Senior government officials overseeing the nation’s cyber defenses told a Senate panel this morning that agencies are doing more to coordinate their far-ranging efforts, but that even in the best-case scenario, the hackers are often one step ahead.
“The harder we can make the general network environment, the easier it’s going to be to detect [threats],” said Richard Schaeffer, director of the National Security Agency’s Information Assurance Directorate. “We believe that if one institutes best practices, proper configuration, good network monitoring … a system ought to be able to withstand about 80 percent of the commonly known attacks.”
The Judiciary Committee’s Subcommittee on Terrorism and Homeland Security convened the hearing to probe the threat of terrorist attacks against the nation’s information and communications systems, though the proceeding ran along the more general lines of cybersecurity, which the panelists described as a scourge that takes many forms.
“There’s no silver bullet here,” said Philip Reitinger, director of the National Cyber Security Center at the Department of Homeland Security. “We do need to up our defensive game.”
Agencies and departments like NSA, DHS and the Federal Bureau of Investigation face a barrage of cybersecurity challenges, both from state-sponsored organizations in hostile nations and terrorist groups, as well as criminal enterprises and lone wolf hackers.
Just this morning, security vendor McAfee released a report warning of the continued rise of politically motivated cyber attacks.
“The risk is that we could have spies, soldiers and criminals in this country placed overnight,” subcommittee Chairman Benjamin Cardin (D-Md.) said this morning. “It’s unclear that we even know when we’ve been attacked.”
The Obama administration has pushed cybersecurity to the top of its policy agenda, highlighted by a speech the president gave at the White House on the subject in May. That address accompanied the release of a report with a spate of short- and long-term recommendations to overhaul federal cybersecurity policy.
James Baker, the associate deputy attorney general, said the administration continues to mull legislative proposals to revamp the statutory framework that governs federal cybersecurity, but that no decision had been made on an agenda to pitch to Congress.
“We are definitely debating these kinds of issues within the administration,” Baker said. “We do not want to mess up — to put it bluntly — the existing authorities that we have.”
Baker noted the complexities of the current legal framework, which involves both domestic statues such as the Foreign Intelligence Surveillance Act, as well as foreign and international laws.
Earlier this year, Sen. John Rockefeller, the West Virginia Democrat who chairs the Commerce Committee, introduced a bill that would enact a sweeping overhaul of federal cybersecurity operations, including controversial provisions that would dramatically expand executive authority over private networks. Rockefeller and co-sponsor Olympia Snowe (R-Maine) have since withdrawn the bill and said they plan to reintroduce a revised version later this session.
The panelists agreed on the importance of government agencies partnering with firms in the private sector, a recurring thread in discussions of federal cybersecurity.
“Key to than nation’s cybersecurity efforts is the public-private partnership,” Schaeffer said. “Cybersecurity is a big job, and [it] is going to take a team to do it.”
He spoke of NSA’s “longstanding relationship” with Microsoft to shore up the operating system and software that runs on government computers, and praised the security features in the recently released Windows 7.
The buck stops where?
But within the government, the question of which entity should take the leading role in cybersecurity policy remains a matter of debate.
Responding to a question from Jon Kyl (R-Ariz.) expressing confusion about federal authority, Schaeffer acknowledged that jurisdictional issues continue to cloud the federal approach to cybersecurity.
“This is a team sport,” Schaeffer said. “You’re absolutely right that there are various authorities that exist in departments and agencies across the government.”
Some experts have argued that NSA should continue its leading role in the cybersecurity arena, claiming that the agency, which is administered by the Department of Defense, has the deepest pool of technical talent.
Others criticize the spy agency for its culture of secrecy, which they say undermines efforts to partner with industry. They generally point to the Department of Homeland Security, which is the leading department that coordinates with the private sector, as the best candidate to run point on cybersecurity.
“We can’t do this through Cold War-era structures,” said Larry Clinton, president of the Internet Security Alliance. “And that’s what we have now.”