On March 22, 2017, the U.S. House Committee on Homeland Security heard testimony on the current state of the global cyber battleground, how rapid changes in technology and the expanding Internet-of-Things (“IoT”) present new threats from a wide range of malicious actors, and what steps the public and private sectors must jointly undertake to protect the nation.
In his opening statement, Chairman Michael McCaul (R-TX) did not mince words, stating that “we are in the fight of our virtual lives, and we . . . are . . . NOT . . . winning.” Describing a nationwide cybersecurity defense system in desperate need of improvement, McCaul said that “the U.S. government is fighting 21st century threats with a 20th century mindset and a 19th century bureaucracy.” Echoing McCaul’s appeal for immediate and substantial overhaul of the nation’s cybersecurity infrastructure, several witnesses spoke about how cyber threats are evolving, what is at stake, and most importantly, what can be done to combat existing and future threats to safeguard America.
Bruce W. McConnell, Global VP of the EastWest Institute, emphasized the ever-increasing role of the internet and connectivity among all facets of modern life, calling cyberspace “the global endoskeleton of commerce, trade, and all manner of human interaction.” Alongside our increasing reliance on connectivity, McConnell said, is a new breed of malicious cyber actors, including state-actors like Russia, China and Iran. The dilemma in addressing these new threats, according to McConnell, is that cyberspace remains a virtual Wild West. For example, McConnell pointed to the well-established protections in modern cargo aviation (airport security, pilot licensing, and registration of airplanes and flight plans), saying that corresponding safeguards are nonexistent for cyberspace, yet the financial value of commercial transactions routed through the internet “is actually 100 times greater on an annual basis than the value of goods transported in the air cargo system.”
Similarly, Gen. (ret.) Keith B. Alexander, current President and CEO of IronNet Cybersecurity, stressed that cyberspace is misguidedly being addressed differently than the “real” world, even though organized crime groups and terrorist organizations, as well as state-actors, are increasingly using the internet to carry out illegal and even military activities. For example, Alexander said that the U.S. is not treating nation-state threats and actions “in cyberspace as we would treat the presence of nation-states’ key naval assets inside our territorial waters,” viewing them instead “largely as nuisance[s].” Alexander emphasized that the “future of warfare is here,” and that the United States must “structure and architect our nation to defend our country in cyberspace.”
But while cybersecurity in the United States may currently be lagging behind the evolving threats, the Committee also heard testimony on tangible ways to address existing shortcomings and develop a robust, integrated system of cybersecurity protection. According to Frank J. Cilluffo, Director of George Washington University’s Center for Cyber and Homeland Security, a “multidimensional response” requires action not just from the U.S. military but all stakeholders, with public-private partnerships an “instrumental” component of a comprehensive cybersecurity framework. Cilluffo further stressed that cybersecurity is a global problem that must be addressed on a global level, with military and non-military alliances between nations a key to effectively stopping cyber threats.
Finally, cooperation between all stakeholders should be leveraged through the use of rapid cyber threat information sharing, according to Michael Daniel, President of the Cyber Threat Alliance, who said that such information sharing across the “entire cybersecurity ecosystem is a necessity in achieving our shared goals of enhanced cybersecurity.” To that end, the Cyber Threat Alliance has already assembled an Information Sharing and Analysis Organization (“ISAO”)—featuring six of the largest global cybersecurity companies—to “enable[] real-time sharing of rich, contextual cyber threat information among all cybersecurity companies, which can be leveraged on an individual basis to update and improve their products and services.” Daniel said that information sharing can be used to expose the “playbooks” (tactics, techniques, etc.) of malicious cyber actors so that entities can proactively implement defenses specifically designed to protect against known threats.
A full video of the hearing and the prepared witness statements can be found on the Committee’s webpage.
