America’s cybersecurity efforts could be strengthened posthaste if operations were overseen by a separate nationwide combat command, witnesses on Wednesday told members of the powerful U.S. Senate Homeland Security and Governmental Affairs Committee.
“The government and military need to move beyond trying to secure itself and move into an active and supporting role in defending America, just as it does in all other warfighting domains. We need to remove the seams between the military, government and the private sector,” testified Kevin Keeney, director of the Cyber Incident Response Team at Monsanto Co., and a captain who works in cyber defense operations for the Missouri National Guard.
Specifically, Keeney recommended that legislation be created to fund a new uniformed service known as U.S. Cyber, which would be responsible for Internet security—not just .mil or .gov, as Keeney put it—and which would consolidate all cyber personnel, equipment and missions.
“This will enable a single organization to provide the needed focus on recruiting, training, doctrine, retention and care for its service members,” Keeney said.
U.S. Cyber would be made up of no more than 50 percent active and no less than 50 percent reserve forces, he suggested, adding that the transition “between the active and reserve should be as simple as applying for an opening and being accepted.”
“The creation of U.S. Cyber could close the cyber capabilities gap more quickly than the current strategy. We must build a unified cyber force that can fight and win as an equal stakeholder in the battle. It is essential that we begin acting upon what we know is happening within our borders—the rampant theft of the Intellectual Property created and owned here in the United States,” Keeney said.
Meaningful consequences
The committee’s ranking Democrat, U.S. Sen. Claire McCaskill of Missouri, supported Keeney’s recommendation and said more solutions are needed from people who will think boldly, aggressively and outside the box to address the country’s cybersecurity needs.
“We have critical vulnerabilities. The federal government, states and the private sector have all experienced cyber breaches with devastating outcomes. We need to fix this and we need to do it now,” McCaskill said.
Republican Sens. James Lankford of Oklahoma and Steve Daines of Montana also supported the idea of instituting severe consequences for bad cyber actors by elevating cybersecurity to its own combat command.
Intellectual Property (IP) is the power to be protected, said Daines, who added that when IP is attacked or stolen, the U.S. response shouldn’t be any different than it is for an enemy that destroys a physical asset of the United States.
Keeney told the committee members that Congress could help corporate America by doing what corporate America can’t do for itself, which is “to strike back against someone who continues to bloody their noses and do damage to their shareholders,” he said. When the U.S. does engage in targeted offense, he said, it’s generally in response to traditional military operations.
Instead, offense operations should be used as countermeasures to stealing IP, for example, and U.S. laws should allow companies to protect themselves, Keeney said.
Daines also raised concerns about how to hold hackers accountable once they’ve been identified. It’s an area where the government also can help, said Steven Chabinsky, global chairman of data, privacy and cybersecurity at White & Case LLP.
“Unless we get out there and get rid of the threat, we’re really going to see this rise to unsustainable levels,” Chabinsky said. Some solutions offered included publicly exposing and sanctioning nation states, better funding U.S. agencies like the FBI, working out multinational agreements or conducting international takedowns of bad cyber actors.
“We’re the United States of America. If we’re going to be here haranguing that we have no influence internationally against rogue nation regimes, then we might as well hang it up and call it a day as a country,” Chabinsky said during Senate committee questioning.
“We have enormous elements of international power. It’s time to get serious and develop a strategy,” he said.
There’s a reason the United States hasn’t taken such drastic steps, said Brandon Valeriano, the Donald Bren Chair of Armed Politics at the Marine Corps University and an adjunct fellow at the Niskanen Center. “It’s because we’re all vulnerable.”
Wanted: qualified professionals
Equally critical to improving U.S. cybersecurity would be the hiring of a high number of qualified, trained professionals to work in both the government and private sectors, witnesses suggested during the May 10 Senate committee hearing, “Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape.”
“We’ve got to figure out how to employ, engage and utilize the absolute best and brightest minds when it comes to dealing with this enormously difficult and complex issue of how do we protect the internet, the internet of things, our cyber assets, from the relentless and incredibly destructive attacks that are ongoing virtually every second of the day,” said committee chairman Sen. Ron Johnson, R-Wis.
McCaskill agreed and said that the demand for cyber professionals is way beyond the supply both in government and the private sector.
“We’re also missing leadership on cybersecurity,” McCaskill said, “and scores of senior cybersecurity positions throughout the federal government remain unfilled. We are waiting for nominees to be announced for two of the top cyber-related jobs at the Department of Homeland Security (DHS): the undersecretary at the National Protection and Programs Directorate and the deputy undersecretary for cybersecurity and communications.”
Likewise, she said the departments of Defense, Judiciary, State and Commerce also await nominations from the White House to fill related empty positions.
“Cyber currently appears to be a secondary function within DHS and that needs to change. Bipartisan solutions are needed but first we need the government to be properly organized,” McCaskill said. She likened it to trying to fight enemies “with one hand tied behind our back.”
More suggestions
“The cyber threat is real and growing as is the risk to our national security, our finances, our energy sector … and health records. These and more all appear to be at growing risk,” Chabinsky said. “In short, the problem is getting worse and we are losing. I believe we are following a failed strategy that can and must be changed.”
But the nation’s cybersecurity “downward spiral isn’t inevitable,” he added. “We have to stop thinking that cybersecurity is something end users can fix. It has to be moved as far as possible from the end user; that’s a 180-degree switch from what we’re doing now. We must resolve cybersecurity problems primarily at their source rather than at their destination.”
Financially incentivizing companies “that can add security higher up in the internet stack should be a budget priority with perhaps as much as 10 percent of our roughly $600 billion defense budget being set aside for the advancement of higher-level cybersecurity solutions,” Chabinsky said.
Lawmakers also should explore other financial models, suggested Chabinsky, who pointed out that a national fund exists to bring broadband to rural areas, “but we don’t have a fund to bring cyber protections to everyone in the nation.”
Such funding might be the answer to what Keeney testified was a much-needed “whole-of-nation response” to the growing problem of destructive cyberattacks, which Johnson said the Center for Strategic and International Studies has estimated carry a global price tag of roughly $375 billion to $575 billion per year.
“Cyber threats are many and they cannot be dealt with effectively committee by committee,” said Keeney, who would like to see the Senate wholly address cybersecurity.
Jeffrey Greene, senior director of global government affairs and policy at Symantec Corp., said that “good security isn’t going to happen by accident … and criminals are always evolving.” The United States needs to go after both the business and technological models of the attackers, he said.
At the same time, Valeriano said lawmakers should form policy in a context that considers the attackers’ methods of coercion. Bad actors have different motivations and therefore shouldn’t be lumped together as one actor, he said.
And lawmakers need to take a holistic view of cyber challenges that encompasses sociology, psychology, legality and biology, among other disciplines. “Manipulation of information is a new warfare,” Valeriano said. “The geopolitics matter.”