

FireEye CEO Kevin Mandia says one challenge the U.S. faces using cyberattacks as a defense is the asymmetry of it. “We’re in the glass house in cyber. That doesn’t mean our defenses are bad. What I’m saying is we’re in the expensive house…we stand to lose more as a nation than other nations.” (Washington Post Live)

King pressed for stronger cybersecurity requirements for critical U.S. industries.

The Department of Homeland Security is in the process of creating mandatory cybersecurity requirements for oil and gas pipelines in the wake of the Colonial Pipeline ransomware attack, which disrupted oil supplies to the southeastern United States. Government has been slow, however, to consider cybersecurity mandates for other critical sectors such as agriculture, energy and water. 

Some critics are skeptical that government regulations can be nimble enough to keep up with cyber threats. 

One option, King suggested, would be to require critical industries to undergo live-fire cybersecurity testing by ethical hackers working for either a government agency or cybersecurity companies contracted for the purpose.

“There's nothing like a skull and crossbones coming up on the CEO's desktop to let them know how vulnerable they are,” he said, referring to a not-so-subtle message the ethical hackers might send a company. 

Those reviews, called penetration testing, are increasingly common in some industry sectors such as financial services, but are far from widespread.

Mandia endorsed the idea of penetration testing critical infrastructure. Those tests may be part of a broader expansion of cybersecurity regulations for the most critical industry sectors, he said. 

“As a private-sector CEO, whenever you hear the term regulation, you have to twitch and say, ‘No, not that.’ That's the default answer out of the gates,” he said. “But…here's the facts. I think regulated industries ordinarily, when they're regulated in regard to the cybersecurity risk, probably are better defended.”

The keys

We're heading into the July 4 holiday without a permanent CISA leader.

A confirmation vote for Biden's nominee to lead the Cybersecurity and Infrastructure Security Agency, Jen Easterly, was blocked by Sen. Rick Scott (R-Fla.). Scott lifted his hold after Vice President Kamala Harris visited the southern border last week, but a vote on Easterly's confirmation will still wait until after the holiday.

Sen. King urged a confirmation as quickly as possible. 

Sen. Angus King (I-Maine) says he’s hopeful Jen Easterly, the nominee to serve as Director of the Cybersecurity and Infrastructure Security Agency, will be confirmed by the Senate immediately after they return from recess. (Washington Post Live)

House lawmakers proposed a big budget boost for CISA.

The $2.4 billion for the agency in this year’s House appropriations bill would be an increase of nearly $400 million compared to last year’s budget. It’s also an increase of $288 million over Biden’s budget request for the agency. 

The House Appropriations Committee’s homeland security panel plans to discuss the proposal today.

Former CISA director Chris Krebs called the budget proposal “an indicator of Congress’s confidence in a growing/maturing agency”:

Federal agencies' use of facial recognition systems raises major privacy concerns, a government watchdog says.

Use of the technology is widespread with at least 20 U.S. government agencies adopting it in recent years, Gerrit De Vynck reports. Facial recognition has been used to identify people suspected of breaking the law during protests after the killing of George Floyd and people who participated in the Jan. 6 Capitol riot. 

Some agencies told the Government Accountability Office that they used their own facial recognition databases, but most said they used databases created by outside companies like Clearview AI, which claims to have scraped 3 billion face images from the Internet. 

Many agencies couldn’t say for sure what systems they used, something the GAO said needed to change.

An NSA surveillance program continues to operate with little oversight.

Years after it was publicly exposed by NSA contractor Edward Snowden, the XKeyscore program has serious issues, Privacy and Civil Liberties Oversight Board member Travis LeBlanc told Ellen Nakashima. LeBlanc was the only member of the board to vote against approving a classified report on an investigation into the program in December.

“What most concerned me was that we have a very powerful surveillance program that eight years or so after exposure, still has no judicial oversight, and what I consider to be inadequate legal analysis and serious compliance infractions,” LeBlanc said. 

NSA officials defended the program, saying the agency conducted appropriate legal reviews into its use and has protections to safeguard the privacy of Americans.


Daybook

  • The House Energy and Commerce Committee holds a hearing on cybersecurity legislation and securing U.S. networks today at 10:30 a.m.
