Congress, the Executive Branch and the Cyber Threat

Congress and the Executive Branch are getting much more serious about America's vulnerability to cyber attacks, according to a panel of experts at a Congress Project seminar May 17. However, they are only beginning to develop a comprehensive cybersecurity policy strategy and have a long way to go in forging the necessary partnerships with the private sector and other nations. This is a problem of global dimensions that demands immediate attention, the experts agreed.

Marcus Sachs, a former National Security Council cybersecurity staffer under President George W. Bush and now director for cyber policy at Verizon, pointed out that the insecuritiy of cyberspace "doesn't always have to be this way; it's all man made," and we can design a much more secure system if we want to. What we now refer to as the Internet was originally designed for a few academics and scientist back in the 1960s and ‘70s to share their research in an open and trusting environment. In the 1980s the theoretic prospect of malicious network activity emerged with a worm named "Morris" that was not designed to do harm but did. In the 1990s, when the system became publicly available, there were attacks from so-called "script kiddies"—mostly amateur pranks, bujt with some at prominent sites like the White House, FBI and corporations. After 9/11, concerns arose that terrorists would attempt to bring down the system, but Sachs said it soon became apparent that they weren't interested because they depend too much on it—-much as organized crime does. The biggest problem today is cybercrimes committed by those intent on stealing money and intellectual property from others. Exact copies of U.S. factories were built in the East Asia based on stolen blueprints, and which makes products competing with the Amerian originals. The "big wave" coming is "cloud computing"--the creation of fake or counterfeit information. "If they're creating fake hardware, what's to prevent them from creating fake networks." Sachs said we have to determine what we want our national policy on cyberspace to be: What do we want it to be; what laws does Congress need to pass?" "Leadership has to happen this year," he concluded. "Otherwise I'm afraid we're going to see another country step up to the plate and take the leadership on cyberspace away from us."

Deborah Parkinson, a professional staff member with the Senate Homeland Security and Governmental Affairs Committee since 2003, noted that more and more Members of Congress and staff are waking up to the dangers of the cyber threats. Whereas a few years ago maybe four or five staff members would get together for "cyber-jams," today it's more like 40 to 50. While more and more legislation is consequently being introduced to deal with various cyber challenges, it is not chaos, as some might think, because so many of the bills are similar. Moreover, it is a bipartisan issue, and that bodes well for getting something done. Parkinson said Senate Majority Leader Harry Reid has taken a particular interest in the issue and has insisted that the various committees of jurisdiction work together to produce a unified approach to the problem.

One of the difficulties in the past, she said, was the reluctance of the Administration to share information with policymakers on the Hill. So much was secret and classified that it made legislators' work difficult. Today, however, there has been a change in attitude, and executive branch people are now coming to the Congress and asking for help in responding to the cyber threat. The three themes emerging from these discussions are: (1) the Federal government needs to be better organized and take the leadership by setting an example with its own computer network; (2) the market alone will not provide an adequate level of security and some form of government regulation will be necessary; and (3) the government really needs to partner with the private sector if we are to succeed.

Legislation is moving forward in both houses of Congress to develop more cyber warriors in government and to improve the organizational capacity for coordination between federal and state governments, as well as with the private sector and foreign governments. There is increasing support for making the White House cybersecurity coordinator subject to Senate confirmation to ensure greater cooperation between the branches.

Lt. Col. Forrest Hare emphasized that "there does not have to be a war for a security threat to exist," and that is just as true for cybersecurity as it is for conventional warfare. "While we are not at war with any countries today, many nation-states and non-state actors are preparing for that potentiality and do possess a real and credible threat in many domains," including cyberspace." Hare pointed out that cyberspace is not just the Internet but a variety of networks "that are electronically if not logically connected, from a child's laptop in China to a remote terminal unit on a system in critical infrastructure X." The role of the military in defending the nation in cyberspace is not well defined as the other domains, he said, "because we do not have well developed legal or policy regimes concerning sovereignty or the use of force." Hare said it was important to distinguish between cyberspace and information in cyberspace both for assessing vulnerabilities and assigning roles and missions for cybersecurity. Government agencies have differing perspectives on cyberspace based on their differing responsibilities: foreign affairs wants freedom of information and expression and promotion of ideology; national intelligence wants easier access to information; public safety and law enforcement want security of infrastructure and financial safety and security for identity and commerce; and defense wants availability to infrastructure and security of critical information related to strategies and weapons and the ability to counter adversaries' uses of cyberspace. The role of the military is to work closely with other government agencies to help ensure freedom of expression versus countering propaganda, and collecting intelligence versus denying communication; and supporting private actions vs. countering distrust.

Ellen Nakashima, a reporter for The Washington Post, told of her evolving role as a reporter from covering privacy issues to covering cybersecurity issues. The journey began when she learned that President Bush had issued a secret directive to security agencies regarding a special role in securing communications networks—-the Comprehensive National Cybersecurity Initiative (CNCI). The two issues in covering the topic were (1) uncertainty—-whose behind the cyber threats; and secrecy--the government's need to protect what they're up to. One of the stories she wrote that highlights these issues concerned a "honeypot" website the CIA had developed with the Saudis to lure militants. It resulted in the capture of several, but the U.S. military believed it was also used to recruit suicide bombers to go to Iraq and kill U.S. soldiers. After considerable internal debates, a decision was made for the military to take out the website. This angered the CIA and Saudis and resulted in 300 other servers around the world being taken down. The question was raised, should this have been considered a covert intelligence operations, reportable to Congress under the law, or a military operation related to the ongoing war in Iraq? It was decided it was the latter. Such examples raise the question of who should take responsibility for responding to cyber threats and attacks: Defense, NSA, CIA, or DHS. These are all questions being sorted out. She noted some change in attitudes by the private sector of whether and how much to partner with the government. Even Google went to the U.S. government to ask for help after the attack on it from China.

Reported by: Don Wolfensberger and Richard Iserman, May 18, 2010.