[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
EMERGING CYBER THREATS TO
THE UNITED STATES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND SECURITY
TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 25, 2016
__________
Serial No. 114-55
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
21-527 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
John Ratcliffe, Texas, Chairman
Peter T. King, New York Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania Loretta Sanchez, California
Scott Perry, Pennsylvania Sheila Jackson Lee, Texas
Curt Clawson, Florida James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Brett DeWitt, Subcommittee Staff Director
John Dickhaus, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 4
Prepared Statement............................................. 5
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Prepared Statement............................................. 47
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 49
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 6
Witnesses
Mr. Frank J. Cilluffo, Associate Vice President and Director,
Center for Cyber and Homeland Security, The George Washington
University:
Oral Statement................................................. 10
Prepared Statement............................................. 13
Ms. Jennifer Kolde, Lead Technical Director, FireEye Threat
Intelligence:
Oral Statement................................................. 21
Prepared Statement............................................. 23
Mr. Adam Bromwich, Vice President, Security Technology and
Response, Symantec, Testifying on Behalf of the Cyber Threat
Alliance:
Oral Statement................................................. 27
Prepared Statement............................................. 29
Mr. Isaac R. Porche, III, Associate Director, Forces and
Logistics Program, The Rand Army Research Division, The Rand
Company:
Oral Statement................................................. 35
Prepared Statement............................................. 37
For the Record
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies:
Statement of Tom Patterson, VP/GM Security, Unisys Corporation. 50
Letter From the Society for Maintenance & Reliability
Professionals................................................ 51
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Article, ConsumerAffairs....................................... 55
Article, Slate Magazine........................................ 57
EMERGING CYBER THREATS TO
THE UNITED STATES
----------
Thursday, February 25, 2016
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 2:06 p.m., in
Room 311, Cannon House Office Building, Hon. John Ratcliffe
[Chairman of the subcommittee] presiding.
Present: Representatives Ratcliffe, McCaul, Marino,
Donovan, Richmond, and Jackson Lee.
Mr. Ratcliffe. Good afternoon. The Committee on Homeland
Security Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies will come to order.
The subcommittee is meeting today to examine the evolving
cybersecurity threats from nation-states such as China, Russia,
North Korea, and Iran, as well as cyber threats from criminal
organizations and terrorist groups such as ISIS.
Over the last several years, we have seen these actors
continue to develop and build even more sophisticated cyber
capabilities. In 2016, these hackers pose an even greater
threat to the U.S. homeland and our critical infrastructure. To
put it simply, cybersecurity is National security.
In 2015, the Nation was victim to one of the most
significant cyber attacks in our history. The breach at the
Office of Personnel Management exposed the personal and
extremely sensitive security clearance information of 21.5
million current and former Government employees. In 2014, we
saw North Korea conduct a cyber attack on Sony Pictures that
not only destroyed computers, but also sought to muzzle free
speech and threaten American ideals.
Unfortunately, the administration's lack of proportional
responses to these cyber attacks has demonstrated to the world
that there are no real consequences for such actions. Without a
comprehensive National cybersecurity strategy that addresses
deterrence effectively, I worry that 20l6 could bring an
increasing number of those willing to push the boundaries.
In recent news, a lot of attention was directed at the
Hollywood Presbyterian Medical Center in Los Angeles that was a
victim of a ransomware attack. This type of malware infects
victims' computers and locks them until a payment, or a
``ransom,'' is made. The medical center was forced to pay
$17,000 to restore its systems.
But this isn't a problem unique to Hollywood. In my own
district in Northeast Texas, the Titus Regional Medical Center
suffered a similar attack. Their electronic health record
system was locked, and they weren't able to access patient
information.
Of the nation states, Russia continues to rank near the top
in terms of capabilities, with increasing aggression across the
globe that may continue to manifest itself in cyber space. The
director of national intelligence, James Clapper, told the
Senate Armed Services Committee in September that the Russian
government is establishing its own central cyber command that
will be responsible for carrying out offensive cyber
operations.
China also ranks high in terms of capability, and it
continues to pose a significant threat to the United States in
terms of cyber espionage and the theft of intellectual
property. In September, the administration announced an
agreement with the Chinese government to refrain from engaging
in hacking of our intellectual property. I look forward to
hearing today from our industry witnesses on their thoughts
about the success of this agreement.
Iran continues to emerge as a top cybersecurity threat, as
well. While many would argue that its intent to carry out its
attacks is strong, it still lags behind other nation-states in
terms of capabilities. However, the administration's recent
nuclear agreement with Iran could have unintended consequences
in cyber space, as the lifting of economic sanctions could
provide the influx of cash to fuel the development of
cybersecurity capabilities.
Criminal organizations continue to pose a great risk to the
American people, as we have seen with breaches at places like
Target and Home Depot, which exposed the credit card
information of millions of people. While the intent of criminal
groups may be different from nation-states, the impact on
everyday Americans is felt very directly.
Last, terrorist groups such as ISIS may currently lack the
capability to pose a major cybersecurity threat to the United
States. But given the vast resources this group has amassed,
developing or purchasing sophisticated cyber tools is not far
out of reach. ISIS followers and the so-called Cyber Caliphate
have had success in hacking social media accounts of our
military personnel and posting home addresses and other
personal information on-line, asking followers to carry out
attacks.
In late 2015, Congress, recognizing these threats, enacted
the Cybersecurity Act of 2015. The act establishes the
Department of Homeland Security National Cybersecurity and
Communications Integration Center, or NCCIC, as the sole
civilian interface for sharing cyber threat information with
the Federal Government. The act establishes liability
protections for companies to share information with DHS and
among themselves.
In light of this legislation, we hope that the private
sector will share more with each other and with the Government,
and we look forward to hearing from our witnesses today on what
they are doing to increase information sharing.
In response to the devastating attack on OPM, the act
bolsters DHS's ability to deploy intrusion detection and
prevention capabilities across our Federal Government. These
capabilities will ensure the proper capabilities to defend
Government networks from nation-state attacks.
Unfortunately, cyber threat actors--be they nation states,
criminal groups, or terrorist organizations--remain undeterred,
continuing to conduct cyber attacks. The problem is compounded
by the lack of acceptable norms in cyber space, and I have
questions on whether or not the administration's lack of
response to these attacks has deterred or even emboldened our
adversaries.
The President recently announced a Cybersecurity National
Action Plan. Whether this is too little too late, and the
clarity of the overall guidance behind the plan, remains to be
seen as we watch the most meaningful part of any grand plan--
its execution. In this day and age, there is agreement that the
battle for security of our information systems is continually
escalating. The testimony today will help inform what actions
Congress can take to further the interests of our National
security.
[The statement of Mr. Ratcliffe follows:]
Statement of Chairman John Ratcliffe
February 25, 2016
The subcommittee is meeting today to examine the evolving
cybersecurity threats from nation-states such as China, Russia, North
Korea, and Iran, as well as cyber threats from criminal organizations
and terrorist groups such as ISIS. Over the last several years we have
seen these actors continue to develop and build even more sophisticated
cyber capabilities. In 2016, these hackers pose an even greater threat
to the U.S. homeland and our critical infrastructure. To put it simply,
cybersecurity is National security.
In 2015, the Nation was victim to one of the most significant cyber
attacks in history. The breach at the Office of Personnel Management
exposed the personal and extremely sensitive security clearance
information of 21.5 million current and former Government employees. In
2014, we saw North Korea conduct a cyber attack on Sony Pictures that
not only destroyed computers, but also sought to muzzle free speech and
threaten American ideals.
Unfortunately, the administration's lack of proportional responses
to these cyber attacks has demonstrated to the world that there are no
real consequences for such actions. Without a comprehensive National
cybersecurity strategy that addresses deterrence effectively, I worry
that 20l6 could bring an increasing number of those willing to push the
boundaries.
In recent news, a lot of attention was directed at the Hollywood
Presbyterian Medical Center in Los Angeles that was a victim of a
ransomware attack. This type of malware infects victims' computers and
locks them until a payment, or a ``ransom,'' is made. The medical
center was forced to pay $17,000 to restore its systems. But this isn't
unique to Hollywood. In my own district in Northeast Texas, the Titus
Regional Medical Center suffered a similar attack. Their electronic
health record system was locked and they weren't able to access patient
information.
Of the nation-state threats, Russia continues to rank near the top
in terms of capabilities, with increasing aggression across the globe
that may continue to manifest itself in cyber space. The Director of
National Intelligence, James Clapper, told the Senate Armed Services
Committee in September that the Russian government is establishing its
own central cyber command that will be responsible for carrying out
offensive cyber operations.
China also ranks high in terms of capability and continues to pose
a significant threat to the United States in terms of cyber espionage
and theft of intellectual property. In September, the administration
announced an agreement with the Chinese government to refrain from
engaging in hacking of intellectual property. I look forward to hearing
today from our industry witnesses today on their thoughts about the
success of this agreement.
Iran continues to emerge as a top cybersecurity threat. While many
would argue that its intent to carry out attacks is strong, it still
lags behind other nation-states in capabilities. However, the
administration's recent nuclear agreement with Iran could have
unintended consequences in cyber space, as the lifting of economic
sanctions could provide influx of cash to fuel the development of
cybersecurity capabilities.
Criminal organizations continue to pose a great risk to the
American people, as we have seen with the breaches of Target and Home
Depot, which exposed the credit card information of millions of people.
While the intent of criminal groups may be different from nation-
states, the impact on everyday Americans is felt very directly.
Lastly, terrorist groups such as ISIS may currently lack the
capability to pose a major cybersecurity threat to United States. But
given the vast resources the group has amassed, developing or
purchasing sophisticated cyber tools is not far out of reach. ISIS
followers and the so-called Cyber Caliphate have had success in hacking
social media accounts of military personnel and posting home addresses
and other personal information on-line asking followers to carry out
attacks.
In late 2015, Congress--recognizing these threats--enacted the
Cybersecurity Act of 2015. The Act establishes the Department of
Homeland Security, National Cybersecurity and Communications
Integration Center (NCCIC) as the sole civilian interface for sharing
of cyber threat information with the Federal Government. The Act
establishes liability protections for companies to share information
with DHS, and among themselves. In light of this legislation, we hope
the private sector will share more with each other and the Government,
and we look forward to hearing from our witnesses on what they are
doing to increase information sharing.
In response to the devastating attack on OPM, the Act bolsters
DHS's ability to deploy intrusion detection and prevention capabilities
across the Federal Government. These capabilities will ensure the
proper capabilities to defend Government networks from these nation-
state attacks.
Unfortunately, cyber threat actors--be they nation states, criminal
groups, or terrorist organizations--remain undeterred, continuing to
conduct cyber attacks. This problem is compounded by the lack of
acceptable norms in cyber space and I have questions on whether or not
the administration's lack of response to these attacks has deterred or
emboldened our adversaries. The President recently announced a
Cybersecurity National Action Plan. Whether this is too little too
late, and the clarity of the overall guidance behind the plan, remains
to be seen as we watch the most meaningful part of any grand plan: The
execution. In this day in age, there is agreement that the battle for
the security of our information systems is continually escalating. The
testimony today will help inform what actions Congress can take to
further the interests of our National security.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of the subcommittee, the gentleman from
Louisiana, Mr. Richmond, for his opening statement.
Mr. Richmond. Thank you, Mr. Chairman, and thank you for
holding this hearing today on information security threats and
how we manage cyber threat intelligence, areas that are central
to our subcommittee's oversight responsibilities.
I also want to thank our witnesses for their participation
in today's hearing, and especially welcome Dr. Porche from
Baton Rouge, Louisiana, for being with us today.
The Department of Homeland Security plays a fundamental
role in the National effort to increase our collective
cybersecurity, but it cannot achieve its mission without a
foundation of voluntary partnerships with the critical
infrastructure community. The information security industry and
our Government are partners.
The privately-owned critical infrastructures that are
everywhere in my district, including ports, energy and pipeline
networks, chemical manufacturers, and refineries, ship and
supply goods and raw materials to all parts of our country and
are vital to the jobs and economic well-being of my part of the
world.
When the cyber information security and network systems
fail for these kind of sites, whether from a natural disaster
or a man-made intrusion, everyone feels it. It is the National
interest to safeguard such critical infrastructure and to make
sure that there are adequate protections from cyber and
information and data interruptions.
This subcommittee has oversight responsibilities for the
Department's US-CERT and ICS-CERT teams that provide the
foundation of the U.S. Government's approach to securing and
safeguarding the resilience of civilian cyber and critical
infrastructure essential services.
It will be necessary for this subcommittee to continue to
do all we can to help DHS develop a workable National cyber
protection strategy and framework for critical infrastructure
entities and small and large businesses in order to protect our
economy.
After this subcommittee and full committee passed important
information-sharing legislation last year, the legislation
found its way to the President's desk, where he signed the
Cybersecurity Information-Sharing Act, or CISA, on December 18,
2015.
Today I hope to hear from our witnesses how the Department
is doing with its new information-sharing authorities and
challenges and how cyber and information-sharing security
industries are expanding their collaboration with the
Department as a result of that legislation.
It will be important to know how cybersecurity companies
can continue to collaborate with the Department to help US-CERT
and ICS-CERT serve as the center of our National integration,
information sharing and collaborative analysis for domestic and
global cyber threat intelligence.
Finally, I hope to find out from our witnesses how we can
help further the ability of DHS's National Cybersecurity and
Communications Integration Center, or NCCIC, to receive and
analyze information at machine speed, an analysis component of
getting a leg up on the ever-changing landscape and world-wide
cyber threat intelligence.
So I look forward to today's hearing. Mr. Chairman, with
that, I yield back.
[The statement of Mr. Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
February 25, 2016
The Department of Homeland Security plays a fundamental role in the
National effort to increase our collective cybersecurity, but it cannot
achieve its mission without a foundation of voluntary partnerships with
the critical infrastructure community, the information security
industry, and our Government partners.
The privately-owned critical infrastructures that are everywhere in
my district, including--ports, energy and pipeline networks, chemical
manufacturers, and refineries--ship and supply goods and raw materials
to all parts of our country, and are vital to the jobs and economic
well-being of my part of the world.
When the cyber information security and network systems fail for
these kinds of sites, whether from a natural disaster or a man-made
intrusion, everyone feels it. It is in the National interest to
safeguard such critical infrastructure, and to make sure there are
adequate protections from cyber and information and data interruptions.
This subcommittee has oversight responsibilities for the
Department's US-CERT and ICS-CERT teams that provide the foundation of
the U.S. Government's approach to securing and safeguarding the
resilience of civilian cyber, and critical infrastructure essential
services. It will be necessary for this subcommittee to continue to do
all we can to help DHS develop a workable, National cyber protection
strategy and framework for critical infrastructure entities, and small
and large businesses, in order to protect our economy.
After this subcommittee and full committee passed important
information-sharing legislation last year, that legislation found its
way to the President's desk where he signed the Cybersecurity
Information Sharing Act, or CISA, on December 18, 2015.
Today I hope to hear from our witnesses how the Department is doing
with its new information-sharing authorities and challenges, and how
cyber and information security industries are expanding their
collaboration with the Department as a result of the legislation.
It will be important to know how cybersecurity companies can
continue to collaborate with the Department to help US-CERT and ICS-
CERT serve as the center of our National integration, information
sharing, and collaborative analysis, for domestic and global cyber
threat intelligence.
Finally, I hope to find out from our witnesses how we can help
further the ability of the DHS's National Cybersecurity and
Communications Integration Center, or NCCIC, to receive and analyze
information at machine speed--an essential component of getting a leg-
up on the ever-changing landscape of world-wide cyber threat
intelligence.
Mr. Ratcliffe. I thank the gentleman. Other Members of the
committee are reminded that opening statements may be submitted
for the record.
[The statement of Honorable Sheila Jackson Lee follows:]
Statement of Honorable Sheila Jackson Lee
February 25, 2016
Chairman Ratcliff and Ranking Member Richmond thank you for your
bipartisan leadership in holding today's hearing on ``Emerging Cyber
Threats to the United States.''
There are critical cybersecurity issues that our Nation must face
to ensure the protection of critical infrastructure and vital computer
communication networks.
I thank today's witnesses who will provide their expert opinion on
the issue of cybersecurity and critical infrastructure:
Mr. Frank Cilluffo, associate vice president & director,
Center for Cyber and Homeland Security, The George Washington
University.
Ms. Jennifer Kolde, lead technical director, FireEye Threat
Intelligence.
Mr. Adam Bromwich, vice president, Symantec Security
Technology and Response. Representing the Cyber Threat
Alliance.
Dr. Isaac Porche, senior engineer at the RAND Corporation,
and associate director of the Forces and Logistics Program for
the RAND Army Research Division.
Last year, this committee and Congress acted in a bipartisan manner
to pass critical cybersecurity legislation that enhanced the ability of
the Department of Homeland Security to work with the private sector and
other Federal civilian departments on cyber threat information sharing
capabilities. Enactment of these bills represents a significant moment
for the Department's cybersecurity mission.
I supported this effort by offering several amendments that were
adopted by the full committee for inclusion in the cybersecurity
legislation we passed.
This committee in particular undertook significant efforts to bring
the bills to passage, and on December 18, 2015, President Obama signed
into law the Cybersecurity Information Sharing Act of 2015 (CISA).
The work the Homeland Security did and particularly the leadership
of this subcommittee is designed to increase cybersecurity information
sharing between the private sector and the Federal Government.
Among other things, it provides various protections to non-Federal
entities that share cyber threat indicators or defensive measures with
the Federal Government.
I am a strong believer in legislative due process for addressing
the most complex issues of the digital communication age.
Vulnerabilities in computing products are the chief method used by
data thieves or terrorist to breach computing systems.
Since 2005 to the present, the Privacy Rights Clearinghouse,
reports that 895,886,345 records have been breached.
The entities and their customers who have fallen victim to data
breaches range in size from small businesses to major corporations and
Federal Government agencies, such as:
The IRS--101,000--the agency block payments to data thieves
who used stolen identity information from elsewhere to generate
pins using stolen Social Security Numbers (date reported 2/10/
2016)
Scottrade lost over 4 million records (October 1, 2015)
Excellus Blue Cross Blue Shield lost over 10 million patient
records (September 10, 2015)
Office of Personnel Management (OPM) lost over 21.5 million
Government employee or former employee records (June 4, 2015)
Most reports include no details on the number of records breached
or stolen.
There is no law that requires companies to report breaches, but
there are laws that require reports to consumers when their personal
information may have been lost or stolen.
The security of Nation's critical infrastructure is critical to our
prosperity and the American way of life.
Critical infrastructure in the form of our Nation's electric
utility grid, water treatment facilities, energy refining and delivery
systems; financial system; and much more needs strong cybersecurity to
protect against threats.
Cybersecurity threats from the earliest days of the modern
computing age.
Microsoft in order to protect their computing products from
cybersecurity threats began to routinely release of updates to their
software products on what has become known as ``Patch Tuesdays.''
Identifying and closing vulnerabilities in software and firmware IS
one important means of securing systems from threats.
The link between commercially-available computing devices and our
Nation's critical infrastructure lies in the role of products in
ensuring the proper maintenance and operation of critical
infrastructure.
ransomware and criminals
The latest threat from cyber criminals is ransomware.
Criminals find vulnerabilities in a computer or computing network
and use it to introduce an encryption application that locks the data
so the owner or user of a computer system cannot access it until a
ransom is paid to criminals who then unlock the data.
There are now ransomware encryption tools that encrypt data that
cannot be unencrypted not even by the thieves.
If criminals find a way into a computer or computer network they
will exploit that vulnerability.
Portable computing devices like iPads, iPhones, and laptops are
used every day to access, perform tasks, and maintain critical
infrastructure.
The security of physical space, such as our Nation's critical
infrastructure, is about to inherit many of the security
vulnerabilities that plague cyber space; because of the introduction of
the Internet of Things (IoT).
The threats posed to computing devices include viruses; worms;
Trojan horses; botnet creation, capture, and exploitation; pharming;
phishing; denial-of-service attacks; and ransomware threats intended to
undermine the proper functioning of physical security that incorporates
or relies upon computing devices.
There are a range of threats presented by unintended actions by
insiders that include introducing devices into the work IoT environment
that carry exploitable vulnerabilities that could be seized upon by
opportunistic applications or technology that probe the environment for
stray information to collect and report back to cloud services or
networks hosted by data and financial thieves.
Physical security in era of IoT environments will present
challenges because of the number, diversity, and fluidity of digital
technology that will traverse physical spaces.
Another challenge will be the speed that devices will change; the
ability or willingness of manufacturers or providers to update software
on every type of IoT device and to what degree remote actor (such as
criminals, nation/states, or intellectual property thieves) may be able
to explore potential vulnerabilities in larger, more complex systems by
using very simple IoT-enabled technology.
Businesses large and small will adopt IoT technology without
hesitation because of the tremendous opportunities for cost savings.
Lowering electricity bills based on actual usage; smart light bulbs
that reduce output or completely turn off when sensors in a space
indicate that it is unoccupied; employee credentials that not only act
as a time clock, but a location service while employees are at work;
and sensors that regulate the function of everything from water coolers
to elevators base on a ``just in time delivery'' of only what is needed
and exactly when it is needed.
Innovation will move at unprecedented pace, as new physical designs
for everyday consumables will be changed to work as a node in the IoT.
The same light bulb from the same manufacturer will now have a
wireless interface that allows it to send and receive wireless
communications.
The same is true for the fleet of vehicles large and small that are
used by employees on or off the campuses of companies or organizations.
In this fast-paced environment, one of the important protections
for digital communications may not be available either through design
or due to the limited capacity of the IoT device.
Password protection may be unavailable for many passive IoT
wireless devices and this may further challenge physical security.
Exploitation of weaknesses found in the poor, or inefficient design
of software or IoT device security may facilitate broader discussions
about its implications for physical vulnerabilities and security
threats.
The IoT appears to be about to project the power of computing into
physical space without much consideration for the totality of the
vulnerabilities and threats that may be imposed on once controlled and
secure environments.
There will be no barriers within the IoT that will preserve
physical security of businesses, government, or personal spaces unless
they are created through broad voluntary adoption of standards that
work both in theory and practice to address real-world challenges to
physical security, privacy, or confidentiality.
Why should the security and privacy of IoT technology matter to
physical security?
Physical security relies upon control over who or what can enter or
exit a defined area or space.
The challenge to physical security posed by the IoT is a lack of
security over the wireless communication signals and/or devices that
may enter or exit a space.
The following are incidents that foreshadow some of the challenges
to physical security in a world dominated by the IoT.
Security professionals responsible for facilities that rely on
industrial control systems should be aware of new paths that may be
used to access networks to cause disruptions to threats posed by cyber
attacks that can result in physical damage to equipment.
A light bulb exploit
In 2014, it was reported that a LiFX system of wifi remote-
controlled light bulb designed to work with a smart phone had security
vulnerability.
Sensors on light bulbs designed to operate in conjunction with a
smart phone offered an opportunity for a breach of other systems.
The problem was discovered in the software application that
translates commands from a device's operating system, in this case the
command to a light bulb to turn on or off.
The request from the computer to turn on or off the light bulb also
asked for any additional information that might be stored in its IoT
components which allowed for insecure code to be downloaded onto the
computing network.
IoT enabled intercom systems (baby monitoring technology)
In September 2015, 2 years after the first cybersecurity warning
regarding the security vulnerability of baby monitoring technology, it
was reported that 9 baby monitor models for top manufacturers remain
vulnerable to hacking.
There are documented cases of monitors being breached, allowing
unauthorized voice communication from hackers over the communication
system, and external access to video live feeds from baby's rooms.
This issue is relevant, because many properties or facilities for
critical infrastructure will use if not already widely using automated
systems to monitor locations.
Compromise of physical security monitoring systems could be used to
prevent detection of physical threats to critical infrastructure.
Physical security of vehicles is in question
In 2015, researchers gained remote access to a Jeep Cherokee and
took control of physical functions such as climate control, windshield
wipers, and the sound-system.
They could even turn off the engine while the vehicle was in
motion. Automobile manufacturers, not just of the Jeep Cherokee,
understood that the computing systems of their vehicles could be
compromised and took action to close the cybersecurity risk that had
consequences for the physical security of their vehicles and the safety
of their customers.
I held a staff briefing to bring this issue to the attention of the
House and key Committees.
Physical security of industrial control systems
In 2010, Stuxnet--roughly 500 kilobytes of code--became known to
computer security experts in the United States who identified it as a
hybrid computer-worm designed to destroy physical equipment.
According to a September 2010 Symantic report, there were 100,000
Stuxnet-infected computers world-wide.
Stuxnet moved from system to system through connected and
unconnected computing technology using the Microsoft Windows Operating
System.
If a machine was not connected to a network, sticking a USB drive
into an infected machine, then into the uninfected machine was
sufficient for Stuxnet to spread. Once Stuxnet is inside of a machine
or network, it replicates itself.
In 2012, the United States Government started to warn of a ``Cyber
Pearl Harbor.''
Stuxnet is not limited to harming the function of gas centrifuges
used to enrich uranium, but can damage or destroy machines or equipment
controlled by industrial control systems used for a range of non-
military purposes.
The capacity of Stuxnet to destroy equipment or make it unusable
poses a threat to physical security.
Another cyber threat is the Flame worm, which appears to have been
introduced through an update to Microsoft's Windows 7 operating system,
which is phenomenal because to get Windows Operating system to accept
an update it has to authenticate that the request source of the update
is coming from the company.
Stuxnet or Flame worms can be altered to attack a wide range of
industrial control systems or critical infrastructure.
Stuxnet-derived worm code could be written to damage water
treatment and delivery systems, electricity delivery systems,
industrial control systems used by food processors, ports operations,
or automobile assembly lines.
Laying the ground work for seeking out vulnerabilities to exploit
and therefore to defend, Hungarian researchers in September 2011
uncovered ``Duqu'' a program that was designed to steal data regarding
industrial control systems.
What will be the IoT physical security challenges of complex
operations?
The security of deep-water and container ports have been wedded
from their earliest beginnings because cargo was personal wealth and
nationstate commerce.
The volume of activity at deep-water and container ports made
innovation and computing necessary for automation of facilities to
management port functions.
However, no one system manages everything that happens at deep-
water and container ports. Arrivals and departures may be managed by
one system; loading and offloading by another entity; container
management by another provider; employee access by another system, and
private companies may track their cargo using proprietary systems.
The number, type, and severity of cyber threats experienced by
ports, service providers, or port customers are unknown.
The preference is not to report incidents and to payor absorb costs
resulting from breaches or thefts.
The other reasons for underreporting is likely that companies and
ports are unaware that their cybersecurity has been breached.
An October 15, 2014, report by CyberKeel entitled, ``Maritime
Cyber-Risks'', reported on financial thefts; alteration of carrier
information regarding cargo location; barcode scanners use as hacking
devices (a variation of the light bulb vulnerability described above);
targeting of shipbuilding and maritime operations; cyber-enabled large
drug-smuggling operations; compromising of Australian Custom and Border
protection; spoofing a vessel Automated Identification System (AIS);
drilling rig cyber attack; vessel navigation control hack; GPS jamming;
vulnerabilities in the Electronic Chart Display and Information System;
and a Danish Maritime Authority breach.
Deletion of carrier information
In August 2011, an incident of deletion of carrier information
regarding the location of cargo occurred against the Islamic Republic
of Iran Shipping Lines. The attack damaged all the data related to
cargo ship contents, which meant that no one knew where any containers
were or the status of containers--off-loaded, picked up, or still on
board ships. The data was eventually recovered, but the disruption in
operation of the business was significant.
Barcode scanner hacking tool
The attack was named ``Zombie Zero'' and involved malware hidden in
the software for barcode scanners of at least 8 different companies.
The malware activated when the barcode readers were connected to
company networks. When connected, the malware launched a series of
automated attacks searching for the location of the financial server.
Upon location of the financial server, the malware would compromise
the target server to be taken over.
Australian customs exploit
A cyber-crime organization breached the cargo system of Australian
Customs and Border Protection, which allowed criminals to verify that
their shipping containers were viewed as suspicious by the police or
customs authorities.
This allowed criminals to abandon contraband that would result in
arrests or confiscation and focus on what they knew would be released
without difficulty.
Drilling rig cyber attack
In 2010, while a drilling rig was being moved from the construction
site in South Korea toward South America, its critical control systems
were infected by malware that shut it down for 19 days to fix the
problem.
A similar attack on a rig reported off the coast of Africa caused
it to be shut down for a week.
These are some of the critical cybersecurity threats facing
critical infrastructure.
I look forward to the testimony of today's witnesses.
Thank you.
Mr. Ratcliffe. We are pleased to have a distinguished panel
of witnesses before us today on this very important topic.
Joining us, our first witness is Mr. Frank Cilluffo, who is the
associate vice president and director of the George Washington
University Center for Cyber and Homeland Security. Welcome, Mr.
Cilluffo.
Also with us is Ms. Jennifer Kolde. She is the lead
technical director for FireEye Threat Intelligence. Thanks for
being here today.
Mr. Adam Bromwich is the vice president for security
technology and response at Symantec and is also representing
the cyber threat alliance. Welcome, Mr. Bromwich.
Finally, last but not least, Dr. Isaac Porche--did I say
that correctly--is the associate director of the Forces and
Logistics Program within Army Research Division of the RAND
Corporation. Welcome, Doctor.
I would now ask the witnesses all to stand and raise your
right hand, and I will swear you in to give your testimony.
[Witnesses sworn.]
Let the record reflect that the witnesses have all answered
in the affirmative. The witnesses' full written statements will
appear in the record. The Chair now recognizes Mr. Cilluffo for
his opening statement.
STATEMENT OF FRANK J. CILLUFFO, ASSOCIATE VICE PRESIDENT AND
DIRECTOR, CENTER FOR CYBER AND HOMELAND SECURITY, THE GEORGE
WASHINGTON UNIVERSITY
Mr. Cilluffo. Chairman Ratcliffe, Ranking Member Richmond,
Congressmen Marino and Donovan, thank you for the opportunity
to testify before you today.
Mr. Chairman, I think you did an amazing job framing the
issues here, so I will try to be even more brief, which is not
my strong suit, since I have never had an unspoken thought, but
I will try to hit on a couple points that weren't addressed.
I mean, obviously today the United States faces a dizzying
array of cyber threats from many and varied actors. Virtually
every day, there is a new incident in the headlines, and the
initiative clearly remains with the attacker. As you mentioned,
Mr. Chairman, last week, it was Hollywood Presbyterian.
Also last week, there was some news of a manipulation, a
Russian hack that took place about a year ago where they were
able to manipulate the U.S. dollar and ruble exchange rate.
Even more disconcerting was the December 2015 cyber attack on
Ukraine's electric grid, which affected 4 dozen substations and
left a quarter million people without power.
At the same time as the attack on the grid itself, call
centers were hit with a telephony denial-of-service attack as
customers were trying to report the outages. So if anyone
thought this was a glitch, think again.
U.S. critical infrastructure, notably lifeline sectors such
as energy and electricity, telecommunications, transportation,
water, and financial services from banks to exchanges and
clearinghouses are in the crosshairs and are primary targets
for cyber attacks and cyber crimes. Our National security,
public safety, economic competitiveness, and personal privacy
are at risk.
The threat tempo is magnified by the speed at which
technologies continue to evolve and by the fact that our
adversaries continue to adapt their tactics, techniques, and
procedures in order to evade and defeat the latest prevention
and response measures.
While breaches to date have largely exemplified data theft
and destruction, a concerning trend looking ahead will be data
manipulation. A few words on the threat itself, and I hope
there will be some time during Q&A to expand.
First, not all hacks are the same, nor are all hackers the
same. The threat comes in various shapes, sizes, and forms,
ranging from nation-states at the high end of the threat
spectrum to foreign terrorist organizations, criminal
enterprises, and hacktivists. Just as diverse as the threat
actors themselves are the intentions, capabilities, and TTPs,
or tactics, techniques, and procedures, and the tools they
ultimately utilize.
Put another way, nearly every form of conflict today and
tomorrow will have a cyber dimension to it. Whereas
technologies will continue to evolve and change, human nature
remains pretty consistent. If it happens in the physical world,
it is happening in the cyber world, and increasingly you are
seeing those two worlds converge, especially with the advent of
the Internet of Things and Internet of Everything.
A couple of quick top-line words on the threat actors. As I
just mentioned, nation-state and their proxies continue to
present the greatest and most advanced and persistent threat in
the cyber domain. My testimony will focus on 4 key actors, all
of which, Mr. Chairman, you identified. But it is important to
keep in mind the broader context.
Every country that has a modern military and intelligence
service also has a computer network attack capability. Topping
the list are countries that are integrating computer network
attack and computer network exploit into their warfighting
strategy and doctrine. The most sophisticated actors are
obviously Russia and China.
Nation-states often use proxies to conceal their
involvement. In turn, there are different grades of proxies.
They may be state-sanctioned, state-sponsored, or state-
supported. While improvements have been made in terms of
attribution, we are by no means at the place where we hope and
need to be.
Both China and Russia are known to use proxies to do their
bidding, largely to provide plausible deniability. After these
2 countries come Iran and North Korea. While as you mentioned,
Mr. Chairman, they are not up to par with Russia and China in
terms of their capability, they are investing very heavily in
their computer network attack capabilities. What they may lack
in capability, unfortunately, they make up for in intent.
Moreover, having fewer constraints, then you are starting
to see more concern that they are turned to attack, not just
espionage, and this is evidenced by the 2013 DDOS attacks on
the U.S. banks, by the Sands Casino attack, by the Saudi Aramco
and Qatari RasGas attacks, just to name a few, and North
Korea's attacks on South Korean banks, energy companies, and,
of course, Sony.
Next up were foreign terrorist organizations. They
certainly possess the motivation and intent, but fortunately
they do not have the same level of capability that nations do,
in terms of cyber means. But the recent doxing attacks and
tactics used against U.S. military and law enforcement is
troubling and indicative of an emerging threat.
It is likely that ISIS or their sympathizers will
increasingly turn to disruptive cyber attacks. What
capabilities they don't possess they can simply buy or rent, as
cyber weapons are readily available and accessible in the deep
web and dark net. Think cyber drive-by shootings--they may not
have a sustained capability, but they can have a disruptive
capability.
By contrast, criminal organizations and criminal
enterprises possess substantial capabilities, but obviously
their motivation and intent differs from terrorists. They don't
want to bring attention to their cause. They are in it for
what? They are in it for money, so by and large they are going
to be the most quiet and subtle actors in the cyber domain.
However, it is disconcerting when you look at some of the
trends where criminal enterprises are working increasingly with
nation-states, notably Russia.
In closing, while I recognize the focus of the hearing is
on cyber threats, I do want to say a couple words on
recommendations going forward. From the standpoint of critical
infrastructure, a sustained campaign of cyber attacks hold the
potential to undermine trust and confidence in the system
itself, irrespective of the perpetrator.
How many companies, even the largest, went into business
thinking they were defending themselves against foreign
intelligence services? That is precisely what is happening
today, companies taking on nations or being exploited by
nations.
We need to impose costs for bad cyber behavior on those who
are currently acting with impunity. This demands articulating
and more importantly demonstrating a cyber deterrence strategy.
Second, cyber crime is the only crime I know of where we blame
the victim. Yes, companies can do and must do more to shore up
their cybersecurity, but the current approach or business as
usual is doomed for failure, as it is completely reactive.
If you think about it, every time we get hit or breached,
it is the equivalent of calling a locksmith, not a police
officer, the locksmith. We can't simply react and continue to
build higher walls or bigger locks.
Moving forward, in connection with this last point, the
U.S. Government must give companies who now find themselves at
the tip of the spear, the framework, parameters, and tools that
they need in order to engage in active defense to protect
themselves and their customers.
Thank you, Mr. Chairman, and sorry for going a little over.
[The prepared statement of Mr. Cilluffo follows:]
Prepared Statement of Frank J. Cilluffo
February 25, 2016
Chairman Ratcliffe, Ranking Member Richmond, and distinguished
subcommittee Members, thank you for this opportunity to testify before
you today. The United States currently faces an almost dizzying array
of cyber threats from many and varied actors. Virtually every day there
is a new incident in the headlines and the initiative clearly remains
with the attacker. Critical infrastructure, such as the U.S. financial
services sector, is in the crosshairs as a primary target; but our
banks are not alone--``lifeline'' sectors such as energy & electricity,
telecommunications, transportation, and water are similarly situated.
According to the Department of Homeland Security, cyber attacks on U.S.
industrial control systems rose 20 percent last year as compared to the
year before, with the energy sector among those hardest hit.\1\ Just
days ago, hackers took a Los Angeles hospital off-line, demanding
ransom in bitcoins to restore systems and operations.\2\ And no one is
immune from digital targeting of crucial infrastructure: earlier this
month for instance, it was reported that hackers ``used malware to
infiltrate a Russian regional bank and manipulate the ruble-dollar
exchange rate by more than 15 percent in minutes.''\3\
---------------------------------------------------------------------------
\1\ U.S. Department of Homeland Security, ICS CERT Monitor,
November/December 2015. https://ics-cert.us-cert.gov/sites/default/
files/Monitors/ICS-CERT%20Monitor_Nov-Dec2015- _S508C.pdf.
\2\ Brian Barrett, ``Hack Brief: Hackers Are Holding an L.A.
Hospital's Computers Hostage,'' Wired, Feb. 2, 2016. http://
www.wired.com/2016/02/hack-brief-hackers-are-holding-an-la-hospitals-
computers-hostage/.
\3\ Katie Bo Williams, ``Report: Hackers use Malware to Manipulate
Russian Currency Value,'' The Hill, Feb. 8, 2016. http://thehill.com/
policy/cybersecurity/268588-report-hackers-use-malware-to-manipulate-
russian-currency-value.
---------------------------------------------------------------------------
The threat tempo is magnified by the speed at which technologies
continue to evolve and by the fact that our adversaries continue to
adapt their tactics, techniques and procedures in order to evade and
defeat our prevention and response measures. While breaches to date
have largely exemplified data theft, the next step that hostile actors
take may go further--such as data manipulation. Just imagine the havoc
that a creative adversary could wreak this way, by changing our most
sensitive and private information, with everything from medical records
to stock exchanges potentially at risk. Against this background, a
strong detection and mitigation program is just as necessary as a
strong defense. While it is important to continue to invest in
technologies and procedures to prevent attacks, the reality is that
nobody can prevent all attacks; but significant steps can be taken to
minimize the impact and consequences of an attack. This posture, one of
substantial resilience, must also extend to our partners in the private
sector, which own and operate 85 percent of U.S. critical
infrastructure.
At the National level, the challenge is to understand as best we
can the threat as it manifests in so many different incarnations; and
to prioritize it so that our limited resources for preventing and
containing the challenge are directed as efficiently and effectively as
possible. This includes supporting the private sector which now finds
itself on the front lines, so as to allow U.S. businesses to engage in
active defense of their ``crown jewels''--from trade secrets to R&D-
related intellectual property and so on.
Taking a global perspective on cyber threats, the bottom line up
front is as follows:
The threat spectrum includes a wide array of actors with
different intentions, motivations, and capabilities.
Nation-states and their proxies continue to present the
greatest--meaning most advanced and persistent--threat in the
cyber domain. This testimony will focus on four key threat
actors, but it is important to keep in mind the broader
context: every country that has a modern military and
intelligence service also has a computer network attack
capability.\4\ Importantly, nation-states vary in terms of both
their capability and intent, with some being more willing to
exercise their cyber capabilities than others.
---------------------------------------------------------------------------
\4\ Over 100 governments have stood up military entities to engage
in cyber warfare, according to Peter Singer and Allan Friedman
(``Cybersecurity and Cyberwar: What Everyone Needs to Know,'' Oxford
University Press, Jan. 3, 2014). The Wall Street Journal recently
reported that ``29 countries have formal military or intelligence units
dedicated to offensive hacking,'' out of 60 that are developing tools
for computer-enabled espionage or attacks (Damian Paletta, Danny
Yadron, and Jennifer Valentino-Devries, ``Cyberwar Ignites a New Arms
Race,'' Wall Street Journal, Oct. 11, 2015). Discrepancies in these
numbers are due to varying definitions of cyber warfare units, but the
underlying point that there are a number of cyber-capable state actors
is clear.
---------------------------------------------------------------------------
Nation-states often use proxies to conceal state
involvement. In turn, there are different grades of proxies:
They may be state-sanctioned, state-sponsored, or state-
supported.
Foreign terrorist organizations certainly possess the
motivation and intent but fortunately, they have yet to fully
develop a sustained cyber attack capability. Recent ``doxing''
tactics against U.S. military and law enforcement personnel by
the Islamic State in Iraq and Syria (ISIS) is troubling and
indicative of an emerging threat. It is likely that ISIS, or
their sympathizers, will increasingly turn to disruptive cyber
attacks.
By contrast, criminal organizations possess substantial
capabilities, but their motivation and intent differs from
terrorists. Rather than being motivated by ideology or
political concerns, criminal organizations are driven by the
profit motive. However criminals are increasingly working with
or for nation-states such as Russia; and this convergence of
forces heightens the dangers posed by both groups.
Yet other entities such as ``hacktivists'' may also possess
considerable skills and abilities; and when their special
interests or core concerns are perceived to be in play, these
individuals can be a significant disruptive force whether
acting alone or loosely in tandem, essentially as a leaderless
movement. Their motive is often to cause maximum embarrassment
to their targets and to bring attention to their cause.
Regardless of actor, there are many different modalities of
attack. Tactics, techniques, and procedures include malware,
exploitation of zero-day vulnerabilities, distributed denial-
of-service (DDoS) attacks, and the use of botnets. Data may be
stolen or manipulated. The use of ransomware and crypto-
ransomware is also on the rise: Hospitals, police departments,
and schools have been hit. For a good overview of these trends,
see Symantec's 2015 Internet Security Threat Report.\5\
---------------------------------------------------------------------------
\5\ ``Internet Security Threat Report, Volume 20,'' Symantec, April
2015.
---------------------------------------------------------------------------
In reference to any threat vector, a worst-case scenario
would combine kinetic and cyber attacks; and the cyber
component would serve as a force multiplier to increase the
lethality or impact of the physical attack.
The insider threat also cuts across vectors and can
materialize within any actor, from the nation-state on down.
Finally, critical infrastructure such as U.S. banks and the
energy sector (oil & gas) are primary targets for cyber attacks
and cyber crimes. A concerted campaign against these crucial
infrastructures holds the potential to undermine trust and
confidence in the system itself, irrespective of the
perpetrator. Below the various categories of actors are
examined in greater detail in terms of the nature of the threat
they pose and how they function.
nation-states
The most advanced and persistent cyber threats to the United States
today remain nation-states and their proxies, and in particular China
and Russia. In addition, Iran has increased its cyber capabilities
exponentially in recent years. And with the hack of Sony Corporation--
which made use of more than half a dozen exploits lest the target be
patched against one or more of these vulnerabilities, North Korea too
has demonstrated itself to be a significant adversary.
Against the growing abilities of these key threat actors for ``on-
line espionage, disinformation, theft, propaganda, and data-
destruction,''\6\ the Director of National Intelligence James Clapper
recently observed (during the annual world-wide threat assessment
offered to Congress earlier this month) that, ``improving offensive
tradecraft, the use of proxies, and the creation of cover organizations
will hinder timely, high-confidence attribution of responsibility for
state-sponsored cyber operations.''\7\ This is significant because the
harder it is to attribute activity, the harder it is to deter and
punish the perpetrator.
---------------------------------------------------------------------------
\6\ Spencer Ackerman and Sam Thielman, ``US Intelligence Chief: We
Might Use the Internet of Things to Spy on You,'' The Guardian, Feb. 9,
2016. http://www.theguardian.com/technology/2016/feb/09/internet-of-
things-smart-home-devices-government-surveillance-james-clapper.
\7\ James R. Clapper, Director of National Intelligence, Statement
for the Record, ``Worldwide Threat Assessment of the U.S. Intelligence
Community,'' Senate Armed Services Committee, Feb. 9, 2016.
---------------------------------------------------------------------------
How do these actors function?
Our adversaries have engaged in brazen activity, from computer
network exploitation (CNE) to computer network attack (CNA). CNE
includes traditional, economic, and industrial espionage, as well as
intelligence preparation of the battlefield (IPB)--such as surveillance
and reconnaissance of attack targets, and the mapping of critical
infrastructures for potential future targeting in a strategic campaign.
In turn, CNA encompasses activities that alter (disrupt, destroy, etc.)
the targeted data/information. The line between CNE and CNA is thin,
however: If one can exploit, one can also attack if the intent exists
to do so.
Foreign militaries are, increasingly, integrating CNE and CNA
capabilities into their warfighting and military planning and doctrine,
as well as their grand strategy. These efforts may allow our
adversaries to enhance their own weapon systems and platforms, as well
as stymie those of others. Moreover, CNAs may occur simultaneously with
other forms of attack (kinetic, insider threats, etc.).
Our adversaries are also interweaving the cyber domain into the
activities of their foreign intelligence services, to include
intelligence derived from human sources (HUMINT).
This said our adversaries are certainly not all of a piece. Rather,
nation-states may differ from one another, or from their proxies, in
their motivation and intent. Tradecraft and its application may also
differ widely. From a U.S. perspective, the challenge is to parse our
understanding of key actors and their particular behaviors, factoring
details about each threat vector into a tailored U.S. response that is
designed to dissuade, deter, and compel.\8\
---------------------------------------------------------------------------
\8\ Frank J. Cilluffo and Rhea D. Siers, ``Cyber Deterrence is a
Strategic Imperative,'' Wall Street Journal, Apr. 28, 2015. http://
blogs.wsj.com/cio/2015/04/28/cyber-deterrence-is-a-strategic-
imperative/.
---------------------------------------------------------------------------
China
China possesses sophisticated cyber capabilities and has
demonstrated a striking level of perseverance, evidenced by the sheer
number of attacks and acts of espionage that the country commits.
Reports of the Office of the U.S. National Counterintelligence
Executive have called out China and its cyber espionage, characterizing
these activities as rising to the level of strategic threat to the U.S.
National interest.\9\
---------------------------------------------------------------------------
\9\ Foreign Spies Stealing U.S. Economic Secrets in Cyberspace,
Report to Congress on Foreign Economic Collection and Industrial
Espionage, 2009-2011, Oct. 2011. http://www.ncix.gov/publications/
reports/fecie_all/Foreign_Economic_Collection_2011.pdf.
---------------------------------------------------------------------------
The U.S.-China Economic and Security Review Commission notes
further: ``Computer network operations have become fundamental to the
PLA's strategic campaign goals for seizing information dominance early
in a military operation.''\10\
---------------------------------------------------------------------------
\10\ http://www.uscc.gov/RFP/2012/
USCC%20Report_Chinese_CapabilitiesforComputer_-
NetworkOperationsandCyberEspionage.pdf.
---------------------------------------------------------------------------
China's aggressive collection efforts appear to be intended to
amass data and secrets (military, commercial/proprietary, etc.) that
will support and further the country's economic growth, scientific, and
technological capacities, military power, etc.--all with an eye to
securing strategic advantage in relation to (perceived or actual)
competitor countries and adversaries.
In May 2015, data theft on a massive scale, affecting virtually all
U.S. Government employees, was traced back to China. Whether the hack
was state-sponsored, state-supported, or simply tolerated through a
blind eye by the government of China, is not yet clear. But military
officers in China are increasingly known to moonlight as hackers for
hire when off the clock; and countries are increasingly turning to
proxies do their bidding in order to provide plausible deniability.\11\
The extent to which China may benefit from the massive data breach such
as by using the information to blackmail and recruit Americans thus
remains to be seen.
---------------------------------------------------------------------------
\11\ Sharon L. Cardash and Frank J. Cilluffo, ``Massive Government
Employee Data Theft Further Complicates US-China Relations,'' The
Conversation, June 8, 2015. https://theconversation.com/massive-
government-employee-data-theft-further-complicates-us-china-relations-
42941; and Kelly Jackson Higgins, ``State-Owned Chinese Firms Hired
Military hackers for IT Services,'' Dark Reading, May 21, 2014. http://
www.darkreading.com/attacks-breaches/state-owned-chinese-firms-hired-
military-hackers-for-it-services/d/d-id/1269102.
---------------------------------------------------------------------------
In September 2015, China and the United States reached an agreement
on refraining from conducting economic cyber-espionage. Earlier this
month, DNI Clapper noted that there is evidence of ``limited on-going
cyber activity from China'', but as yet it has not been confirmed to be
state-sponsored. Mean time however, China appears to be giving
``security and intelligence agencies a larger role in helping Beijing
hack foreign companies.''\12\
---------------------------------------------------------------------------
\12\ Jack Detsch, ``Report: China Bolsters State Hacking Powers,''
Christian Science Monitor--Passcode, Feb. 4, 2016. http://
www.csmonitor.com/World/Passcode/2016/0204/Report-China-bolsters-state-
hacking-powers.
---------------------------------------------------------------------------
Russia
Russia's cyber capabilities are, arguably, even more sophisticated
than those of China, and Russia has been particularly adept at
integrating cyber into its strategic plans and operations.\13\ The
Office of the U.S. National Counterintelligence Executive (NCIX)
observes: ``Moscow's highly capable intelligence services are using
HUMINT, cyber, and other operations to collect economic information and
technology to support Russia's economic development and security.
Russia's extensive attacks on U.S. research and development have
resulted in Russia being deemed (along with China), ``a national long-
term strategic threat to the United States,'' by the NCIX.\14\ Also
concerning, Russia and China recently signed a cybersecurity agreement
pursuant to which they pledge not to hack one another and to share both
information and technology.\15\
---------------------------------------------------------------------------
\13\ Jason Wirtz, ``Cyber War and Strategic Culture: The Russian
Integration of Cyber Power into Grand Strategy,'' NATO Cooperative
Cyber Defence Center of Excellence, 2015.
\14\ http://www.ncix.gov/publications/reports/fecie_all/
Foreign_Economic_Collection_20- 11.pdf.
\15\ Cory Bennett, ``Russia, China Unite with Major Cyber Pact,''
The Hill, May 8, 2015. http://thehill.com/policy/cybersecurity/241453-
russia-china-unit-with-major-cyber-pact.
---------------------------------------------------------------------------
In 2009, the Wall Street Journal reported that cyber spies from
Russia and China had penetrated the U.S. electrical grid, leaving
behind software programs. The intruders did not cause damage to U.S.
infrastructure, but sought to navigate the systems and their controls.
Was this reconnaissance or an act of aggression? What purpose could the
mapping of critical U.S. infrastructure serve, other than intelligence
preparation of the battlefield? The NASDAQ exchange, too, has allegedly
been the target of a ``complex hack'' by a nation-state. Again, one
questions the motivation.\16\
---------------------------------------------------------------------------
\16\ http://www.bloomberg.com/bw/articles/2014-07-17/how-russian-
hackers-stole-the-nasdaq.
---------------------------------------------------------------------------
More recently, Russian hackers believed to be doing their
government's bidding breached the White House, the State Department,
and the Defense Department.\17\ Similar forces were also poised to
cyber-attack U.S. banks against the backdrop of economic sanctions
levied against Russia for its repeated and brazen incursions into
Ukraine.\18\
---------------------------------------------------------------------------
\17\ Evan Perez and Shimon Prokupecz, ``How the U.S. Thinks
Russians Hacked the White House,'' CNN, Apr. 8, 2015, http://
www.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/; and Cory
Bennett, ``Defense chief: Russian goals in Pentagon hack `not clear',''
The Hill, May 15, 2015, http://thehill.com/policy/cybersecurity/242213-
pentagon-head-russian-goals-not-clear-in-dod-hack.
\18\ Cory Bennett, ``Russian Hacking Group was Set to hit U.S.
Banks,'' The Hill, May 13, 2015 http://thehill.com/policy/rsecurity/
241965-russian-hacking-group-was-set-to-hit-us-banks; and ``APT28: A
Window into Russia's Cyber Espionage Operations?'' FireEye, October 27,
2015 https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-
window-into-russias-cyber-espionage-operations.html; and Frank J.
Cilluffo and Sharon L. Cardash, ``How to Stop Putin Hacking the White
House,'' Newsweek, April 13, 2015, http://www.newsweek.com/how-stop-
putin-hacking-white-house-321857; and http://www.cnbc.com/id/102025262.
---------------------------------------------------------------------------
Russia has also engaged in cyber operations against Ukraine (2014/
15), Georgia (2008), and Estonia (2007); in the first 2 instances
combining them with kinetic operations. Notably, in December 2015,
western Ukraine experienced a power outage that is believed to have
been caused by cyber attack perpetrated by Russia. Though one power
company reported the incident, ``similar malware was found in the
networks of at least 2 other utilities.''\19\ More than 4 dozen
substations were affected, as were more than a quarter of a million
customers for up to 6 hours. In addition, a simultaneous attack on call
centers (a telephony denial of service attack) hindered communication
and customer reporting of difficulties. The case is truly significant:
It is believed to represent the first time that a blackout was caused
by computer network attack.
---------------------------------------------------------------------------
\19\ Eric Auchard and Jim Finkle, ``Experts: Ukraine Utility
Cyberattack Wider than Reported,'' Reuters, January 4, 2016. http://
m.voanews.com/a/reu-experts-ukraine-utility-cyberattack-wider-than-
reported/3131554.html.
---------------------------------------------------------------------------
Over time, Russia's history has also demonstrated a toxic blend of
crime, business, and politics--and there are few, if any, signs that
things are changing today. To the contrary, a convergence between the
Russian intelligence community and cyber criminals has been observed as
relations between Russia and the West have deteriorated as the conflict
over Ukraine has unfolded.\20\ Evidence of the complicity between the
Russian government and its cyber criminals and hackers became even
starker when the Russian Foreign Ministry issued ``a public notice
advising `citizens to refrain from traveling abroad, especially to
countries that have signed agreements with the U.S. on mutual
extradition, if there is reasonable suspicion that U.S. law enforcement
agencies' have a case pending against them.''\21\
---------------------------------------------------------------------------
\20\ John Leyden, ``Ukraine Conflict Spilling Over into Cyber-
crime, Warns Former Spy Boss,'' The Register, April 16, 2015. http://
www.theregister.co.uk/2015/04/16/cyber_war_key- note_infiltrate/.
\21\ Kevin Poulsen, ``Russia Issues International Travel Advisory
to its Hackers,'' Wired, September 3, 2013. http://www.wired.com/2013/
09/dont-leave-home/.
---------------------------------------------------------------------------
Notably the DNI stated to Congress this month that Russia is
``assuming a more assertive cyber posture based on its willingness to
target critical infrastructure systems and conduct espionage operations
even when detected.''\22\ It has also been reported that Russia's
Defense Ministry is standing up a cyber command which will ``be
responsible for conducting offensive cyber activities, including
propaganda operations and inserting malware into enemy command and
control systems.''\23\
---------------------------------------------------------------------------
\22\ James R. Clapper, Director of National Intelligence,
``Worldwide Threat Assessment of the US Intelligence Community,''
Statement for the Record before the U.S. Senate, Armed Services
Committee, February 9, 2016. http://www.dni.gov/files/documents/
SASC_Unclassified_- 2016_ATA_SFR_FINAL.pdf.
\23\ James R. Clapper, Director of National Intelligence,
``Worldwide Cyber Threats,'' Statement for the Record before The U.S.
House of Representatives, Permanent Select Committee on Intelligence,
September 10, 2015. http://docs.house.gov/meetings/IG/IG00/20150910/
103797/HHRG-114-IG00-Wstate-ClapperJ-20150910.PDF.
---------------------------------------------------------------------------
Iran
Iran has invested heavily in recent years to deepen and expand its
cyber warfare capacity. Under President Rouhani, the country's
cybersecurity budget has increased ``twelve-fold''; and the country may
now be considered ``a top-five world cyber power.''\24\
---------------------------------------------------------------------------
\24\ Cory Bennett, ``Iran has Boosted Cyber Spending Twelvefold,''
The Hill, March 23, 2015. http://thehill.com/policy/cybersecurity/
236627-iranian-leader-has-boosted-cyber-spending-12-fold.
---------------------------------------------------------------------------
This concerted effort and the associated rapid rise through the
ranks comes in the wake of the Stuxnet worm, which targeted Iran's
nuclear weapons development program. How the recently concluded
international agreement on containing that program will affect Iran's
behavior in the cyber domain over the long run remains to be seen--
although early reports indicate that Iran ``has ramped up its cyber
espionage, targeting . . . the emails and social media accounts of
State Department officials whose work is related to Iran and the Middle
East.''\25\ Another important but open question is whether and how
recent reports that the United States had formulated plans to disable
Iran's nuclear program by cyber means, in the event that nuclear
negotiations failed and military conflict ensued, may affect Iran's
cyber-behavior moving forward.\26\
---------------------------------------------------------------------------
\25\ Cory Bennett, ``Iran Launches Cyber Offensive after Nuclear
Deal,'' The Hill, November 24, 2015. http://thehill.com/policy/
cybersecurity/261190-iran-switches-to-cyber-espionage-after-nuclear-
deal.
\26\ David Sanger and Mark Mazetti, ``U.S. Had Cyberattack Plan if
Iran Nuclear Dispute Led to Conflict,'' The New York Times, February
16, 2016. http://.nytimes.com/2016/02/17/world/middleeast/us-had-
cyberattack-planned-if-iran-nuclear-negotiations-
failed.html?smid=nytcore-iphone-share&smprod=nytcore-iphone.
---------------------------------------------------------------------------
We also know that Iran has engaged in a concerted cyber campaign
against U.S. banks.\27\ In January 2013, the Wall Street Journal
reported \28\ on ``an intensifying Iranian campaign of cyber attacks
[thought to have begun months earlier] against American financial
institutions'' including Bank of America, PNC Financial Services Group,
Sun Trust Banks Inc., and BB&T Corp. Six leading U.S. banks--including
J.P. Morgan Chase--were targeted in ``the most disruptive'' wave of
this campaign, characterized by DDoS attacks. The Izz ad-Din al-Qassam
Cyber Fighters claim responsibility for all of these incidents.
---------------------------------------------------------------------------
\27\ Shane Harris, ``Forget China: Iran's Hackers are America's
Newest Cyber Threat,'' Foreign Policy, February 18, 2014. http://
foreignpolicy.com/2014/02/18/forget-china-irans-hackers-are-americas-
newest-cyber-threat/.
\28\ Siobhan Gorman and Danny Yadron, ``Banks Seek U.S. Help on
Iran Cyberattacks,'' The Wall Street Journal, January 16, 2013. http://
www.wsj.com/articles/SB10001424127- 887324734904578244302923178548.
---------------------------------------------------------------------------
U.S. officials also believe Iran to be responsible for a cyber
attack against the Sands Casino in Las Vegas owned by politically
active billionaire Sheldon Adelson. The incident appears to be a first:
``a foreign player simply sought to destroy American corporate
infrastructure on such a scale . . . PCs and servers were shut . . .
down in a cascading IT catastrophe, with many of their hard drives
wiped clean.''\29\
---------------------------------------------------------------------------
\29\ Ben Elgin and Michael Riley, ``Now at the Sands Casino: An
Iranian hacker in Every Server,'' Bloomberg Business, December 11,
2015. http://www.bloomberg.com/bw/articles/2014-12-11/iranian-hackers-
hit-sheldon-adelsons-sands-casino-in-las-vegas.
---------------------------------------------------------------------------
Iran has also long relied on proxies such as Hezbollah--which now
has a companion organization called Cyber Hezbollah--to strike at
perceived adversaries. Iran and Hezbollah are suspected in connection
with the August 2012 cyber attacks on the state-owned oil company Saudi
Aramco and on Qatari producer RasGas, which resulted in the compromise
of approximately 30,000 computers.\30\
---------------------------------------------------------------------------
\30\ Kim Zetter, ``The NSA Acknowledges What we all Feared: Iran
Learns from US Cyberattacks,'' Wired, February 10, 2015. http://
www.wired.com/2015/02/nsa-acknowledges-feared-iran-learns-us-
cyberattacks/.
---------------------------------------------------------------------------
In addition, elements of Iran's Revolutionary Guard Corps (IRGC)
have also openly sought to pull hackers into the fold, including the
political/criminal hacker group Ashiyane; and the Basij, who are paid
to do cyber work on behalf of the regime.\31\
---------------------------------------------------------------------------
\31\ Frank J. Cilluffo, ``The Iranian Cyber Threat to the United
States,'' Testimony before the U.S. House of Representatives, Committee
on Homeland Security, Subcommittee on Counterterrorism and Intelligence
and Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies, April 26, 2012. http://cchs.gwu.edu/sites/
cchs.gwu.edu/files/downloads/Testimony_Cilluffo_April_26_2012.pdf.
---------------------------------------------------------------------------
North Korea (DPRK)
As perhaps the world's most isolated state-actor in the
international system, North Korea operates under fewer constraints. For
this reason, the country poses an important ``wildcard'' threat, not
only to the United States but also to the region and to broader
international stability.
South Korea's Defense Ministry estimates that North Korea possesses
a force of ``about 6,000 cyber agents.''\32\ A frequent DPRK target,
South Korea has attributed a series of cyber attacks--upon its Hydro &
Nuclear Power Company (2014) and upon its banks and broadcasting
companies (2013), for example--to North Korea.\33\
---------------------------------------------------------------------------
\32\ Leo Byrne, ``N. Korean Hacking Threat Leads to Blue House
Cyber-security Office,'' NK News, March 31, 2015. http://
www.nknews.org/2015/03/n-korean-hacking-threat-leads-to-blue-house-
cyber-security-office/.
\33\ Tae-jun Kang, ``South Korea Beefs up Cyber Security with an
Eye on North Korea,'' The Diplomat, April 1, 2015. http://
thediplomat.com/2015/04/south-korea-beefs-up-cyber-security-with-an-
eye-on-north-korea/.
---------------------------------------------------------------------------
From a U.S. standpoint, it is the North Korean attack on Sony
Pictures Entertainment late last year that looms large: `` `There was
disruption. There was destruction of data. There was an intent to hurt
the company. And it succeeded, bringing a major U.S. entertainment
company to its knees.''\34\
---------------------------------------------------------------------------
\34\ James Lewis, ``The Attack on Sony,'' CBS News 60 Minutes,
April 12, 2015. http://www.cbsnews.com/news/north-korean-cyberattack-
on-sony-60-minutes/.
---------------------------------------------------------------------------
Where will the DPRK go from here? In the words of an Australian
expert, ``There's growing concern amongst analysts, and government
officials alike that North Korea has begun to rapidly accelerate its
development of advanced offensive cyber capabilities'.''\35\ This
concern is compounded by the fact that, potentially, ``cyber operations
. . . could be integrated in the future with a military strategy
designed to disrupt U.S. systems.''\36\
---------------------------------------------------------------------------
\35\ Leo Byrne, ``N. Korean Hacking Threat Leads to Blue House
Cyber-security Office,'' NK News, March 31, 2015. http://
www.nknews.org/2015/03/n-korean-hacking-threat-leads-to-blue-house-
cyber-security-office/.
\36\ Harper Neidig, ``GOP Senator: North Korea Cyber Threat
Growing,'' The Hill, October 7, 2015. http://thehill.com/policy/
cybersecurity/256274-gop-senator-north-korean-cyber-threat-growing.
---------------------------------------------------------------------------
These developments are all the more disturbing when considered in
tandem with the following trenchant question raised by one of my CCHS
colleagues: `` `Given North Korea's proclivity to provide other
destructive technologies and military assistance to rogue states and
non-state actors, would the DPRK also assist them with destructive
cyber capabilities'?''\37\
---------------------------------------------------------------------------
\37\ Rhea Siers, ``North Korea: The Cyber Wild Card,'' Journal of
Law & Cyber Warfare, 2014.
---------------------------------------------------------------------------
In addition, reports that the United States targeted the DPRK's
nuclear program with a version of Stuxnet, but without success, may--if
true--further complicate the challenge posed by North Korea.\38\
---------------------------------------------------------------------------
\38\ Joseph Menn, ``Exclusive: U.S. Tried Stuxnet-style Campaign
Against North Korea but Failed--Sources,'' Reuters, May 29, 2015.
http://www.reuters.com/article/2015/05/29/us-usa-northkorea-stuxnet-
idUSKBN0OE2DM20150529.
---------------------------------------------------------------------------
On many levels, North Korea is both a troubling and unusual case.
Ordinarily, it is organized crime that seeks to penetrate the state. In
this case, however, it is the other way around--with the state trying
to penetrate organized crime in order to ensure the survival of the
regime/dynasty.
Foreign Terrorist Organizations
To date, terrorist organizations have not demonstrated the advanced
level of cyber attack capabilities that would be commensurate with
these groups' stated ambitions. Undoubtedly, though, these
organizations will persist in their efforts to augment their in-house
cyber skills and capacities. Of particular concern are foreign
terrorist organizations that benefit from state sponsorship and
support, as well as the Islamic State in Iraq and Syria (ISIS/ISIL).
Given ISIS' savvy use of social media and how it has built and
maintained a sophisticated propaganda machine, it is likely that the
group--and their sympathizers--will turn their efforts towards
developing a more robust cyber attack capability.
The current level of cyber expertise possessed by terrorist groups
should bring us little comfort, however, because a range of proxies for
indigenous cyber capability exist: There is an arms bazaar of cyber
weapons, and our adversaries need only intent and cash to access it.
Capabilities, malware, weapons, etc.--all can be bought or rented.\39\
---------------------------------------------------------------------------
\39\ Frank Cilluffo, ``Cyber Threats from China, Russia, and Iran:
Protecting American Critical Infrastructure,'' Testimony before the
U.S. House of Representatives, Committee on Homeland Security
Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies, March 20, 2013. http://cchs.gwu.edu/sites/cchs.gwu.edu/
files/downloads/Testimony_- Cilluffo_March_20_2013.pdf.
---------------------------------------------------------------------------
In terms of what we have seen recently, ISIS has invoked a new
tactic against members of the U.S. military and law enforcement:
``Doxing''--which involves gathering personal information from sources
on-line and then publishing that data on-line, which puts the victim at
risk of further attack in both the physical and virtual worlds.\40\ A
prevalent theme in the drumbeat of ISIS propaganda videos has been
repeated calls for ``lone wolf'' attacks against Western law
enforcement and military personnel.
---------------------------------------------------------------------------
\40\ Kate Knibbs, ``ISIS Has a New Terrorism Tactic: Doxing US
Soldiers,'' Gizmodo, March 23, 2015. http://gizmodo.com/isis-has-a-new-
terrorism-tactic-doxing-us-soldiers-1693078782.
---------------------------------------------------------------------------
Terrorist organizations also use the internet in a host of ways
that serve to further their ends and put the United States and its
allies, and the interests of both, in danger. By way of illustration,
the internet helps terrorists plan and plot, radicalize and recruit,
and train and fundraise. To help protect and facilitate these on-line
activities, ISIS in particular has created ``a new technical `help
desk' '' that unifies its various tech support efforts, including for
encryption.\41\
---------------------------------------------------------------------------
\41\ Cory Bennett, ``New ISIS `Help Desk' to Aid Hiding From
Authorities,'' The Hill, February 10, 2016. http://thehill.com/policy/
cybersecurity/268940-new-isis-help-desk-unifies-encryption-support.
---------------------------------------------------------------------------
As terrorist cyber capabilities grow more sophisticated, one
especially concerning scenario would involve terrorist targeting of
U.S. critical infrastructure, using a mix of kinetic and cyber attacks.
In this scenario, the cyber component could serve as a force multiplier
to increase the lethality or impact of the physical attack.
Criminal Organizations
Cyber space has proven to be a gold mine for criminals, who have
moved ever more deeply into the domain as opportunities to profit there
continue to multiply. These criminal groups operate in layered
organizations that share networks and tools. Despite reaping 30 cents
on the dollar, there is a low chance that these criminals will be held
accountable for their actions because they benefit from safe havens in
Eastern Europe--which is, according to European Police Office (EUROPOL)
Director Robert Wainwright, the source of 80 percent of all cyber
crime.
The illicit activities of criminal groups in the virtual world are
typically associated with the ``Dark Web,'' a sub-set of the internet
where the IP addresses of websites are concealed. Here, ``the sale of
drugs, weapons, counterfeit documents and child pornography''
constitute ``vibrant industries.''\42\ Cyber criminals have also
demonstrated substantial creativity, such as extortion schemes
demanding payment via cryptocurrencies, such as Bitcoin. For example,
most criminals demand payment for ``ransomware'' attacks (such as
GameOver Zeus or CryptoLocker) to be made via cryptocurrencies, which
are attractive to criminal organizations due to their anonymity or
pseudonymity. Increasingly, more traditional organized crime groups,
such as drug trafficking organizations, are also turning to virtual
currencies for payment and to move their money in the black market.
---------------------------------------------------------------------------
\42\ Andy Greenberg, ``Hacker Lexicon: What is the Dark Web?''
Wired, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-
whats-dark-web/.
---------------------------------------------------------------------------
According to EUROPOL whose focus is serious international organized
crime, ``cyber crime has been expanding to affect virtually all other
criminal activities'':
``The emergence of crime-as-a-service online has made cybercrime
horizontal in nature, akin to activities such as money laundering or
document fraud. The changing nature of cybercrime directly impacts on
how other criminal activities, such as drug trafficking, the
facilitation of illegal immigration, or the distribution of counterfeit
goods are carried out . . . General trends for cybercrime suggest
considerable increases in scope, sophistication, number and types of
attacks, number of victims and economic damage . . . This allows
traditional OCGs [organized criminal groups] to carry out more
sophisticated crimes, buying access to the technical skills and
expertise they require.''\43\
---------------------------------------------------------------------------
\43\ ``Massive Changes in the Criminal Landscape,'' Europol, 2015;
and ``Counterterrorism & Cybersecurity: Insights from Europol Director
Rob Wainwright,'' Center for Cyber and Homeland Security, April 30,
2014. https://www.europol.europa.eu/newsletter/massive-changes-
criminal-landscape; and http://cchs.gwu.edu/counterterrorism-
cybersecurity-insights-europol-director-rob-wainwright.
Cyber criminals possess substantial cyber capabilities and,
increasingly, are working with or for nation-states such as Russia.
This convergence of forces heightens the dangers posed by both groups
(e.g., criminal organizations and nation-states). And from a monetary
standpoint alone, the amounts at stake are staggering. Consider:
Russia's slice of the 2011 global cyber crime market has been pegged at
$2.3 billion.\44\
---------------------------------------------------------------------------
\44\ ``Leading Russian Security Firm Group-IB Releases 2011 Report
on Russian Cybercrime,'' Group-IB, April 24, 2012. http://www.group-
ib.com/?view=article&id=705.
---------------------------------------------------------------------------
``Hacktivists'' and Other Entities
Cyber space largely levels the playing field, allowing individuals
and small groups to have disproportionate impact. While some
``hacktivists'' may possess considerable abilities, the bar here is
relatively low, and virtually anyone with a measure of skills and a
special interest can cause harm.
Though great sophistication may not be needed to achieve disruption
and draw attention to a particular concern, individuals and entities in
this category can be a significant force, whether acting alone or
loosely in tandem, essentially as a leaderless movement.
U.S. Response Measures
This varied threat landscape has a direct impact on a wide variety
of cybersecurity policy questions facing the Congress and the Executive
branch, including on current issues such as Federal spending on
cybersecurity, the implementation of the new information-sharing law,
Federal support for our critical infrastructure sectors, and the
``going dark'' debate over encryption in our electronic devices. In the
remainder of my testimony, I will briefly highlight 2 important cyber
issues that the GW Center for Cyber & Homeland Security is currently
focusing on: Deterrence and active defense.
First, I will discuss deterrence. Having just racked and stacked
the wide range of cyber threats that presently exist, and that may
evolve and emerge in the future, the next step is to confront, contain,
and thwart them by imposing significant costs on our adversaries for
engaging in unacceptable behaviors.\45\ Unless our adversaries
experience such consequences, there will be little incentive for them
to cease the actions and attacks in question. Changing their incentive
structure requires signaling to hostile actors that the United States
is both capable and willing to play offense. In turn, this means being
more transparent about U.S. abilities and demonstrating the will to
invoke them as required.
---------------------------------------------------------------------------
\45\ Frank Cilluffo and Rhea Siers, ``Cyber Deterrence is a
Strategic Imperative,'' The Wall Street Journal, April 28, 2015; http:/
/blogs.wsj.com/cio/2015/04/28/cyber-deterrence-is-a-strategic-
imperative/; and https://cchs.gwu.edu/sites/cchs.gwu.edu/files/
downloads/INSS%20Blueprint%20for%20Cyber%20Deterrence.pdf.
---------------------------------------------------------------------------
As things now stand however, our adversaries are acting largely
without penalty and thus continue to transgress. Moreover when an
incident occurs, our tendency is to blame the victim. This is a deeply
flawed state of affairs that must be reversed. In fact, we should go
further than simple reversal by working not only to deter our
adversaries but to dissuade and compel them as well. Further
elaborating U.S. policy and position in such a manner would be
complementary to on-going U.S. and international efforts to enumerate
and flesh out global norms of conduct for cyber space.
The second crucial shortcoming in current U.S. strategy and posture
regards active defense, meaning the use of proactive measures by U.S.
companies to defend themselves and their most critical assets against
sophisticated and determined cyber adversaries. These adversaries
include nation-states and their proxies. Although America's business
community never asked to face off against foreign intelligence and
security services (or those who would do their bidding), this is the
position in which our companies find themselves. Accordingly, at
minimum it is the responsibility of the U.S. Government to delineate
and offer our private-sector partners an operating framework--that
provides the parameters and supports that they need--in order to engage
in active defense. The Center has formed a task force to examine these
issues that is co-chaired by Admiral Dennis Blair, Secretary Michael
Chertoff, Nuala O'Connor of the Center for Democracy & Technology, and
me. We will be releasing a major report addressing these questions
later this year.\46\
---------------------------------------------------------------------------
\46\ ``Center Announces New Project on Active Defense against Cyber
Threats,'' GW Center for Cyber and Homeland Security, February 4, 2016.
http://cchs.gwu.edu/center-announces-new-project-active-defense-
against-cyber-threats.
---------------------------------------------------------------------------
Concluding Thoughts
Looking ahead, many crucial questions on the threat side remain
open, including: Will the nuclear weapons agreement concluded with Iran
curb or embolden Iranian cyber operations against the United States and
its allies over the longer term? Will the December 2015 cyber attack on
Ukraine's electric grid, that caused a power outage in the western
portion of the country, become a more commonplace tactic? Will hackers
engage increasingly in data manipulation, as distinct from data theft?
Equally important will be the attack vectors that, for whatever reason,
we fail to anticipate. While we cannot know in advance every threat
that may lurk around every virtual corner, we can certainly take the
steps necessary to maximize our ability to detect, prevent, protect,
and respond. In some instances, it may be that our ability to bounce
back--our resilience--proves to be a valuable deterrent to our
adversaries. At present however, there is still much work to be done
before we can say that we have done all that we can. That work will be
all the more crucial to accomplish as the Internet of Things expands
exponentially the potential attack surface and leads the cyber domain
to converge ever-further with the physical world. Secure design,
architected from the get-go, will be crucial to resilience.\47\
---------------------------------------------------------------------------
\47\ Michael Papay, Frank Cilluffo, Sharon Cardash, ``Opinion:
Fortifying the Internet of Things means baking in security at the
beginning,'' The Christian Science Monitor, March 6, 2015. http://
www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0306/Opinion-
Fortifying-the-Internet-of-Things-means-baking-in-security-at-the-
beginning.
---------------------------------------------------------------------------
Thank you again for this opportunity to testify on this important
topic.\48\ I look forward to trying to answer any questions that you
may have.
---------------------------------------------------------------------------
\48\ I would like to thank the Center's Associate Director Sharon
Cardash for her help in drafting my prepared testimony.
Mr. Ratcliffe. All right. Thank you, Mr. Cilluffo. The
Chair now recognizes Ms. Kolde for 5 minutes for her opening
statement.
STATEMENT OF JENNIFER KOLDE, LEAD TECHNICAL DIRECTOR, FIRE EYE
THREAT INTELLIGENCE
Ms. Kolde. Thank you, Mr. Chairman, Ranking Member
Richmond, Congressman Marino, Congressman Donovan, thank you
for the opportunity to speak with you today.
FireEye has a unique position within the security field. We
have broad visibility across the threat landscape through a
global network of over 10 million sensors. We have deep insight
into threat actor activity through our Mandiant consulting and
instant response practice, and we combine this visibility with
contextual analysis and intelligence through FireEye
intelligence in our newly-acquired iSIGHT partners.
I have personally spent nearly 20 years in the information-
sharing field in both the Government and private sector,
including nearly 10 years using threat intelligence to identify
and track sophisticated threat groups. I would like to describe
the changing threat landscape as we see it.
FireEye currently tracks several hundred threat groups,
including nation-state sponsor groups, cyber criminals, and
terrorists. Across all of these groups, malicious activity
continues to evolve more quickly than the ability of the
private sector to safeguard assets, including financial data,
personal health information, and intellectual property.
We continue to see operations from nation-state actors.
This includes increased activities from countries such as
Russia, whose actions have become both more public and more
aggressive, as well as from Iran and North Korea, who while not
as sophisticated have shown a willingness to engage in
destructive attacks.
We also see operations from China-based groups, though it
is premature to speculate whether or not this activity
contravenes the recent agreements restricting commercial cyber
espionage. At a minimum, we assess that China will continue to
engage in cyber operations for the purpose of traditional
espionage.
We also see cyber crime continue unabated. This includes
well-known activity such as identity theft, financial fraud,
and theft of payment card data.
However, cyber criminals are becoming more creative in
their methods. Examples include hacking companies for insider
business information in order to gain an advantage in the U.S.
stock market and using extortion against corporations, whether
that is ransomware used to encrypt corporate data or
threatening to expose sensitive corporate information if the
criminals are not paid.
We have directly observed very little activity that we
would ascribe to cyber terrorists and their actions to date
have largely been unsophisticated, such as defacements of
websites and denial-of-service attacks. However, we assess that
terrorist groups remain interested in cyber operations and
recruiting individuals with advanced skills or insider access
and could potentially carry out an impactful attack using only
unsophisticated tools.
We also see an increase in the sophistication of the tools
and techniques used by some of the nation-state and criminal
groups that we monitor. This includes tools that can evade
traditional operating system security and security software or
that reside only in computer memory and leave very few forensic
traces.
We also see increased efforts by the attackers to hide in
plain sight so that hacker activity is indistinguishable from
legitimate user behavior without using advanced detection
methods.
These trends are concerning. Threat groups of all types
continue to believe that cyber operations offer an asymmetric
advantage. That is, groups with otherwise limited resources can
obtain high rewards with low risk. Challenges inherent to our
ability to effectively investigate, analyze, attribute, and
prosecute activity leads to the sense that these groups can
operate with impunity.
The challenges we face are many, and any solution to this
complex problem must be multifaceted. I offer the following as
essential, though not comprehensive, components to that
solution.
First the public and private sectors must share information
about malicious activity in a trusted, timely, and automated
manner. However, the information shared cannot consist solely
of technical indicators, but must be enhanced with contextual
data that will allow defenders to prioritize alerts and respond
faster and more effectively with appropriate countermeasures.
Second, we must understand that it is infeasible to secure
networks or assets to prevent all possible attacks.
Organizations must understand that real risks and advanced
attacks will occur. We must proactively hunt for malicious
activity that may have breached our defenses. We must be
prepared to detect and respond to malicious activity across the
entire attack life cycle.
Finally, we must continue to make it more difficult for
attackers to reach their objectives. This should not be
achieved by implementing compliance-type check lists, but
through a risk-based approach where organizations identify
critical assets and implement appropriate countermeasures based
on a real-world understanding of how attackers operate.
By improving our defenses and the ability to quickly detect
malicious activity, we may slow down attackers to give
defenders more time to respond or, better yet, deter some
opportunistic attackers all together.
Mr. Chairman, thank you for the opportunity, and I look
forward to your questions.
[The prepared statement of Ms. Kolde follows:]
Prepared Statement of Jennifer Kolde
February 25, 2016
Mr. Chairman, Ranking Member Richmond, and Members of the
subcommittee, thank you for the opportunity to contribute to today's
hearing. I am the lead technical director for threat intelligence at
FireEye, a private company that provides software and services to
detect and respond to digital intrusions. My testimony draws on our
company's substantial experience remediating the most devastating
breaches around the world by nation-state threat actors and cyber
criminals and our advanced sensor network that protects our clients
every day.
I have spent nearly 20 years in the information technology and
information security fields, in roles from systems administration to
network security to computer forensics and incident investigation. My
experience includes 5 years as a computer scientist with the Federal
Bureau of Investigation in support of cyber National security
investigations. Following my Government service, I joined Mandiant--
later acquired by FireEye--to help protect the private sector.
FireEye learns about the threat landscape through a unique
combination of sources and methods:
Our security consulting practice,
Our global network of more than 10 million sensors, and
A world-wide team of intelligence analysts.
Our consulting division, Mandiant, investigates and remediates the
world's most devastating breaches; FireEye's endpoint and network
sensors feed data to a repository of active cyber threat operations;
and newly-acquired iSIGHT Partners offers unparalleled analytic
insight. We use this robust set of data to correlate threat activity
and characterize threat actors' capabilities and motivations. This
combination of visibility and resources puts FireEye in a unique
position to observe and analyze threat activity across a range of
countries, industries, and customers, and to gain insight into
adversarial operations during, after, and in some cases before an
attack. I would like to describe the changing threat landscape as we
see it.
threat actors
I have spent nearly 10 years identifying and tracking sophisticated
threat groups, both within the Government and the private sector.
During that time I have watched the number of adversaries increase and
their methods change dramatically. FireEye now tracks approximately 500
threat groups, including 29 advanced persistent threat (APT) \1\ groups
that we strongly suspect are supported by governments. Other tracked
groups include criminals operating for financial gain, as well as
others where we currently have insufficient information to characterize
their activity.
---------------------------------------------------------------------------
\1\ Advanced Persistent Threat (APT) actors are assessed to take
direction from a nation-state to steal information or conduct network
attacks, tenaciously pursue their objectives, and are capable of using
a range of tools and tactics.
---------------------------------------------------------------------------
This multitude of threat actors--suspected government actors and
enterprise cyber criminals alike--continues to evolve more quickly than
the ability of the private sector to safeguard assets, including
financial data, personal health information, and intellectual property.
Governments
FireEye has regularly observed cyber threat activity from
individuals we believe are sponsored by government agencies. While
China has always been a prominent player in this area, in recent years
we have seen additional threats from countries including Russia, Iran,
North Korea, and Syria. This is likely due both to increased visibility
into these threats, as well as an actual uptick in activity as nations
attempt to increase and refine their capabilities in the cyber realm.
China
China-based groups have historically been the most prolific threat
actors we observed in terms of the number of distinct threat groups and
the number of victim organizations. The agreement reached in September
between Chinese President Xi Jinping and President Barack Obama to
restrict commercial cyber espionage has the potential to significantly
realign the threat landscape. FireEye continues to monitor known and
suspected activity from China-based groups, but we believe it is still
too early to draw definitive conclusions about China's compliance or
lack thereof with the agreement and how or whether China may change its
operations. At a minimum, we assess that China will continue to engage
in cyber espionage against the United States to obtain political and
foreign policy information, to gain insight into the U.S. activities of
activists and religious and ethnic minorities advocating change in
China, and possibly to acquire security-related information from
private companies with a clear tie to national defense.
Russia
Russia has become increasingly aggressive over the past few years,
both geopolitically and in cyber space. Russia has always held a
reputation as a skilled and stealthy cyber opponent, but recently their
activities have been more widely exposed and discussed, including by
FireEye in our reporting on groups we call APT28 and APT29. Despite on-
going publicity surrounding their tools and operations, we have seen no
significant drop in their activity. APT28 has used zero-day exploits
and spear phishing to aggressively pursue military and political
secrets in the United States, Europe, the Middle East, and the Asia-
Pacific region. APT29, which we have observed through incident response
engagements, proved to be a skilled and adaptable opponent. Many groups
will go silent or abandon victim networks when discovered. However, in
this case APT29 battled to retain control of the environment using
speed and scale that would outmatch all but the most skilled and
advanced network defenders.
Russia also appears to use its cyber skills in support of real-
world military or information warfare operations. Examples include
suspicions that Russian state-sponsored hackers were behind December
2015 power outages in the Ukraine, as well as a suspected ``false
flag'' operation by APT28: While purportedly a pro-Jihadist activist
group calling themselves the ``CyberCaliphate'' was responsible for an
attack on French media outlet TV5Monde in April 2015, technical
indicators suggest that APT28 was actually responsible.
Iran and North Korea
Iran and North Korea are more recent players on the stage, though
what they currently lack in capability and sophistication they have
been willing to make up for in brazenness. Both have demonstrated the
intent and willingness to employ disruptive operations through denial
of service or destructive malware--Iran purportedly overwriting data on
thousands of computers at Saudi Aramco in 2012, and North Korea in a
similar attack on Sony Pictures Entertainment in 2014.
To date, neither Iran nor North Korea has matched the scope of
operations or level of sophistication seen by countries such as China
or Russia. Iran is believed to have targeted U.S. defense companies,
politicians, and policy makers, as well as political dissidents and
reporters or members of the media. These types of attacks were
documented in FireEye's report on ``Operation Saffron Rose'' and in the
iSIGHT Partners--now part of FireEye--report on the ``Newscaster''
activity.
Both Iran and North Korea have been successful despite relative
isolation from the global computer security community. Iranian
attackers have custom tools including some made by domestic security
companies, but they also use publicly-available tools. Iranian threat
groups frequently rely on spear phishing and social engineering
techniques to trick victims into installing malware or providing
usernames and passwords to fake login sites, as opposed to leveraging
exploits to compromise computers.
Interestingly, as Iran and North Korea attempt to increase their
capabilities in the cyber realm, they appear to be taking lessons not
only in tools and techniques, but also in stealth and ``false flag''
operations. Iran has frequently leveraged social media, creating fake
profiles used to connect with targets to learn about victims'
movements, activities, and other connections. Several operations
believed to have been carried out by North Korea were executed to
appear to be the responsibility of hacktivists or patriotic hackers.
Cyber Criminals
Cyber crime continues to be a concern, impacting individual
citizens through identity theft and corporations through large-scale
financial fraud and associated costs, including network remediation and
reissuance of payment cards. Theft of payment card data continues
unabated, with merchants of all sizes affected. However, as the value
of payment card and bank account data decreases in the criminal
underground, cyber criminals are becoming more innovative in their
methods to steal and monetize organizations' information. For example,
FireEye identified criminal activity in 2014, carried out by a group we
call FIN4, where that group stole insider information from
pharmaceutical, health care, and consulting companies to gain a
competitive advantage in capital markets in the United States.
We are also seeing a rise in the use of ransomware-malware that
encrypts the victim's data, requiring them to pay a ransom to the cyber
criminal to ``unlock'' or decrypt their information. Criminals
originally used ransomware targeted at individual computers to charge
small unlocking fees, but we are now seeing criminals target
organizations with more sizeable extortion demands to restore encrypted
corporate data. These types of attacks could have significant impact if
carried out against organizations that provide essential services or
support critical infrastructure, including agencies and departments in
the U.S. Government.
Beyond ransomware, criminals may take a cue from recent nation-
state activity, and conduct extortion not merely by encrypting data,
but by threatening to destroy computers or expose sensitive company
data. The Sony Pictures incident, where both techniques were used,
played out very publicly and very effectively for the attackers. Given
law enforcement's limited ability to identify and prosecute
perpetrators outside their borders or otherwise impose meaningful
consequences, criminals may be emboldened to raise the stakes in
exchange for a higher ransom.
Terrorists
To date, FireEye has observed very little cyber activity that we
would directly attribute to terrorist groups. Most of the cyber
activity from groups claiming affiliation with terrorist organizations,
including groups claiming affiliation with the Islamic State, has been
unsophisticated. Our company does not monitor terrorist social media
use, but we assess these groups are using social networks to recruit
individuals with advanced cyber skills. Other potential recruitment
targets would include insiders who could facilitate cyber operations,
based on the behavior of cyber crime groups who assemble their teams
this way.
Terrorists are likely to continue using cyber operations to target
and expose seemingly sensitive data, such as lists of Government and
military employees, most of which is gained through careful collection
of publicly-available information or by targeting personal accounts. We
believe that most terrorist organizations currently do not have the
capability to carry out sophisticated cyber attacks on their own, and
would need to cultivate those capabilities through recruitment of
highly-skilled individuals, or through sufficient funds to purchase or
hire such expertise. Current capabilities are likely limited to blunt
attacks such as denial-of-service or destruction of data or resources,
possibly carried out in concert with a kinetic attack.
information sharing
Information sharing is critical to the ability of the United States
to successfully defend itself in cyber space. It will not, however,
eliminate the risk of cyber attacks.
To defeat the most advanced threat groups, the private and public
sector must share information not only about technical indicators--
which are reactive--but about motivations, plans, and intentions that
would enable forewarning. This information must be Unclassified and
shared in near-real-time for network defenders to regain the upper hand
against the best state-sponsored threat groups. Information sharing
must be part of a comprehensive security strategy and combined with
broader efforts to educate organizations about real risks, train
security personnel to combat them effectively, and develop incentives
so that the public and private sectors are motivated to invest in
protecting data, assets, and critical infrastructure.
reward outweighs risk
I have described how threat actors have increased in number and
sophistication, and how groups of all types who once had only limited
cyber capabilities have become more of a threat. This trend is due to
multiple factors, including:
The asymmetric advantage of cyber operations. Groups with
otherwise limited military, political, or economic capabilities
can leverage cyber operations to damage an opponent or deliver
a political message, often with limited investment in resources
and to disproportionate effect.
The on-going perception that threat groups can largely
operate with impunity. The rewards to be had from conducting
cyber operations greatly outweigh the risks, for state-
sponsored, criminal, and terrorist hacking groups alike.
The perception of low risk and high reward for nation-state,
criminal, and terrorist groups alike stems from a number of challenges
related to the investigation, analysis, attribution, and prosecution of
activity in the cyber realm:
Forensic data can be volatile in the best of circumstances,
and many groups take pains to limit or delete traces of their
activity, further undermining investigators' ability to
understand what occurred.
Cyber crime and cyber operations are not limited by
geographical boundaries, and groups may deliberately spread
their activity across multiple countries to mislead and
complicate investigation and prosecution.
The ability to discern a threat group's true purpose and
motivation becomes more difficult as nation-state and criminal
actors adopt each other's tools and techniques. Groups may also
attempt to actively misdirect investigators using ``false
flag'' efforts.
Attribution--the ability to link activity in the cyber realm
to a real-world person or group--remains challenging, whether
attempting to identify a criminal or a foreign government.
The challenges we face in the current threat landscape are many,
but they are not insurmountable. Complex problems require multi-faceted
solutions. I offer the following suggestions to facilitate these
efforts:
Continue to facilitate safe, trusted, and automated means
for the public and private sector to share information about
current and emerging threats. This sharing should encompass not
merely indicators, but also contextual data about the nature,
scope, and risk associated with those indicators. Context
enables prioritization and decision making, allowing defenders
to respond faster and more effectively.
Recognize that the ``fortress'' approach of attempting to
fully secure our networks and assets to prevent all possible
attacks is infeasible. Organizations must secure their
environments to the best of their ability, but understand that
breaches can and will occur, and that they must have tools and
resources in place to detect, respond to, and contain malicious
activity across the entire attack life cycle.
Identify ways that organizations can ``raise the bar''
attackers must overcome to achieve their objectives. While the
complexities of investigation and attribution may make it
difficult to impact threat actors in the wake of an attack, we
can work together to make attacks more difficult and costly to
carry out. This process may deter opportunistic attackers and
slow down determined threats, giving defenders more time to
detect and respond to attacks.
Mr. Chairman, Ranking Member Richmond, and Members of the
subcommittee, I thank you for your attention and time today. I look
forward to answering your questions.
Mr. Ratcliffe. Thank you. The Chair now recognizes Mr.
Bromwich for 5 minutes.
STATEMENT OF ADAM BROMWICH, VICE PRESIDENT, SECURITY TECHNOLOGY
AND RESPONSE, SYMANTEC, TESTIFYING ON BEHALF OF THE CYBER
THREAT ALLIANCE
Mr. Bromwich. Chairman Ratcliffe, Ranking Member Richmond,
and Members of the committee, thank you for the opportunity to
testimony today. Your focus on emerging threats is right on
point, because more than perhaps any other security discipline,
cybersecurity is constantly evolving.
Many of the recent headlines about cyber attacks have
highlighted data breaches in Government and across the spectrum
of industries, but cyber attacks encompass more than just
breaches. The incidents we see today raise from basic
confidence schemes to sophisticated and potentially destructive
intrusions into critical infrastructure systems.
The attackers run the gamut and include highly-organized
criminal enterprises, disgruntled employees, individual cyber
criminals, so-called hacktivists, and state-sponsored groups.
Common attack types range from distributed denial-of-service,
or DDOS, to highly-targeted attacks, to widely-distributed
financial fraud scams.
A DDOS attack is an attempt to overwhelm a system with
data, while targeted attacks typically try to trick someone
into opening an infected file or clicking on a bad link. Of
course, scams and blackmail schemes for profit continue.
One of the most common is ransomware, which locks the
victim's computer and displays a screen that purports to be
from law enforcement. The attackers demand payment of a fine
for having illegal content on the computer. But criminals are
always looking for new ways to make money. They have moved
beyond ransomware and are now frequently using a more insidious
and harmful form of malware known as crypto lockers. While most
scams are classic confidence schemes, ransom script is
straight-up blackmail. Pay a ransom or your computer files will
be lost.
The criminals use high-grade encryption technology to
scramble the victim's computer, and only the attacker has the
key to unlock it. In the past month, Hollywood Presbyterian
Hospital in California fell victim to just this kind of attack.
Over a 10-day period, staff was forced to use pen and paper
until the hospital paid the criminals a $17,000 ransom for the
decryption key needed to unlock their computers. Some medical
devices were reportedly off-line. Wait times increased at the
emergency room. Some patients were directed to other hospitals.
The attacker surface is always shifting, and the enormous
growth of connected devices, commonly referred to as the
Internet of Things, or IOT, will bring with it a new generation
of attacks. Last summer, the remote compromise of a Jeep
automobile by a pair of security researchers received a great
deal of attention. Receiving less attention, but equally
concerning are several alerts about vulnerabilities in drug and
fusion pumps that the Department of Homeland Security issued
over the past year. If a device is running software and it is
connected to the internet, vulnerabilities can enable attackers
to take control.
Attack methods are always evolving and improving. The most
common attack method, spearfishing, uses customized, targeted
e-mails containing malware or malicious links. Social media is
an increasingly valuable tool for attackers, as people tend to
trust links in postings that appear to come from a friend's
social media feed. We have also seen the rapid growth of
targeted, web-based attacks known as watering hole attacks.
These techniques, while originally used only by
sophisticated and well-resourced attackers, are now available
as tool kits that can any criminal can purchase and use.
Attacks are getting more sophisticated, but so, too, are
security tools. Most attacks, including recent high-profile
breaches, could have been prevented if organizations
implemented the latest cybersecurity technology and best
practices.
To block advanced threats and zero-day attacks,
intelligence machine learning and advanced exploit prevention
technologies are necessary. These tools use automation to train
a system to identify an attack, even one that has never been
seen before. It is also increasingly critical to use big data
analytics to evaluate global software patterns. At Symantec,
these analytics are able to identify and block entirely new
attacks purely by evaluating relationships with other devices
and other files across a global network of hundreds of millions
of computers.
Cooperation is also key to improving cybersecurity, and we
participate in numerous industry consortia and public-private
partnerships to combat cyber crime. These include the National
Cyber Forensics and Training Alliance, or NCFTA, the FBI,
Europol, Interpol, the North Atlantic Treaty Organization, and
Ameripol. We have also been involved in numerous operations to
take down criminal networks, including the operations that took
down the ransomware network CryptoLocker, the Dridex financial
fraud botnet, and the Ramnit botnet.
Just yesterday, Symantec participated in a collaborative
cross-industry operation that targeted an aggressive threat
group known as Lazarus. This is the same group thought to be
behind the Sony attack. The initiative called Operation
Blockbuster significantly bolstered defenses against the cyber
espionage group and it is disruptive campaigns.
Cooperation within the security industry is important, and
in 2014, Symantec, Palo Alto Networks, Fortinet and Intel
Security formed the Cyber Threat Alliance to better distribute
detailed information about advanced attacks. CTA shares high-
value, actionable threat intelligence while still maintaining
the privacy and confidentiality of all customer data.
The partnership works because it is not about one vendor
trying to gain advantage. We are all contributing and sharing
with the community to better uncover, understand, and protect
against advanced attacks. The cyber threat landscape is always
evolving, but so, too, are new security technologies.
Preventing cyber crime is a shared effort, and your work to
inform the public is an important part of that.
We appreciate the opportunity to testify today, and I am
happy to take any questions you have.
[The prepared statement of Mr. Bromwich follows:]
Prepared Statement of Adam Bromwich
February 25, 2016
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, my name is Adam Bromwich and I am the vice president of
Symantec's Security Technology and Response (STAR) team. I lead a
global team of engineers, researchers, and analysts who develop our
security technologies, attack intelligence, and security content. My
team is on the front lines of cybersecurity, identifying the latest
attack patterns and campaigns, deploying protection to our customers
around the clock from research centers across the globe, and working
closely with law enforcement agencies to track cyber criminal groups.
Prior to this role, I led the development and launch of our Insight
reputation technology, a fundamentally new protection approach that
leverages big data analytics and anonymous software adoption patterns
from over 50 million endpoints to automatically compute safety ratings
for virtually every software file and web site on the internet. I also
served as director of advanced concepts, an incubator group within
Symantec Research Labs, where I developed new products including the
Norton Online Family child safety software. I received my Bachelor of
Arts degree from Princeton University and an MBA from Yale University.
Symantec protects much of the world's information, and is the
largest security software company in the world with 33 years of
experience developing cybersecurity technology and helping consumers,
businesses, and governments secure and manage their information and
identities. Our products and services protect people's information and
their privacy across platforms--from the smallest mobile device, to the
enterprise data center, to cloud-based systems. We have established
some of the most comprehensive sources of cyber threat data in the
world through our Global Intelligence Network, which is comprised of
hundreds of millions of attack sensors recording hundreds of thousands
of events per second, and more than 1,000 dedicated security engineers
and analysts. We maintain 9 Security Response Centers and 6 Security
Operations Centers around the globe. Every day we scan 30 percent of
the world's enterprise email traffic, and process more than 1.8 billion
web requests. All of these resources combined allow us to capture
world-wide security data that give our analysts a unique view of the
entire cyber threat landscape.
The title of today's hearing is instructive, and I am glad to see a
focus on ``emerging'' threats. More than perhaps any other security
discipline, cybersecurity is not static. Attackers are always
innovating and threats evolve quickly. Just the same, defenses cannot
be static. In my testimony today, I will discuss:
The current and emerging threat environment;
Cutting-edge technologies to counter the latest threats;
How we work with the Government to improve cybersecurity and
stop criminals; and
How we partner with our industry colleagues to counter cyber
attacks.
i. the current cyber threat landscape
Many of the recent headlines about cyber attacks have focused on
data breaches in Government and across the spectrum of industries.
Indeed, the volume of recent thefts of personally identifiable
information (PII) is unprecedented--over just the past 3 years alone,
the number of identities exposed through breaches surpassed 1 billion.
Yet while the focus on data breaches and the identities put at risk is
certainly warranted, we also must not lose sight of the other types of
cyber attacks that are equally concerning and can have damaging
consequences. There are a wide set of tools available to the cyber
attacker, and the incidents we see today range from basic confidence
schemes to massive denial-of-service attacks to sophisticated (and
potentially destructive) intrusions into critical infrastructure
systems. The economic impact can be immediate with the theft of money,
or more long-term and structural, such as through the theft of
intellectual property. It can ruin a company or individual's reputation
or finances, and it can impact citizens' trust in the internet and
their Government.
While many assume that breaches are the result of sophisticated
malware or a well-resourced state actor, the reality is much more
troubling. According to a 2015 report from the Online Trust Alliance,
90 percent of recent breaches could have been prevented if
organizations implemented basic cybersecurity best practices.\1\
Moreover, some breaches are actually second-generation activity--
criminals leverage previously stolen personal information to compromise
an individual's account.
---------------------------------------------------------------------------
\1\ https://www.otalliance.org/news-events/press-releases/ota-
determines-over-90-data-breaches-2014-could-have-been-prevented.
---------------------------------------------------------------------------
The attackers run the gamut and include highly-organized criminal
enterprises, disgruntled employees, individual cybercriminals, so-
called ``hacktivists,'' and state-sponsored groups. The motivations
vary--the criminals generally are looking for some type of financial
gain, the hacktivists are seeking to promote or advance some cause, and
the state actors can be engaged in espionage (traditional spycraft or
economic) or infiltrating critical infrastructure systems. These lines,
however, are not set in stone, as criminals and even state actors might
pose as hacktivists, and criminals often offer their skills to the
highest bidder. Attribution has always been difficult in cyber space,
and is further complicated by the ability of cyber actors to mask their
motives and objectives through misdirection and obfuscation.
Common Types of Attacks
Distributed Denial-of-Service (``DDoS'')
Distributed denial-of-service (DDoS) attacks attempt to deny
service to legitimate users by overwhelming the target with activity.
The most common method is to flood a server with network traffic from
multiple sources (hence ``distributed''). These attacks are often
conducted through ``botnets''--armies of compromised computers that are
made up of victim machines that stretch across the globe and are
controlled by ``bot herders'' or ``bot masters.''\2\
---------------------------------------------------------------------------
\2\ ``Bots and Botnets--A Growing Threat,'' Symantec, http://
us.norton.com/botnet/.
---------------------------------------------------------------------------
DDoS attacks have grown larger year over year, from the equivalent
of a garden hose to a fire hose to the outflow pipes of the Hoover dam.
Even the most prepared networks can buckle under that volume of data
the first time it is directed at them, which is why a few years ago
even some of the Nation's biggest financial institutions initially
suffered outages when they were victims of a DDoS campaign. In addition
to increasing in volume, the attacks are getting more sophisticated and
vary the methods used, which makes them harder to mitigate.
The purpose of most attacks is to disrupt, not to destroy. However,
some sophisticated attackers will use a DDoS attack to distract an
organization's security team while the criminals unleash a more
sophisticated attack. For instance, organized crime groups have been
known to initiate DDoS attacks against banks to divert the attention
and resources of the bank's security team while the main attack is
launched, which can include draining customer accounts or stealing
credit card information.
Targeted Attacks
Targeted attacks are increasingly common. Some are directed at a
company's servers and systems, where attackers search for unpatched
vulnerabilities on websites or undefended connections to the internet.
But many rely on social engineering, conning people into clicking on a
link, opening a file, or taking some other action that will allow an
attacker to compromise their device. The attack can be targeted at
almost any level, even at an entire sector of the economy or a group of
similar organizations or companies. Attacks also can target a
particular company or a unit within a company (e.g., research and
development or finance) or even a specific person.
Most of the data breaches and other attacks that have been in the
news were the result of a targeted attack, but the goal of the attacker
can vary greatly. One constant is that after attackers select a target
they will set out to gain access to the systems they want to compromise
and once inside there are few limits on what they can do if the target
is not well-protected. The malware used today is largely commoditized,
and while we still see some that is custom-crafted, most of the attacks
rely on attack kits that are sold on the cyber black market. But even
these commodity attack kits are highly sophisticated and are designed
to avoid detection--some even come with guarantees from the criminal
seller that they will not be stopped by common security measures. This
makes it all the more important--but also more challenging--to stay
ahead of the attackers.
Scams, Blackmail, and Other Cyber Theft
Like most crime, cyber attacks are often financially motivated, and
some of the most common (and most successful) involve getting victims
to pay out money, whether through trickery or direct threats. One early
and widely successful attack of this type was known as ``scareware.''
Scareware is a form of malware that will open a window on your device
that claims your system is infected, and offer to ``clean'' it for a
fee. Some forms of scareware open pop-ups falsely claiming to be from
major security companies (including Symantec), and if a user clicks on
the window they are taken to a fake website that can look very much
like that of the real company. Of course, in most cases the only
infection on your computer is the scareware itself. Victims who fall
for the scam are lucky if they only lose the $20 or $30 ``cost'' for
the fake software, but most are out much more as they typically provide
credit card information to pay the scammer in the mistaken belief they
are purchasing legitimate security software. Not only did they
authorize a payment to the scammer, but they also provided financial
information that could then be sold on the criminal underground. And by
allowing the scammer to install the supposed cleaning software on their
device, they give the criminal the ability to install additional
malware and potentially steal more financial information or turn their
system into a zombie soldier in a botnet.
First widely seen in 2007, scareware began to diminish in 2011
after users became alerted to the scams and they became much less
effective. Criminals next turned to ``ransomware,'' which has grown
significantly since 2012. Ransomware is another type of deception where
the malware locks the victim's device and displays a screen that
purports to be from a law enforcement entity local to the user. The
lock screen states that there is illegal content on the computer--
everything from pirated movies to child pornography--and instructs the
victim to pay a ``fine'' for their ``crime.'' The criminals claim that
the victim's device will be unlocked once the ``fine'' is paid, but in
reality the device frequently remains locked. Both of these types of
attacks can be removed from your computer and we offer instructions and
free tools on our Norton.com website to assist victims in doing so.
Criminals have now moved beyond even ransomware and are using a
more insidious and harmful form of malware known as ``ransomcrypt.''
While scareware and ransomware are more classic confidence schemes,
ransomcrypt is straight-up blackmail: Pay a ransom or your computer
files will be erased. And unlike scareware and ransomware, there is
often no way to get rid of it--the criminals use high-grade encryption
technology to scramble the victim's computer, and only they have the
key to unlock it. Unless the system is backed up, the victim faces the
difficult choice of paying the criminals or losing all the data. Last
year one police department in Maine paid a ransom in order to regain
control of its data.\3\ The police chief said ``[w]e needed our
programs to get back on-line.''\4\ A more recent example is the
compromise of the systems at Hollywood Presbyterian Hospital. Over a
10-day period, staff was forced to use pen and paper until the hospital
paid the criminals a $17,000 ransom for the decryption key needed to
unlock their computers. Some medical devices were reportedly off-line,
wait times increased at the emergency room, and some patients were
directed to other hospitals.
---------------------------------------------------------------------------
\3\ Stephanie Mlot, ``Maine Police Pay Ransomware Demand in
Bitcoin,'' PCmag, April 14, 2015, http://www.pcmag.com/article2/
0,2817,2481356,00.asp.
\4\ Id.
---------------------------------------------------------------------------
Emerging Threats
Attackers are constantly looking for new devices to compromise and
new vectors to use to attack them, and the enormous growth of connected
devices, commonly referred to as the Internet of Things or IoT, is
significantly expanding the available attack surface. Last summer the
remote compromise of a Jeep by a pair of security researchers received
a great deal of attention, and with good reason.\5\ The video of the
reporter driving on the highway while unable to control the car as
traffic rushed past was frightening and powerful. Receiving less
attention, but equally concerning, are several alerts about
vulnerabilities in drug infusion pumps that the Department of Homeland
Security's Industrial Control System Computer Emergency Response Team
issued over the past year.\6\
---------------------------------------------------------------------------
\5\ Andy Greenberg, ``Hackers Remotely Kill a Jeep on the Highway--
With Me in It,'' Wired, July 21, 2015, http://www.wired.com/2015/07/
hackers-remotely-kill-jeep-highway/.
\6\ See, e.g., https://ics-cert.us-cert.gov/advisories/ICSA-15-337-
02 (January 21, 2016); https://ics-cert.us-cert.gov/advisories/ICSA-15-
125-01B (June 10, 2015).
---------------------------------------------------------------------------
These are just 2 examples of vulnerabilities in connected devices,
and how the explosive growth of such connections can lead to physical
harm. The potential for scams and other financial fraud is just as
great. We need to be prepared for ransomware targeted at a smartwatch--
or a connected thermostat, refrigerator, or automobile. Criminals know
that most consumers would pay a few hundred dollars in blackmail to
regain control of a $50,000 vehicle that was rendered unusable by a
piece of targeted malware.
Yet while the devices that could be compromised are new, many of
the underlying reasons they are susceptible to attack are not. In fact,
many of the new connected devices are not being built with security as
a core design principle, and too many of the deployed devices are not
protected or updated. Last year we released a report titled
``Insecurity in the Internet of Things''\7\ that analyzed 50 ``smart
home'' devices. The findings were shocking: Among other security
issues, none of the devices enforced strong passwords, followed
appropriate authentication protocols, or protected accounts against
brute-force attacks. Almost 20 percent of the mobile apps used to
control the tested IoT devices did not encrypt communications to the
cloud--which means they were transmitting data in clear text across the
internet.
---------------------------------------------------------------------------
\7\ https://www.symantec.com/content/dam/symantec/docs/white-
papers/insecurity-in-the-internet-of-things.pdf.
---------------------------------------------------------------------------
All of these potential weaknesses are already well-known to the
security industry, yet known mitigation techniques are often neglected
on these devices. These findings were consistent with those of a
previous report we issued in 2014, which examined security in health
and fitness tracking devices, many of which transmitted data (including
passwords) in clear text and failed to conduct proper authentication
before connecting with outside devices or systems.\8\ These devices can
be protected, and they can be built with that in mind, but that needs
to start at the design stage to lay the groundwork for strong security
over the life of the device.
---------------------------------------------------------------------------
\8\ https://www.symantec.com/content/dam/symantec/docs/white-
papers/how-safe-is-your-quantified-self.pdf.
---------------------------------------------------------------------------
Another worrisome trend is the increase in destructive malware such
as the one used against Sony in 2014. In the past attackers were
focused on stealing data, holding it ransom, or conducting espionage.
But the Sony malware did much more--it completely erased hard drives
and rendered computers unusable.\9\ While still the minority of
attacks, we expect to see more of them in the future. This only further
highlights the need for organizations to be proactive about security
and to utilize modern tools to protect their systems and contain any
intrusion.
---------------------------------------------------------------------------
\9\ Sean Gallagher, ``Inside the `wiper' malware that brought Sony
Pictures to its knees,'' Ars Technica, December 3, 2014, http://
arstechnica.com/security/2014/12/inside-the-wiper-malware-that-brought-
sony-pictures-to-its-knees/.
---------------------------------------------------------------------------
Methods Attackers Use to Compromise Systems
All of the attacks outlined above started with a common factor--a
compromised device. From this one device, attackers often are able to
move within a system until they achieve their ultimate goal. But the
threshold question is how do they get that foothold--how do they make
that initial compromise that allows them to infiltrate a system?
We frequently hear about the sophistication of various attackers
and about ``Advance Persistent Threats'' or ``APTs,'' but the
discussion of cyber attacks--and of cyber defense--often ignores the
psychology leading up to the exploit. Most attacks rely on social
engineering--in the simplest of terms, trying to trick people into
doing something that they would never do if fully cognizant of their
actions. For this reason, we often say that the most successful attacks
are as much psychology as they are technology.
Spear phishing, or customized, targeted emails containing malware,
is the most common form of attack. Attackers harvest publicly-available
information and use it to craft an email designed to dupe a specific
victim or group of victims. The goal is to get victims to open a
document or click on a link to a website that will then try to infect
their computers. While good security will stop most of these attacks--
which often seek to exploit older, known vulnerabilities--many
organizations and individuals do not have up-to-date security or
properly patched operating systems or software. And many of these
attacks are extremely well-crafted; in the case of one major attack,
the spear phishing email was so convincing that even though the
victim's system automatically routed it to junk mail, he retrieved it
and opened it--and exposed his company to a major breach.
Social media is an increasingly valuable tool for cyber criminals
in two different ways. First, it is particularly effective in direct
attacks, as people tend to trust links and postings that come from a
friend's social media feed (or appear to) and rarely stop to question
if that feed may have been compromised or spoofed. Thus, attackers
target social media accounts and then use them to ``like'' or otherwise
promote a posting that contains a malicious link. Social media is also
widely used to conduct reconnaissance for spear phishing or other
highly-targeted attacks as it often provides just the kind of personal
details that a skilled attacker can use to get a victim to let his or
her guard down.
Beginning in 2012, we saw the rapid growth of a new type of
targeted web-based attack, known as a ``watering hole'' attack. Like
the lion in the wild who stalks a watering hole for unsuspecting prey,
cyber criminals have become adept at lying in wait on legitimate
websites and using them to try to infect visitors' computers. They do
so by compromising legitimate websites that their victims are likely to
visit and modifying them so that they will surreptitiously try to
infect visitors or redirect them to a malicious site. For example, one
attacker targeted mobile application developers by compromising a site
that was popular with them. In another case, we saw employees from 500
different companies in the same industry visit one compromised site in
just 24 hours, each running the risk of infection.\10\ Cyber criminals
gained control of these websites through many of the same tactics
described above--spear phishing and other social engineering attacks on
the site managers, developers, or owners. Many of these websites were
compromised through known attack vectors, meaning that good security
practices could have prevented them from being compromised.
---------------------------------------------------------------------------
\10\ Symantec, ``Internet Security Threat Report, Volume XVIII,''
April 16, 2013, Pg. 21.
---------------------------------------------------------------------------
ii. modern security tools
Attacks are getting more sophisticated, but so too are security
tools. Security still starts with basic measures such as strong
passwords or multi-factor authentication and up-to-date patch
management. But while these steps may stop many older, simpler attacks,
they will be little more than a speed bump for even a moderately
sophisticated attacker.
Real protection requires a modern security suite that is being
fully utilized. To block advanced threats and zero-day attacks,
sophisticated machine learning and advanced exploit prevention
technologies are necessary. These approaches are able to use automation
to train a system to identify an attack, even one that has never been
seen before. It is also increasingly critical to use big data analytics
to evaluate global software patterns to create real-time intelligence.
Today these analytics are able to identify and block entirely new
attacks by evaluating how they are distributed and their relationships
with other devices and other files.
Data protection is equally important, and a comprehensive security
program includes data loss prevention (DLP) tools that index, track,
and control the access to and movement of huge volumes of data across
an organization. Perhaps most importantly, DLP tools will prevent that
data from moving outside an organization. Organizations should also use
encryption technology on particularly sensitive data, which renders it
unreadable to anyone who does not have the specific cryptologic key.
Device-specific protections are also important. For example, in the
retail world, there are tools that can be applied to point-of-sale
systems that will virtually lock down the system and only allow it to
perform those limited functions that are absolutely necessary for
completing a sales transaction. In the IoT world, there are
authentication, encryption, and end-point protection tools that are
designed to run on small and low-power devices. These tools can protect
everything from a connected vehicle to the small sensors built into a
bridge or that monitor critical machinery.
In short, good security does not happen by accident--it requires
planning and continued attention. But criminals will always be
evolving, and security must as well.
iii. public-private partnerships to enhance cybersecurity
Every day we hear about the impact of cyber crime, but we do not
often hear about the many successes that law enforcement and the
private sector have had in stopping these crimes and bringing these
criminals to justice. Recently, we have seen a string of successful
arrests and prosecutions of some of the most notorious cyber criminals
in the world. In July 2015, a New York judge sentenced Alexander Yucel,
the creator of the ``Black Shades'' Trojan to 5 years in prison and the
forfeiture of $200,000. Yucel was swept up by the Federal Bureau of
Investigation (FBI) and Europol last year along with dozens of other
individuals in the United States and abroad. Symantec worked closely
with the FBI in this coordinated takedown effort, sharing information
that allowed the agency to track down those suspected of involvement.
And in June 2015, Ercan ``Segate'' Findikoglu, the man who prosecutors
say orchestrated one of the biggest cyber bank heists in American
history was extradited to the United States to stand trial for stealing
more than $55 million by hacking bank computers and withdrawing
millions in cash from ATMs.
In fact, over the last few years we have had a number of successful
takedown operations against prominent financial fraud botnets. In June
of 2014, the FBI, the United Kingdom (UK) National Crime Agency, and a
number of international law enforcement agencies mounted a major
operation against the financial fraud botnet Gameover Zeus and the
ransomware network Cryptolocker. Gameover Zeus was the largest
financial fraud botnet in operation in 2014 and is often described as
one of the most technically sophisticated variants of the ubiquitous
Zeus malware. Symantec provided technical insights into the operation
and impact of both Gameover Zeus and Cryptolocker, and worked with a
broad industry coalition and the FBI during this case. As a result,
authorities were able to seize a large portion of the infrastructure
used by the cyber criminals behind both threats.
And in February of 2015, a Europol-led operation struck against the
Ramnit botnet and seized its servers and infrastructure. Ramnit
facilitated a vast cyber crime operation, harvesting banking
credentials and other personal credentials from its victims. The group
was in operation for at least 5 years and in that time evolved into a
major criminal operation, infecting more than 3.2 million computers.
These law enforcement operations and others have knocked out or
severely curtailed the operations of some of the most prominent
financial fraud groups in the world. In fact, the number of bots
declined by 18 percent in 2014 compared to the previous year. In large
measure, this decline is because the FBI, the Europol European
Cybercrime Centre (EC3), and other international law enforcement
agencies, working with Symantec and other technology companies,
disrupted and shut them down.
Because cyber space is a domain without borders, where crimes are
often committed at a great distance, every device in the United States
is a potential border entry point, making investigation and prosecution
of cyber crimes a difficult task. This reality makes international
engagement on cybersecurity essential. For example, Symantec partnered
with AMERIPOL and the Organization of American States to publish a
report that provides the most comprehensive snapshot to date of
cybersecurity threats in the Latin America and Caribbean region. The
goal was to raise awareness of cyber crime issues and promote the
importance of cybersecurity throughout the region as a National and
economic security imperative.
Similarly, Symantec is partnering with the African Union to develop
a report looking at the cybersecurity threats and trends in Africa.
That report will be published later this year.
Symantec also maintains relationships in the United States and
around the world with international cyber response organizations and
law enforcement entities including INTERPOL, EUROPOL, and dozens of
National Computer Emergency Response Teams (CERTs) and police forces,
by sharing the latest technological trends, the evolution of the threat
landscape, and the techniques that cyber criminals use to launch
attacks. Our latest partnership, signed in December 2015, is with the
North Atlantic Treaty Organization (NATO), and is focused on boosting
2-way threat information sharing.
iv. private-sector partnerships to enhance cybersecurity--the cyber
threat alliance
In 2014, Symantec, Fortinet, Intel Security, and Palo Alto Networks
formed the Cyber Threat Alliance (CTA) to work together to share threat
information. The goal was to better distribute detailed information
about advanced attacks and thereby raise the situational awareness of
CTA members and improve overall protection for our customers. Since the
founding of the CTA, several contributing members have joined,
including Barracuda Networks, Reversing Labs, Zscaler, and ElevenPaths
(part of Telefonica). Prior industry sharing efforts were often limited
to the exchange of malware samples, and the CTA sought to change that.
Over the past 2 years the CTA has consistently shared more actionable
threat intelligence such as information on zero-day vulnerabilities,
command-and-control server information, mobile threats, and indicators
of compromise related to advanced threats. By raising the industry's
collective intelligence through these new data exchanges, CTA members
have delivered greater security for individual customers and
organizations. In short, the CTA is not about one vendor trying to gain
advantage--we are all contributing and sharing with the community.
It is important to note that we have done this while maintaining
the privacy of all our customer data and in full compliance with our
companies' respective privacy policies. At Symantec, we take very
seriously our obligation to protect our customers' privacy and maintain
the confidentiality of the data they choose to share with us, and our
analysts are rigorous in ensuring that all shared data is anonymized.
In the digital world, security and privacy are intertwined, and the CTA
is operational proof that the two can complement each other.
The CTA has worked because there are minimum contribution
requirements for all members. Each must share at least 1,000 samples of
new Portable Executable (PE) malware per day that were not otherwise
seen over the preceding 48 hours. Further, they must provide one or
more additional sets of data relating either to mobile malware samples,
command-and-control servers, or vulnerabilities. Member company
analysts meet every month to exchange information and plan joint
reports, and the company CEOs meet quarterly. When the group decides to
work on a research paper, company analysts work together more
frequently--often several times a week just before publication.
The CTA's recent research paper on the Cryptowall ransomware trojan
is a good example of what high-impact information sharing can bring.
Each member shared their Indicators of Compromise (IOCs) around a
particular threat, filling in intelligence gaps and allowing an
expanded understanding of the criminal networks and their methods of
operation. In addition to the research paper, the effort led to more
comprehensive protection for all of our customers.
Efforts like the Cryptowall paper, of course, require significant
resources from the member companies. And while members work together on
research, they also compete in the marketplace. But the CTA has shown
that with the proper planning and due care for company-specific
considerations, even competitors can come together and raise the
security level for all internet users.
conclusion
The cyber threat landscape is always evolving--but so too are new
security technologies. Cyber criminals will always seek new ways to
compromise computers, but that does not mean they are always winning.
In fact, we see attackers trying new techniques such as zero-day
exploits because protection has become difficult to evade. These
criminals did not invest the time and resources to develop new attack
methods because they wanted too, they did it because they had too--
because consumers were spotting their scams and security tools were
blocking them. With cybersecurity, the old adage is true--there is no
destination, just a journey. By driving up the cost of doing business
for criminals we can make their journey all the more difficult and less
lucrative. Symantec appreciates the committee's on-going interest in
cybersecurity, and we look forward to continuing to work with you in
the future.
Mr. Ratcliffe. Thank you, Mr. Bromwich. The Chair now
recognizes Dr. Porche for his opening statement.
STATEMENT OF ISAAC R. PORCHE, III, ASSOCIATE DIRECTOR, FORCES
AND LOGISTICS PROGRAM, THE RAND ARMY RESEARCH DIVISION, THE
RAND COMPANY
Mr. Porche. Thank you. Chairman Ratcliffe, Ranking Member
Richmond, distinguished Members of the subcommittee, thank you
for inviting me to this important discussion on cyber space and
cybersecurity.
Let me start--since the creation of the internet's
predecessor, the ARPANET, kaleidoscopic change has been the
single constant in the information environment. What started
out as a relatively wonky communications tool for a small group
of scientists and engineers is now a global information
infrastructure.
Information and communications technology changes rapidly,
and it is difficult for even nimble corporations to keep up
with modifications to stop the next threat or to close the next
discovered vulnerability.
The challenge for the U.S. Government in cyber space is
even greater. First, I discuss two trends that are driving this
challenge. The first trend is that cyber space, which is
expanding every day as more and more devices are brought on-
line, is becoming increasingly vulnerable as cybersecurity
resources are stretched thin. We are straining to keep pace
with the increasing complexity as new devices come to the
market and become interconnected. Meanwhile, cyber space is
hosting increasingly vast amounts of data.
A metaphoric term, cyber space is like a balloon. It is
constantly being filled with air, and constantly trying to
prick the balloon are considerable numbers of people and
organizations, terrorists, nation-states. This is the second
trend. To continue with the metaphor, pins are like a dime a
dozen. To deal with this, we need cybersecurity professionals
working on building a tougher skin for the balloon, taking pins
off the market, tracking down and stopping would-be pin-
prickers.
But aside from hiring more professionals, what are the
options for improving cybersecurity? In earlier RAND work that
I published, we identify two needs. The first, enable
substantially better information sharing and collaboration
among key departments and agencies in the private sector. The
Cybersecurity Information-Sharing Act of 2015 was needed, but
small and careful step towards this goal. So why is sharing
discovered vulnerabilities, defensive measures and best
practices so important? Because bad actors benefit from slow
identification and slow mitigation of the threat.
Given the time taken to identify a malicious intrusion and
determine its extent, which is usually measured in months, the
bad actors are long gone, along with your data. If Government
entities and the private sector are sharing information quickly
and often, they have a better chance of being able to
anticipate and prepare for the eventual attack.
Also we have to go beyond just identifying and responding
to attacks more quickly. Threats have to be anticipated. The
behavior of threat actors has to be identified. Intelligence on
threat actors and their intentions is a necessary ingredient to
significantly improve the chances of predicting and identifying
the next attack.
A challenge for achieving this kind of information sharing
is cooperation, and much of the public is simply not
comfortable with the idea of mass Government surveillance.
Specific attitudes towards this issue are nuanced and complex,
but the Pew Research Center reported 65 percent of U.S. adults
believe that there are not adequate limits on the internet data
that the Government collects. Frankly, even the most well-
meaning proposals to increase information sharing between the
Government and the private sector come across to some as
something out of Orwell's ``1984.''
Public debate and discussion of how to balance the needs of
security and privacy is a critical step. Information sharing is
one perpetual need. A second is to achieve unity of effort
across the U.S. Government, where different agencies and
different organizations have different cyber responsibilities.
Cyber defense requires a coherent response and the bureaucratic
swim lines don't always contribute to synergy for that goal.
Ultimately, perhaps ideally what is needed is the ability
to track cyber intruders, criminals, and other hostile actors
with the same freedom of maneuver and speed these adversaries
enjoy in cyber space today. Achieving this goal will required
sustained, long-term efforts to develop policy and technology.
At present, many ideas for using technology to improve
cybersecurity, such as pooling and mining vast stores of data,
alarm all of us who believe in a right to privacy from
Government intrusion, and perhaps new authorities will be
required to make this happen. There also needs to be
appreciation that everyone has a role to play in improving
cybersecurity--the U.S. Government, developers and purveyors of
internet-connected software and hardware, and individual
consumers.
In conclusion, there is no simple solution to the threat
posed by adversaries in cyber space, but one critical challenge
that must be overcome is to determine how to protect the
cybersecurity of a democratic society that demands both freedom
and privacy in its use of computer systems and networks from
the threats posed by enemies who respect no boundaries, who can
act largely with impunity, and despite National and
international norms and legal frameworks.
The ideas for commissions to discuss security and privacy
are forward-thinking proposals, being put forth both by
Congress and by the President, and I look forward to learning
more about the details of these efforts.
Regarding current events, it is fair to say that today's
debate about whether device-makers should be required to build
backdoors into operating systems so law enforcement can collect
data has jump-started this much-needed discussion. This kind of
public debate is a good thing.
Thank you for your time, and I am happy to answer
questions.
[The prepared statement of Dr. Porche follows:]
Prepared Statement of Isaac R. Porche, III\1\ \2\
---------------------------------------------------------------------------
\1\ The opinions and conclusions expressed in this testimony are
the author's alone and should not be interpreted as representing those
of RAND or any of the sponsors of its research. This product is part of
the RAND Corporation testimony series. RAND testimonies record
testimony presented by RAND associates to Federal, State, or local
legislative committees; Government-appointed commissions and panels;
and private review and oversight bodies. The RAND Corporation is a
nonprofit research organization providing objective analysis and
effective solutions that address the challenges facing the public and
private sectors around the world. RAND's publications do not
necessarily reflect the opinions of its research clients and sponsors.
\2\ This testimony is available for free download at http://
www.rand.org/pubs/testimonies/CT453.html.
---------------------------------------------------------------------------
February 25, 2016
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee, thank you for inviting me to address important emerging
concerns related to cyber space and cybersecurity. Specifically, I will
discuss how cyber space continues to change, expand, and remain
inherently vulnerable. I will discuss both the kind of information
sharing that is needed to help defend cyber space proactively and how
the public's privacy concerns affect that very information sharing.
Finally, I will mention the needed next steps, including more
discussion of the need to balance security and privacy, potential
technological approaches, and the potential need for future
legislation.
introduction
Since the creation of the ARPANet--the internet's predecessor--
kaleidoscopic change has been the single constant of the information
environment. What started out as a relatively wonky communications tool
for a smallish group of engineers, scientists, and computer experts is
now a global information infrastructure: ``a world-wide broadcasting
capability, a mechanism for information dissemination, and a medium for
collaboration and interaction between individuals and their computers
without regard for geographic location.''\3\
---------------------------------------------------------------------------
\3\ Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E.
Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts,
and Stephen Wolff, ``Brief History of the Internet,''
InternetSociety.org, undated.
---------------------------------------------------------------------------
Today, it is useful to think of the information environment as two
partially intersecting areas: Social networks and cyber space (Figure
1). Social networks are the webs of interactions and relationships
among individuals. They are continuing to grow in size, relevance, and
influence, affecting not only how we communicate with one another but
if and how we find employment, housing, and romantic relationships; but
social networks are also influencing the evolution of modern conflict.
The so-called Islamic State, for example, has successfully used the
social-networking platform Twitter to persuade distant potential
recruits to literally--physically--mobilize.
``Cyber space is the technical foundation on which the world relies to
interact, exchange information, conduct business, and so on. It is,
according to the Joint Chiefs of Staff, a global domain within the
information environment consisting of the interdependent networks of
information technology infrastructures and resident data, including the
internet, telecommunications networks, computer systems, and embedded
processors and controllers.''\4\
---------------------------------------------------------------------------
\4\ Joint Chiefs of Staff, Cyberspace Operations, Joint Publication
3-12R, February 5, 2013.
Cyber space is both a global domain and a global commons whose
reach is being constantly expanded not only by wired and wireless
connections, but by sneaker-netted connectors that close all air
gaps.\5\ Everything from home thermostats to the critical
infrastructure that is vital to daily life--water, power,
manufacturing, etc.--is within its reach. It is ``shared by all'' and
currently dominated by none. Eventually, controlling cyber space (and
the intersecting electromagnetic spectrum) could be tantamount to
controlling the information environment.
---------------------------------------------------------------------------
\5\ Sneakernet is an informal term that describes using physical
media (e.g., thumb drives, CDs) rather than a computer network to move
electronic information from one computer to another.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The rapid pace of change makes it difficult for even nimble
corporations to keep up with emerging threats and to close newly-
discovered vulnerabilities, and the challenge for the U.S. Government
is even greater. Governmental controls and processes make rapidly
acquiring materiel difficult, and it is also difficult to make rapid
changes in personnel structure. Thus, keeping up with major changes,
such as the merging of the wired and wireless worlds, poses formidable
challenges to all.\6\
---------------------------------------------------------------------------
\6\ Most of the language and analysis in this section is drawn from
Porche et al., 2013.
---------------------------------------------------------------------------
two trends in cyber space
For a moment, think of cyber space as a balloon that's constantly
being filled with more and more air. As the balloon gets bigger, the
amount of surface area that is vulnerable to a pinprick increases, the
skin of the balloon stretches and gets thinner, and the volume of air
trapped inside grows. I use the balloon metaphor to help illustrate
three key points about today's cybersecurity environment:
First, like the surface of the balloon, the ``attack surface
area'' of cyber space is expanding every day as more and more
devices are brought on-line. Some estimate that, right now,
there are billions of internet-connected devices--a number that
could surpass a trillion in just 10 years.\7\ Each smartphone,
computer, tablet, television, refrigerator, and ``intelligent''
vehicle is a potential cyber target.
---------------------------------------------------------------------------
\7\ Estimates vary. In 2014, Gartner, Inc., forecasted that 6.4
billion internet-connected devices would be in use world-wide in 2016,
and that 20.8 billion would be in use by 2020. ``In 2016,'' Gartner
predicted, ``5.5 million new things will get connected every day''
(``Gartner Says 4.9 Billion Connected `Things' Will Be in Use in
2015,'' Gartner.com, press release, November 11, 2014). In 2015,
Business Insider estimated that 10 billion devices were connected
world-wide and that 34 billion will be connected by 2020 (Jonathan
Camhi, ``BI Intelligence Projects 34 Billion Devices Will Be Connected
by 2020,'' BusinessInsider.com, November 6, 2015). In 2015, Juniper
Research suggested that the number of internet-connected devices will
reach 38.5 billion in 2020 (`` `Internet of Things' Connected Devices
to Almost Triple to Over 38 Billion Units by 2020,''
JuniperResearch.com, press release, July 28, 2015). According to the
2016 Georgia Tech Emerging Cyber Threats Report, there could be a
trillion devices by 2025 (Institute for Information Security and
Privacy, Emerging Cyber Threats Report 2016, Georgia Institute of
Technology, 2015).
---------------------------------------------------------------------------
Second, like the skin of the balloon, cybersecurity
resources--which are already stretched thin--must try to keep
pace with increasing complexity as new devices come to market
and become interconnected. For example, if you upgrade your old
home security system to a new one that connects to your
smartphone, you have complicated the task of protecting your
home by introducing several cyber vulnerabilities.
Third, like the air inside the balloon, the amount and type
of data we are all actively and passively uploading to the
Internet is constantly expanding. One popular traffic app for
smartphones constantly monitors your location, even when you
are not using the app. You have to actively turn this feature
off if you do not want your phone to share your location with
the app--and with the app's partners--every single minute. The
entire ``digital universe'' is already billions of terabytes
and constantly growing. Estimates of the annual growth of this
universe vary, but the increases appear to be exponential (see
Figure 2).\8\
---------------------------------------------------------------------------
\8\ The estimates and projections in the section are drawn from
Isaac R. Porche III, Bradley Wilson, Erin-Elizabeth Johnson, Shane
Tierney, and Evan Saltzman, Data Flood: Helping the Navy Address the
Rising Tide of Sensor Information, Santa Monica, Calif.: RAND
Corporation, RR-315-NAVY, 2014.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
So, cyber space is expanding, becoming increasingly vulnerable, and
hosting increasingly vast amounts of (sometimes critical) data. That's
the first trend. The second trend is that the number of bad actors
seeking to exploit cyber space for criminal or malicious purposes is
growing too: ``Since the mid-2000s,'' RAND Corporation experts warn,
``the hacking community has been steadily growing and maturing.''\9\ In
2014, more than a billion personal data records were compromised by
cyber attacks--a 78 percent ``surge'' in the number of personal data
records compromised compared with 2013.\10\
---------------------------------------------------------------------------
\9\ Lillian Ablon, Martin C. Libicki, and Andrea A. Golay, Markets
for Cybercrime Tools and Stolen Data: Hackers' Bazaar, Santa Monica,
Calif.: RAND Corporation, RR-610-JNI, 2014.
\10\ Arjun Kharpal, ``Year of the Hack? A Billion Records
Compromised in 2014,'' CNBC.com, February 12, 2015.
---------------------------------------------------------------------------
Considerable numbers of people and organizations--including highly
organized groups with cartel, terrorist, or even nation-state
connections\11\--are constantly trying to prick the balloon, and pins
are a dime a dozen. Tools for bad actors in cyber space are, quite
literally, commodities:
---------------------------------------------------------------------------
\11\ Ablon, Libicki, and Golay, 2014.
---------------------------------------------------------------------------
They can be--and are being--bought and sold. For example, cyber
criminals have sold login credentials for Facebook in bulk,\12\ even as
more and more sites are encouraging users to log in using their
Facebook accounts. Training in malicious hacking can be acquired easily
and for free on-line on sites you probably visit a few times a week,
like YouTube. Experts agree that the coming years will bring more
activity in so-called darknets, and more use of crypto-currencies; that
the ability to stage cyber attacks will continue to outpace the ability
to defend against them;\13\ and that there will be more hacking for
hire.\14\ Furthermore, a body of research is emerging called automatic
exploit generation (AEG) that seeks algorithms that automatically
generate large quantities of exploitable bugs.\15\
---------------------------------------------------------------------------
\12\ Amit Klein, ``Fraudsters Selling Login Credentials for
Facebook, Twitter in Bulk,'' SecurityIntelligence.com, February 8,
2012.
\13\ This is a viewpoint echoed by former Deputy Secretary of
Defense William Lynn in Foreign Affairs: ``In cyber space, the offense
has the upper hand . . . [T]he U.S. Government's ability to defend its
networks always lags behind its adversaries' ability to exploit U.S.
networks' weaknesses . . . In an offense-dominant environment, a
fortress mentality will not work. (William J. Lynn III, ``Defending a
New Domain: The Pentagon's Cyberstrategy,'' Foreign Affairs, September/
October 2010.)
\14\ Ablon, Libicki, and Golay, 2014.
\15\ According to Matthew Ruffell's overview of AEG (Matthew
Ruffell, ``Applying Bytecode Level Automatic Exploit Generation to
Embedded Systems,'' Christchurch, New Zealand: University of
Canterbury, October 16, 2015), Brumley et al. discovered in 2008 that
it was possible to automatically generate an exploit by analyzing a
vulnerable binary program and the patched binary program by comparing
the two and pinpointing what code had been changed and ultimately
output an exploit. See David Brumley, Pongsin Poosankam, Dawn Song, and
Jiang Zheng, ``Automatic Patch-Based Exploit Generation Is Possible:
Techniques and Implications,'' IEEE Symposium on Security and Privacy,
2008, May 18-22, 2008, pp. 143-157.
---------------------------------------------------------------------------
why these trends in cyber space will persist
A number of factors guarantee that cyber space will continue to
expand, continue to become increasingly vulnerable, and continue to
host increasingly vast amounts of (sometimes critical) data:
the shift to digitized information (e.g., voice, video, and
data)
the miniaturization of computing and data-storage devices
that carry digitized information, coupled with low costs, which
has fostered an explosion of increasingly networked digital
devices
continued growth in wired and wireless networks and
electronic systems, which make it possible to access, via the
internet, systems that used to be isolated (i.e., off-line)
the accelerating deployment of digital control systems that
operate physical systems, from cars to aircraft, from home
thermostats to the power grid, and so on
the increasing popularity of on-line media and social
networking, which, according to one study, has led some people
to spend more time each day on a phone or laptop (an average of
8 hours and 41 minutes) than sleeping\16\
---------------------------------------------------------------------------
\16\ Madlen Davies, ``Average Person Now Spends More Time on Their
Phone and Laptop than Sleeping, Study Claims,'' DailyMail.co.uk, March
11, 2015.
---------------------------------------------------------------------------
the combined decrease in cost, increase in speed, and
standardization of interoperating electronic systems, which not
only make these systems more accessible to anyone but also
increase the potential for exploitation.
These and other trends enable any government or state to use
capabilities that were once available only to developed countries with
large defense budgets, although it should be noted that these
capabilities simultaneously increase the exposure of those countries.
Additionally, individuals who were previously considered noncombatants
can now join the battle and wage silent, electronic war. Finally, as
information systems become ubiquitous, our reliance on them increases
apace. Today's modern economic, political, and military systems depend
more than ever on information and instructions generated in cyber space
nodes and transmitted across a vast network. Such reliance invites
conflict and exploitation.
options to address the emerging landscape in cyber space and obstacles
to implementing them
So, who do we have working on building a tougher skin for the
balloon, taking pins off the market, and tracking down and stopping
would-be pin-prickers? We have good guys: Cybersecurity professionals,
``white hat'' hackers, and other individuals who are identifying and
patching vulnerabilities and who are trying to take down the bad
actors. However, at the moment, in the U.S. Government, there simply
are not enough of these good guys to go around.\17\ Educating,
recruiting, training, and hiring cybersecurity professionals takes
time, and the most-capable professionals--the elite commercial ``cyber
ninjas''--can command salaries that the Government simply cannot
match.\18\
---------------------------------------------------------------------------
\17\ Joe Davidson, ``Lack of Digital Talent Adds to Cybersecurity
Problems,'' Washington Post, July 19, 2015.
\18\ Martin C. Libicki, David Senty, and Julia Pollak, Hackers
Wanted: An Examination of the Cybersecurity Labor Market, Santa Monica,
Calif.: RAND Corporation, RR-430, 2014.
---------------------------------------------------------------------------
Aside from hiring more good guys, what are our options for
improving cybersecurity? One of the best options is improving
information sharing and cooperation between and among Government
entities and the private sector. The Cybersecurity Information Sharing
Act of 2015, which contains elements to help facilitate information
sharing, is one effort that could stimulate the kind of information
sharing that is needed.\19\ Why is sharing of discovered
vulnerabilities, defense measures, and best practices so important?
Because bad actors benefit from slow identification and slow mitigation
of a threat.\20\ Given the time taken to identify a malicious intrusion
and determine its extent, which is usually measured in months, the bad
actors are long gone, along with your data.\21\ If Government entities
and the private sector were sharing information quickly and often, they
have a better chance of being able to anticipate and prepare for an
eventual attack. So, beyond just identifying and responding to attacks
more quickly, threats have to be anticipated and the behavior of threat
actors known. Intelligence on threat actors and their intentions is a
necessary ingredient to significantly improve the chances of predicting
and identifying the next act.
---------------------------------------------------------------------------
\19\ This includes sharing of knowledge about cybersecurity threats
(including vulnerabilities), indicators of cybersecurity threats (e.g.,
malicious reconnaissance), and sharing of defensive measures and best
practices.
\20\ Many attacks come after the announcement of a vulnerability
and release of a patch: ``When software vendors announce and ship
patches, hackers analyze the patches and can often develop exploits for
the problem faster than companies can install the patch'' (James A.
Lewis, Raising the Bar for Cybersecurity, Washington, DC: Center for
Strategic and International Studies, February 12, 2013).
\21\ According Mandiant's 2015 threat report, A View from the Front
Lines, the median duration that threat groups were present on a
victim's network before detection was 205 days.
---------------------------------------------------------------------------
Unfortunately, several factors make this kind of information
sharing and cooperation a lot easier to talk about than to actually
implement. First is the fact that cyber space is largely a private-
sector construct, subject to private-sector concerns. Working against
the pursuit of perfect (or even good-enough) security is the need to
get software and hardware to the market quickly, at a competitive
price, and with all the innovative features none of us yet know that we
absolutely cannot live without. As of June 2015, developers were
submitting more than 1,000 apps to Apple every day for evaluation.\22\
At that kind of volume, Apple cannot be expected to validate that every
single app it approves is perfectly secure--no matter how it is used,
no matter what other apps the user runs, and whether those apps are
updated as needed. The result is a sprawling universe of software and
hardware, some of which is, as the 2016 National threat assessment put
it, ``designed and fielded with minimal security requirements and
testing . . . [such that they] could lead to widespread vulnerabilities
in civilian infrastructure and [U.S. Government] systems.''\23\
---------------------------------------------------------------------------
\22\ Jerin Matthew, ``Apple App Store Growing by Over 1,000 Apps
per Day,'' IBITimes.co.uk, June 6, 2015.
\23\ James R. Clapper, Director of National Intelligence,
``Statement for the Record: Worldwide Threat Assessment of the U.S.
Intelligence Community,'' presented to the Senate Armed Services
Committee, February 9, 2016.
---------------------------------------------------------------------------
The second obstacle to this kind of information sharing and
cooperation is that most of the U.S. public is simply not comfortable
with the idea of mass Government surveillance. Specific attitudes
toward this issue are nuanced and complex, but the Pew Research Center
reported that, in 2015, 65 percent of U.S. adults believed that ``there
are not adequate limits on the telephone and internet data that the
government collects.''\24\ Frankly, even the most well-meaning
proposals to increase information sharing between the Government and
the private sector can feel like something out of George Orwell's 1984.
---------------------------------------------------------------------------
\24\ Mary Madden and Lee Rainie, ``Americans' Attitudes About
Privacy, Security, and Surveillance,'' PewInternet.org, May 20, 2015.
---------------------------------------------------------------------------
However, despite private-sector imperatives and public concerns
about a ``Big Brother'' nation, there are real, serious threats to,
from, and in cyber space: Threats to American citizens, American
businesses, and critical National infrastructure. It will be
increasingly difficult for the U.S. Government, along with State and
local agencies--including law enforcement--to pursue and prosecute
cyber criminals and other nefarious actors without some kind of
continued information sharing and cooperation that has occurred
routinely in the past. The likely court fight emerging now between the
Federal Bureau of Investigation and Apple over unlocking the phone of
one of the San Bernardino attackers is a timely example. It is
worrisome to privacy advocates that are concerned that this is a ``test
case for the general principle that [the Government] should be able to
compel tech companies to assist in police investigations.''\25\
---------------------------------------------------------------------------
\25\ Ben Adida, ``On Apple and the FBI,'' Benlog.com blog post,
February 18, 2016.
---------------------------------------------------------------------------
bureaucratic and legal issues that can hamper defense
Defending against sophisticated attacks against critical
infrastructure (such as Stuxnet, a computer ``worm'' allegedly designed
to sabotage Iran's nuclear program) requires excellent capabilities
marshaled into a coherent and coordinated response. The United States
has plenty of the former but, in my view, has difficulty conducting the
latter. Responsibilities can overlap or conflict. For example, stealing
financial information is a crime, and the Federal Bureau of
Investigation is charged with dealing with such criminal activity.
However, the Department of Homeland Security has a mandate to protect
the civilian agencies of the Federal Executive branch and to lead the
protection of critical cyber space.\26\
---------------------------------------------------------------------------
\26\ Further, the Defense Department has responsibility for
defending U.S. National interests against cyber attacks of
``significant consequence.''
---------------------------------------------------------------------------
Good intelligence has always been a prerequisite to good defense,
but many attacks come from overseas locations. Therefore, efforts to
garner intelligence outside the United States would involve the
agencies authorized to do so. Many regard the National Security Agency
as the most capable Government entity when it comes to analyzing and
defending against cyber attacks. But legal limits constrain what the
U.S. Department of Defense and intelligence community can do. Much
illicit activity masks itself in emails, but privacy laws preclude how
much the Government can monitor such transmissions.
None of this is to say that these carefully defined limitations
cannot be overcome. Indeed, a number of proposed pieces of legislation
attempt to deal with them. However, the challenge is great and is
compounded by the speed needed to respond to increasingly sophisticated
threats. Worms can be scrubbed from systems if its administrators know
the systems have been breached. But they need to act within the window
of opportunity, whether that is days, weeks, or months. Otherwise, the
worm will have done its damage and then erased itself.\27\
---------------------------------------------------------------------------
\27\ The language and analysis in this section is drawn from Isaac
R. Porche, Jerry M. Sollinger and Shawn McKay, A Cyberworm that Knows
No Boundaries, Santa Monica, Calif.: RAND Corporation, OP-342-OSD,
2011.
---------------------------------------------------------------------------
the way ahead
To better prepare to mitigate the emerging threats and improve the
cybersecurity of this country, two overarching goals should be pursued
continuously:
First, enable substantially better information sharing and
collaboration among key departments and agencies (Department of
Justice, Department of Homeland Security, Department of
Defense, and Office of the Director of National Intelligence)
and the private sector. The Cybersecurity Information Sharing
Act of 2015 was a needed, but small and careful, step toward
this goal, in part because it encourages the private sector
(via liability protections) and U.S. Government to share
knowledge of cybersecurity threats, including Classified
vulnerabilities, best practices, and defensive measures. This
law could better enable the community to anticipate attacks and
have a more proactive defense posture.
Second, achieve unity of effort across the U.S. Government.
Today, different Government agencies have different cyber
responsibilities. This makes perfect sense in many ways,
because different agencies have different capabilities, so they
should be tasked to do what they are good at doing. The trick
is to harness all the capabilities to a common end, and therein
lies the problem. Cyber defense requires a coherent response,
and the bureaucratic responsibilities as currently articulated
hinder progress toward that goal. President Obama's appointment
of a Chief Information Security Officer for the country--part
of his newly-announced Cybersecurity National Action Plan\28\--
is another careful small step toward some needs.\29\
---------------------------------------------------------------------------
\28\ 28 The White House, Office of the Press Secretary, ``Fact
Sheet: Cybersecurity National Action Plan,'' February 9, 2016. A
related news article noted that ``the Obama administration is creating
a new high-level federal official to coordinate cybersecurity across
civilian agencies and to work with military and intelligence
counterparts, as part of its 2017 budget proposal announced Tuesday''
(Tami Abdollah, ``Obama Administration Plans New High-Level Cyber
Official,'' ABCNews.com, February 9, 2016).
\29\ For example, Government information technology modernization.
---------------------------------------------------------------------------
Ultimately, perhaps ideally, what is needed is the ability to track
cyber intruders, criminals, and other hostile actors in cyber space
with the same freedom of maneuver (and speed) these adversaries enjoy.
Achieving this goal will require a sustained, long-term effort. New
authorities will be required, along with substantial revisions to the
U.S. Code (a daunting challenge). Public debate will be lively. Indeed,
I have long argued that public debate is a critical first step:
``Government intrusion into private affairs, even for reasons of the
common defense, evokes an emotional response . . . A first step
requires an honest, public debate [that] calls into question the very
firewalls between public and private sectors that are intrinsic to
democracy.''\30\
---------------------------------------------------------------------------
\30\ Isaac Porche, ``Stuxnet Is the World's Problem,'' Bulletin of
the Atomic Scientists, December 19, 2010.
Furthermore, what is needed is a discussion of how to best balance
the need for security and privacy. There are many ways to facilitate
this kind of discussion, and the proposal put forth by Full Committee
Chairman Michael McCaul and Senator Mark Warner is one way to move
forward, though there could be others.
It is fair say that today's debate about whether device makers
should be required to build ``back doors'' into operating systems so
law enforcement and intelligence agencies can collect data has jump-
started this much-needed discussion. This is a good thing.
In the short term, the next steps are multipronged. Congress needs
to continue to develop strong, smart policies and laws designed to
improve cybersecurity--laws like the Cybersecurity Information Sharing
Act of 2015. Although there is an immediate need for such policies and
laws, Congress would be well-advised to incrementally design these
policies and laws, and communicate them to the public, to earn the
public's confidence in the Government's ability and intentions.
Specifically, the public must be convinced that the Government's
information needs are balanced with individuals' desire for privacy. At
present, many ideas for, and approaches to, using technology to improve
cybersecurity--such as pooling and mining vast stores of data--alarm
those who believe in a right to privacy from Government intrusion.\31\
---------------------------------------------------------------------------
\31\ For example, big data analytics in support of cybersecurity.
---------------------------------------------------------------------------
There also needs to be appreciation that everyone has a role to
play in improving cybersecurity:
The U.S. Government should continue to facilitate and
encourage information sharing and cooperation between and among
Government entities and the private sector to protect citizens,
businesses, and critical infrastructure against cyber threats.
Department of Homeland Security Secretary Jeh Johnson has just
recently announced preliminary guidance for information sharing
between the private sector and the U.S. Government.\32\
Eventually, the U.S. Government should also find ways to
exploit all forms of data and intelligence to identify and
anticipate both threats and bad actors, without unacceptably
infringing on individuals' desire for privacy.
---------------------------------------------------------------------------
\32\ Aaron Boyd, ``DHS Releases Initial Guidelines for Cyber Threat
Info-Sharing,'' FederalTimes.com, February 17, 2016.
---------------------------------------------------------------------------
Developers and purveyors of internet-connected software and
hardware--including large corporations, individual app
developers, and everyone in between--need to be equipped to
understand the security impacts of their work.\33\ Today, a
software developer does not need to have a degree, or any
formal training, or any license whatsoever to write programs
that control our infrastructure. There are few, if any,
engineering fields that find themselves in a similar
predicament. For example, the design of a drawbridge requires
the oversight and approval of a licensed civil engineer,
whereas anyone, in theory, can design the software that
controls that bridge. Cybersecurity is everyone's
responsibility, from the chief information security officer to
the individual app developer.\34\
---------------------------------------------------------------------------
\33\ Threats and vulnerabilities can originate anywhere, including
the usual suspects (e.g., known hackers) or even well-intentioned
amateur code writers. A malicious hacker with a laptop and a seat in an
internet cafe has everything needed to launch an attack in cyber space.
Alternatively, a well-intentioned but naive ``app writer'' can
accidentally propagate a useful utility that unlocks backdoor access.
\34\ Many technology companies insist that they have to train all
new employees, whether hired with a degree or not, on techniques for
secure development. There is a gap in our educational system at all
levels.
---------------------------------------------------------------------------
Individual consumers should do more to protect their
software, hardware, and private information. Simply put, most
of us are either too busy or insufficiently educated (likely
both) to spend our days and nights patching every device in the
home. We often keep old and impossible-to-secure devices and
computers up and running. As the President's Cybersecurity
National Action Plan notes, there is too much old, outdated
equipment on-line today, which makes for easily targeted entry
points and ``botnet soldiers.''\35\
---------------------------------------------------------------------------
\35\ The White House, Office of the Press Secretary, 2016.
---------------------------------------------------------------------------
There is no simple solution to the threat posed by adversaries in
cyber space. However, one critical challenge that must be overcome--
soon--is determining how to protect the cybersecurity of a democratic
society that demands both freedom and privacy in its use of computer
systems and networks from the threat posed by enemies who respect no
boundaries and can act largely with impunity, despite National and
international norms and legal frameworks.
Thank you for your time and I am happy to answer any questions.
Mr. Ratcliffe. Thank you, Dr. Porche. I now recognize the
gentleman from Pennsylvania, Mr. Marino, for 5 minutes of
questions.
Mr. Marino. Thank you, Chairman. Good afternoon, and thank
you all for being here.
I am going to ask a couple questions that I would like each
of you to respond to, so maybe we could start with Mr.
Cilluffo, please. I am constantly doing town hall meetings and
meet with businesses and even individuals, and I am amazed at
the number of people in corporations that really do not
understand what can happen to their personal computers, to
their business operations, and so forth.
So we need to somehow ramp up the ability to educate the
public. How do we do that?
Mr. Cilluffo. Congressman Marino, that is an excellent
question, and I think it is one we are all struggling with
here. But unfortunately, I think there are enough recent
incidents where--shame on us if we keep hitting that snooze
button, whether it is the Hollywood Presbyterian example--this
is an example where you had individuals' medical records locked
up, and it actually had actual operational effect on the OR and
the emergency room of the hospital. It had real impact.
The cyber attack in the Ukraine on the grid, this
actually--people didn't have power. So these are no longer
zeros and ones that are invisible to average citizens, but we
are starting to see that cyber attacks affect not only the
cyber domain, but the physical domain and the physical world.
That said, right now, intellectual property theft is
probably the most rampant concern that we all have. Businesses
realize that. Unfortunately in your own State, some realize
that when it was too late.
Mr. Marino. Okay. Ms. Kolde, how do we educate people?
Ms. Kolde. Thank you. I think that the education needs to
occur across all levels of education, in terms of cyber
education, as well as all levels of the business organizational
infrastructure. I think we need greater awareness among
individual computer users of the risks of on-line operations,
doing your banking on-line and so forth, and what you can do to
protect yourself and your identity and your financial assets.
From the corporate or the organizational standpoint, there
needs to be additional education at the business level, the
management level, of the risks to business. Cyber is one
additional risk that any corporation faces and should be taken
into account, along with other operational risks that a
business must deal with.
In addition, we need better education across technical
personnel, those who are charged with managing information
systems and securing networks, as to both best practices and
the potential risks that can occur to that organization and
ways to defend against them.
Mr. Marino. Okay, I am going to switch now because I only
have a couple minutes. But wouldn't it be a good idea for every
laptop, phone, desktop computer that is put out there, that the
industry can agree on some type of short learning introduction
on that computer before you start doing anything that someone
has to read and pay attention to? Just a thought.
Mr. Bromwich. Yes, actually I was going to answer that kind
of question, actually, which is I think there is been a big
focus on--I think on attacks in the news. I think the public
understands the attacks, but they don't understand at all the
technologies that they need to have, like multi-factor
authentication.
These technologies are actually fairly simple and
straightforward. They can be made easy to adopt. I think it is
a matter of the public understanding--telling the public,
communicating to the public how important it is to adopt these
technologies.
I think we can educate consumers on these attacks more, but
ultimately the technology has to be there to do the protection
for them. I don't think it is enough to ask a consumer to
always just be vigilant or, you know, change their password
frequently. We need to provide them the technologies that make
this a seamless process.
Mr. Marino. Dr. Porche, I want to switch to a question that
shoots off this. What is the Federal Government's ability or
lack thereof to address, prevent, and/or curtail a cyber attack
on a large scale?
Mr. Porche. I think the Federal Government has strengths
that affect everyone in this country, in that the Federal
Government has information and resources to gather about what
the threats are. One of the themes in my testimony was--or at
least I tried to put forth--is get in front of the threat,
anticipate what is going to happen. Your success goes up so
much higher when you have a better idea of what is coming
around the pike, as opposed to a simple reaction. I don't know
anybody else who can help with that concept.
Also as came out in the CISA 2015 bill, sort of a
clearinghouse that DHS can play in gathering all the
information that can be spread out. I mean, no one has the
power to gather the information more than the Federal
Government, and no one is in a position to have to protect it
more carefully because of the power of the Federal Government.
So it is a good balancing act. But the resources of the Federal
Government to gather information are incredible.
Mr. Marino. Thank you. I yield back.
Mr. Ratcliffe. I thank the gentleman. The Chair now
recognizes the Ranking Minority Member of the subcommittee, Mr.
Richmond, for his questions.
Mr. Richmond. Thank you. I would address it to Dr. Porche,
and if any other Members want to comment on it, that is fine.
Dr. Porche, you know that my district probably in terms of
critical infrastructure, we have 3 major sea ports, we have
probably the largest petrochemical footprint of any district in
the country, we have major cross-country pipelines, and then we
have major interstate and rail, and with all different owners
and players that control each.
So I guess the question is, what are some of the unique
cybersecurity challenges that critical infrastructure owners
and operators face? Are there any particular emerging cyber
threats that are unique to critical infrastructure?
Mr. Porche. Yes, sir, thank you. Growing up in Baton Rouge,
down the street from the Exxon refinery plant, I am intimately
aware of the critical infrastructure and what can happen there.
There are some unique things about critical infrastructure.
For one, although it is not a popular target for people trying
to make a profit, that is good and bad, because the flipside is
that the people who--the adversaries who are interested in
potentially targeting critical infrastructure could potentially
be more sophisticated adversaries.
So critical infrastructure today might have to deal with a
more sophisticated threat than, let's say, a hardware store
might have to, although the impact could be the same in terms
of what could happen.
The other issue with critical infrastructure is, you know,
there could be vulnerabilities planted or just designed in that
exist for years before they are noticed. Critical
infrastructure may employ things like programmable logic
controllers and older equipment that is not the latest PC, and
so now you are dealing with a different way to protect
different types of information technology.
So awareness of what is going on in that critical
infrastructure is vital. Understanding what is normal and what
is abnormal is critical and help, because the critical
infrastructure needs to be protected from potentially skillful
adversaries who have resources.
Mr. Richmond. Anyone want to comment or----
Mr. Bromwich. Yes, I would just say that the protection
that critical infrastructure needs is slightly different from
what a typically enterprise would need, and so it actually
raises the bar for critical infrastructure. They have to be a
lot more educated and knowledgeable about the technology.
Today, they are taking common Windows computers and using them
for really important tasks, when they could be really narrowing
down the technology they use and reducing the attack surface.
So that is an important consideration for critical
infrastructure.
Mr. Cilluffo. Mr. Richmond, a couple of other quick
thoughts. I mean, industrial control systems, which are
agnostic to a particular critical infrastructure, this is an
area where you are seeing a major spike in activity. The good
news is, is that the energy sector writ large and the electric
sector in particular is doing some good work with their
information-sharing and analysis centers, but they are not as
far along as, say, the financial services sector is, where you
have the Financial Services Information-Sharing and Analysis
Center, the FSISAC, where they are actually sharing information
in real-time to do patches and the like through tools that are
referred to as STIX and TAXII that the Department of Homeland
Security and others have made available to the private sector.
So I do think that the good news is, is they recognize
obviously the implications and the impact. The bad news is, is
the threat vector is expanding, the attack surface is growing,
and quite honestly, the greatest solution in my eyes will be to
bake security into the design of the infrastructures itself.
So the more you can think about this on the front end,
rather than Lego and attaching security on the back end, would
be money and time well spent.
Mr. Richmond. You mentioned that they are not where the
financial services sector is in terms of information sharing,
collaboration and all of that. What do you think we need to do
to get them there? Do you think we have to do it through
legislation incentives, you know, stick or carrot? I mean, what
do you think?
Mr. Cilluffo. I am always for carrots before sticks, so I
do think there are some innovative approaches we can examine in
terms of tax incentives and other means in the like. I know
that is a very difficult and politically charged set of issues,
but I don't think the regulatory check the box--that is looking
through rear-view mirrors. It is looking at what we saw
yesterday.
The reality is, is the bad guys are thinking ahead, and
they are learning from our mistakes. They are learning from
their own mistakes, their own dry runs. They are consistently
learning and adapting their tactics and techniques.
So I do think the reason the financial services sector
stepped up is the old Willie Sutton principle. Why rob banks?
That is where the money is. They are getting hit. They feel it.
It hits their bottom line. It impacts confidence and trust.
Clearly, I think with the energy sector and when you are
looking at the potential implications from a public safety
standpoint, that ought to also be at the top of the list. But I
think first we want to see them come together as an
organization, and like I said, there has been some real
momentum. I don't want to take away from that, but not as far
along as the financial services sector.
Mr. Richmond. Thank you, and I yield back.
Mr. Ratcliffe. Thank the gentleman. The Chair now welcomes
and recognizes the Chairman of the full committee, Mr. McCaul.
Chairman McCaul. Thank you, Mr. Chairman. I ask unanimous
consent that my statement be put into the record.
Mr. Ratcliffe. Without objection, so ordered.
[The statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
February 25, 2016
Our country is under constant attack from adversaries seeking
access to our critical infrastructure and personal data. They are using
our own information systems against us. The reality is this: The web
has become a weapon, and nation states, criminal enterprises, and
terrorist organizations are acting with increasing sophistication on
the on-line battlefield. We must understand these cyber threats in
order to protect our homeland against them.
Today, we expect to hear about the threats we face in today's cyber
landscape. But I hope our witnesses will also discuss how America
should confront them. We cannot stand on the sidelines while faceless
enemies penetrate our networks. Nor can we afford to fail out of
negligence or apathy. Our message to cyber assailants should be clear--
America will not retreat; we will defend ourselves.
I applaud the President's recent Cybersecurity National Action Plan
for proposing increased attention and resources to combat these
threats. However, I still have questions about the overall strategy
guiding these efforts. The administration must release the National
Cybersecurity Incident Response plan, which is required by law in the
National Cybersecurity Protection Act of 2014, which I sponsored. The
administration says the plan will be out this spring, and I urge them
to get it done.
The President's recent cyber proposal is an approach I have been
pushing for us to adopt for more than a decade as a member of the
Cybersecurity Caucus. I am disappointed, though, that it took until his
last year in office for the President to release it. In cyber space, we
know all-too-well that delay can be disastrous. We saw this with the
OPM breach and the Sony Hack, and I fear that leadership lapses on the
cyber front will have consequences for years to come.
I want to thank the witnesses for joining us today. It is
disconcerting--but important--for us to hear the truth about the
severity of the cyber challenges we face. We have not kept pace with
our adversaries. If we want to disrupt their attacks, we must be
vigilant and keep an eye toward the future. Above all else, our task
must be to keep the American people safe.
Chairman McCaul. Thank you. I apologize, I am a little bit
under the weather, but I find this topic fascinating. I agree,
Frank, that we have to be in front of this, not trying to catch
up to it.
I looked at the OPM breach and the fact that the Chinese
were in our systems for somewhere--14 months to 2 years before
we detected that, the fact that according to your testimony,
you know, that Russia and Chinese actors have probably already
penetrated our grid systems, that they may be actually sitting
in the systems, at a point where they could turn it off.
I think the legislation we passed is helpful with
information sharing, malicious codes. It will be interesting,
it is a bit of an experiment to see how well it works. I just
met with the CIO of JPMorgan about their efforts in the
financial sector and also being able to share private-to-
private with liability protection.
But I think that is something that the Congress can do,
obviously. We have oversight. But I am interested in really,
what kind of technologies do we see on the horizon? This is
maybe where FireEye comes in. I got a briefing from FireEye
yesterday, and iSIGHT. In terms of being able to see these
threats before they penetrate or, if they do, be able to detect
aberrant behavior within a network to shut down that actor and
maybe firewall it off.
We know Mr. Snowden did great damage as a systems
administrator. We know the OPM breach involved old credentials
getting inside of the system, so that aberrant behavior is also
another threat that I see. But I think, you know, we can pass a
lot of laws, but I think--I mean, I am interested to hear, what
kind of technology software systems do you see on the horizon?
Ms. Kolde. Thank you. I think you have pointed out some
very good examples, where traditionally in the past much of our
security infrastructure has focused on protecting the perimeter
and identifying attacks as they come into the network, or
signature-based technology that relies on alerting things we
already know about. So I think as we move forward and we evolve
in terms to better protect our networks, those technologies
have to do a couple of things.
One is to be able to engage detection after the fact. So
once the attackers are already in your network, as they are
moving from machine to machine, as they are attempting to
escalate their privileges within the environment, how do we
deploy technology that can detect that type of activity when it
is not necessarily based on a specific signature or a
previously known piece of malware?
We also have to enable our security defenders, those people
who are responsible for modeling those networks, to better be
able to triage the alerts that are occurring in their
environment. If you have been a network analysis and you get
thousands of alerts a day, how do you decide which of those
alerts are the most worthy of your attention and the most
important to respond to?
So context around alert data to help the responders
prioritize is critical. Information sharing, as well. Some of
what iSIGHT does is to proactively look at the threat
landscape. What do we think criminal actors are going to do
based on the chatter that we are hearing? What do we think that
nation-states may attempt?
So getting more of that information out to the people who
need it, to be a bit more predictive, would also be extremely
helpful.
Chairman McCaul. Yes, and in our bill that we passed, we
have the defense of Federal networks act in there. So you have
to look at DHS and their ability to protect the dot-gov space,
that is where I think the private sector really has a lot of
the solutions.
I mean, Frank, do you have any comment on that?
Mr. Cilluffo. Chairman McCaul, I think you raise a number
of excellent points and clearly the ability to repel bad actors
when they are in your system has to be part of that solution
set.
But let me throw another idea out on the table, and I don't
know if this is the right time and place. But we have seen
major improvements in terms of information sharing. Kudos to
all of you on the dais for moving legislation, as well.
The reality, though, is we have got to get beyond static
information sharing. What I think we need to get to is where
the private sector can drive intelligence requirements that the
Government can help then glean and collect against.
So you are never going to get that family jewels, that
secret sauce document. What you need to be able to do is the
private sector needs to be able to levy what their specific
requirements and needs are and then those that have collection
capabilities to be able to meet those needs. I think that is
the next level of discussion that we can translate some of the
good work in terms of legislation into action.
Chairman McCaul. I appreciate that. I see my time has
expired.
Mr. Ratcliffe. Thank the gentleman. The Chair now
recognizes the--oh, yes?
Mr. Richmond. Mr. Chairman, I would like to ask unanimous
consent to enter into the record two letters of comments and
also the Ranking Member's opening statement.
Mr. Ratcliffe. Without objection, so ordered.
[The information follows:]
Statement of Ranking Member Bennie G. Thompson
February 25, 2016
Earlier this Congress, this subcommittee heard from the Federal
Government in detail the roles that the Department of Homeland Security
takes in its mission to secure information networks and provide
resilience, not only to Government systems, but to assist private
networks and data and protecting the Nation's critical infrastructure.
On February 16, the Department of Homeland Security along with the
Department of Justice issued guidelines and procedures required by the
Cybersecurity Act of 2015. These guidelines provide both the Federal
Government and the private sector with an understanding of how to share
cyber threat indicators with the DHS National Cybersecurity and
Communications Integration Center (NCCIC).
DHS and DOJ issued a separate guidance for the private sector.
Today, I would like to hear from our witnesses, their take on the DHS
and DOJ private-sector guidance. Now that this committee has written
and passed useful legislation giving the DHS authorities to use and
share its threat intelligence with private companies, and for companies
to do the same with Government in return, and DHS has published
guidelines, it is our responsibility in Congress to oversee the
realization of a mature risk management process for information
security, and I hope we will hear some of the risk-based management
approaches today.
Given the complexity of emerging threat capabilities, the link
between physical and cyber domains and the diversity of cyber
criminals, I would like to hear what challenges the private sector
faces in working with the Department of Homeland Security.
For Congress to continue to make effective cybersecurity policy,
whether it is related to cyber hygiene or infrastructure protection, it
is our job to understand not only the scope of the problem, but also
how our public and private sectors work together to enhance security.
Mr. Chairman, as an aside, for the past few weeks, cyber space
headlines have been littered with high-profile cases. From the as-yet-
to-be determined cyber-based electric grid problems in Ukraine, to a
California hospital ransom-ware event . . . in which the hospital did
not tell anyone about until after they had paid the ransom . . . to the
encryption dilemma surrounding law enforcement access to some of the
data on the mobile phone of a home-grown terrorist.
All of which need careful consideration, investigation, and
deliberation. I would suggest that to make progress on all of these
issues, we need to tone down the confrontational speech-making, rather
than remaining on this argumentative, and adversarial highway.
______
Statement of Tom Patterson, VP/GM Security, Unisys Corporation
February 25, 2016
emerging cyber threats to the united states
Unisys appreciates the opportunity to contribute to the
Congressional efforts to mitigate cyber threats to the United States,
and share our new and advanced concept that we are using to protect
both governments and businesses around the world. Cyber attacks are
increasing, and leaders in Government and industry are seeking new
approaches to protect critical data.
We all rely on computing and communications systems that are
critical to financial markets, health care providers, energy producers,
schools, governments, and business enterprises. It is not just our
computers that are at risk. Increasingly, cyber attacks jeopardize
careers, wallets, companies, infrastructure, and even lives.
Adversaries boldly wield the power to access personal and corporate
data on-line and take control of systems throughout our interconnected
world. Recently, we have watched as companies, governments, and
institutions report system breaches on a nearly weekly basis. It is
clear that core assumptions and approaches that defined old security
models are failing.
Unisys provides hundreds of organizations with support for their
security requirements for hundreds of organizations. Our clients
understand that the original approaches to cybersecurity are no longer
working.
Unisys is delivering a fresh approach to security to our clients.
The new approach accounts for modem infrastructure--employees that work
from home, users that need access to information on mobile devices,
data that uses the efficiencies of the cloud, and supply chains that
are integrated and interdependent. The new approach also adapts to
changes in the adversaries, who are becoming more skilled and more
motivated.
Furthermore, we understand that new cybersecurity systems need to
assume that infiltrations will somehow occur and must provide tools to
localize, limit, and contain the damage.
At the core of our new approach is the advanced concept of micro-
segmentation. If segmentation is analogous to a bank vault, micro-
segmentation is akin to the many safe deposit boxes within the vault.
Micro-segmentation is much more secure and inclusive, and easier to
implement and manage. It embraces new technologies like clouds, and new
business models like integrated supply chains, while still supporting
all the older existing investments. It delivers real results that are
both cost-effective and resource-efficient. In order to deliver on the
promise of advanced micro-segmentation, Unisys has developed an award
winning product--StealthTM--that makes it fast and easy to
protect enterprises around the world more securely.
Micro-segmentation allows enterprise managers to divide physical
networks quickly and easily into hundreds or thousands of logical
micro-networks, or micro-segments. Setting up micro-segments keeps the
different parts of an organization logically separate, thus lowering
the intrusion risk. If a breach happens, the intruder can only see one
segment.
Micro-segmentation works at the internet packet level,
cryptographically sealing each packet so that only packets within the
approved micro-segment are processed. For every packet, the data is
completely encrypted, and the routing information in the headers is
cryptographically sealed to ensure only authorized delivery. Users can
only send and receive packets for a specified group.
Micro-segmentation is implemented by software, and it therefore
operates independently from any given network topology or network
hardware. Organizations have a single security model that works equally
well in data centers and the public cloud. With micro-segmentation,
organizations can extend security to the cloud while retaining control
of data in motion and the keys that secure it. Micro-segmentation
enables access to the benefits of the cloud--cost savings and network
flexibility--without sacrificing security. Micro-segmentation can also
be implemented quickly and easily within virtual machines to defend
against side-channel attacks and other risks that are specific to cloud
architectures.
Micro-segmentation makes it easier to integrate component suppliers
by providing just the right amount of access. Micro-segmentation can
also protect legacy systems, allowing organizations to use older
operating systems while keeping them isolated from newer systems. By
embracing a new approach to cybersecurity, we can dramatically increase
the strength of our networks and confront the new threat with new
tools.
The benefits to adding micro-segmentation to existing networks--in
data centers, devices, clouds, and even industrial control systems--are
many. It lower costs, affords better protection, and changes
catastrophes into small manageable events. It works on outdated systems
as well as the most advanced industrial control system, and it does not
require expensive hardware or armies of security experts to install or
operate it.
Unisys is proud to be a leading provider of advanced micro-
segmentation products and services to governments and the private
sector. White papers, use cases, demos, and greater technical detail
are available on www.unisys.com/stealth. Thank for you the opportunity
to provide Unisys's perspective on cybersecurity.
______
Letter From the Society for Maintenance & Reliability Professionals
February 24, 2016.
The Honorable John Ratcliffe,
Chairman, U.S. House Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, 176 Ford House Office
Building, Washington, DC 20515.
The Honorable Cedric Richmond,
Ranking Member, U.S. House Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies, 117 Ford
House Office Building, Washington, DC 20515.
Subject: SMRP Comments on Emerging Cyber Threats to the United States
Dear Chairman Ratcliffe and Ranking Member Richmond: I am writing
to provide comments on emerging cyber threats to the United States. The
Society for Maintenance & Reliability Professionals (SMRP) applauds the
U.S. House Committee on Homeland Security's decision to hold a
congressional hearing within its Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies. The maintenance
and reliability of cybersecurity systems and critical infrastructure is
essential to the security of our nation. Please accept these comments
as part of the official record of the subcommittee hearing.
i. smrp introduction and background
SMRP is a professional society formed in 1992 to develop and
promote excellence in the maintenance, reliability, and physical asset
management profession. SMRP members consist of engineers, operations
managers, repair and reliability technicians, worksite and project
planners, and other service providers. SMRP members are experts in
specification, design, purchasing, installation, inspection, testing,
maintaining, decommissioning, and asset disposal.
Maintenance and reliability jobs are skilled positions that provide
competitive advantages to the companies that have them. Companies with
highly trained, certified engineers reap a variety of benefits,
including lower operations and manufacturing costs, reduced onsite
injury risks, reduced environmental risks, and increased net profits.
Nearly every industry sector requires the services of maintenance,
reliability, and physical asset management personnel, including energy,
oil and gas, pharmaceuticals, automotive, government and military,
petrochemical, education, and commercial. Our ranks are made up of
senior reliability managers from such companies as Cargill, BP, General
Electric, General Motors, as well as utilities, Government facilities,
and the organizations that support them.
ii. maintenance & reliability certifications
Certified Maintenance & Reliability Professional
With over 4,800 accredited professionals certified by SMRP, the
Certified Maintenance & Reliability Professional program is the leading
credentialing program for verifying the knowledge, skills, and
abilities of maintenance and reliability professionals, regardless of
education background or work experience. Examining more than just
textbook information, the Certified Maintenance & Reliability
Professional examination is a thorough assessment of a broader scope of
expertise measured against a universal standard. A foundational belief
in developing this examination is that professionals in the maintenance
and reliability profession learn critical knowledge, skills, and
abilities from a variety of sources, both on the job and from outside
training.
The Certified Maintenance & Reliability Professional is accredited
by the American National Standards Institute (ANSI), which follows
International Organization for Standardization (ISO) standards for its
accreditation and processes. It was developed to assess professionals'
aptitude within the 5 pillars of the Maintenance and Reliability Body
of Knowledge: Business management, equipment reliability, manufacturing
process reliability, organization and leadership, and work management.
Certified Maintenance & Reliability Technician
The Certified Maintenance & Reliability Technician program is the
leading credentialing program for the knowledge, skills, and abilities
of maintenance and reliability technicians, regardless of education
background or work experience. Earning the Certified Maintenance &
Reliability Technician credential indicates that you have achieved a
level of ability consistent with the requirements for competence on the
job as a multi-skilled maintenance and reliability technician,
recognized across all industries in the manufacturing world. A
foundational belief in developing this examination is that technicians
in the maintenance and reliability profession learn critical knowledge,
skills, and abilities from a variety of sources, both on the job and
from outside training.
The certification assesses the knowledge and skills of those
responsible for preventative, predictive, and corrective maintenance,
who are multi-skilled individuals with a critical role in the success
of organizations world-wide. The Certified Maintenance & Reliability
Technician exam tests competency and knowledge of specific tasks within
4 domains: Maintenance practices, preventative and predictive
maintenance, troubleshooting and analysis, and corrective maintenance.
iii. cyber attack at target stores
On November 15, 2013, a complex cyber-attack was conducted on
Target stores through credentials obtained from a third-party HVAC
service company. Once cyber-criminals acquired access to a beachhead in
their contractor billing, contract submission, and project management
system, they were able to use information provided via the portal to
access Target's credit card terminals. Over the next month, the cyber-
criminals were able to access over 110 million consumer credit cards.
iv. smrp cybersecurity positions and recommendations
While a focus on the larger organizations is important for a last
line of defense, preventing cyber-attacks on small and medium
organizations that service the larger organizations and critical
infrastructure should be a primary line of defense. It is SMRP's belief
that an understanding of the threats through contractors and
subcontractors, regardless of size, and the development of cyber-
defense processes will further reduce the risk to the economy and
infrastructure of the United States and our allies.
SMRP recommends research into the potential threat through the
first line of defense and the inter-connectivity between companies,
vendors, contractors, and subcontractors with a goal to establish a
cyber-defense strategy. This includes the evaluation of cyber-
information and cyber-physical systems as weil as best methods to
prevent infiltration and damage to the front-line organizations. This
will have the additional impact of improving the security of small
business while reducing the number of attacks on larger organizations
as current business models by all organizations includes contracting
services.
v. summary and recommendations
The maintenance and reliability of cybersecurity systems and
critical infrastructure is essential to the security of our nation. We
need to better understand the threats posed through contractors and
subcontractors in order to truly reduce the risk to the economy and
infrastructure. SMRP recommends research into the potential threat
through the first line of defense and the inter-connectivity between
companies, vendors, contractors, and subcontractors with a goal to
establish a cyber-defense strategy.
Thank you for your consideration and please do not hesitate to
contact me if you have any questions.
Sincerely,
John Ferraro,
SMRP Government Relations Director.
Mr. Ratcliffe. The Chair now recognizes the gentlelady from
Texas, Ms. Jackson Lee, for 5 minutes of questions.
Ms. Jackson Lee. I thank the Chair very much.
To the Ranking Member of the subcommittee and, of course,
the full committee Chairs and Ranking Member, let me speak
quickly. Some bells have started to ring. I want to just join
and say I think our committee made a very important step when
we passed the Cybersecurity Information-Sharing Act of 2015,
and I take note of the bipartisan work on this committee on
these issues, even though I think more than a decade ago we
began to see the unraveling of the issue of cybersecurity and
the sort of importance of going head on in the private sector
with 80-plus percent of the cyber world versus the Federal
Government.
I think all of us were lagging in the response. So even
though we have made some steps in the Judiciary Committee--for
example, today, we were discussing the interests of
international law enforcement, trying to store data in many of
our providers. So everywhere there are questions of either
breaching, because someone wants the information, or breaching
when someone should not be getting the information.
Let me cite a very quick example on this issue of
ransomware. The latest victim, Hollywood Presbyterian, 9,420
beds, and which was forced to pay 4 bitcoins on-line, $17,000,
to get access to their own patient and administrative computer
networks.
Police departments have fallen victim. So let me ask the
question, does anywhere know how often ransomware is used to
get ransom from victims? Are there requirements to report
ransomware attacks or should there be? Anyone care to comment
on that?
Ms. Kolde. We are seeing an increase in the use of
ransomware, and where initially it seemed to be a fairly
background noise-level type of attack used by amateur criminals
largely against individuals, we are now seeing it being used
against corporations, both in terms of the ransomware itself
where the data is encrypted and in terms of other types of
extortion. Basically, the criminals are becoming emboldened.
If you are an organization, particularly one that may
provide criminal services or support critical infrastructure,
you can't afford to not be operational, whether that is due to
ransomware or due to the fact that someone is threatening to
wipe data on your computer and destroy your assets.
So I think that that trend is going to continue. I am not
aware of any current reporting requirements outside of the
current regulatory framework, but I don't think that those
attacks are going to slow down anytime soon.
Ms. Jackson Lee. Would it be helpful--first of all, you
know, fact finding and facts are probably part of a cure, may
not be the total cure. I think it would be helpful for us to be
aware, policymakers, about these attacks. Would you welcome
that, at least providing us with that--when I say providing,
through the regulatory scheme?
Ms. Kolde. I would prefer to consider the business impact
of that, as well. But I think that again generalizing the more
we know about what is going on, the more we are aware of what
specific things we need to defend against, and how we need to
promote education around those issues.
Ms. Jackson Lee. Maybe anyone else, but, Mr. Bromwich, does
Symantec recommend or use backdoors in their cybersecurity
products?
Mr. Bromwich. We most definitely do not. We most definitely
do not recommend the use of backdoors in really any situation.
Backdoors compromise security technologies. Backdoors
compromise the integrity of encryption technologies. We
strongly believe that those should not be compromised.
Ms. Jackson Lee. As I ask this question, I want you to
think of multifactor identification, meaning two methods are
used to be sure the person giving computer access or who they
claim they are, that sort of goes the overall question of the
ransomware and others.
But let me ask this question that I hope that I can get any
of you to jump in. The United States critical infrastructure is
already dependent on our Nation's cyber networks and systems.
These sectors are also increasingly interdependent, and the
disruption is obviously massive. What are some of the unique
cybersecurity challenges critical infrastructure--and that is
across the gamut, the electric grid, et cetera, that I have
been looking at--owners and operators face? Are there any
particularly emerging cyber threats that are unique to the
critical infrastructure?
I have some articles that I want to submit into the record
on the port, but can any of you jump in on any of those that
you see?
Ms. Kolde. I think one of the things to keep in mind about
critical infrastructure is there has been a lot of concern, and
very relevant concern, about critical infrastructure being
subjected highly-sophisticated targeted attacks, and that is
definitely a concern. Those attacks will primarily come from
very well-resourced threat actors, most likely nation-states.
But I think it is important to keep in mind that critical
infrastructure can be impacted by other types of attacks, as
well. There may be threat groups that are interested in doing
something opportunistic, where they don't care specifically if
it is a port, a specific dam, a particular power plant that is
affected, but they want to make a very public statement that
they can do this sort of thing.
So any particular part of critical infrastructure that may
happen to be vulnerable may be a target to simply something
like a destructive attack. Like any other organization, those
types of critical infrastructure organizations are also
potentially subject to damaging attacks that are simply
incidental, the wrong virus, the wrong piece of malware that
gets into the network and shuts down computers, without
necessarily impacting control systems or infrastructure itself,
could still put that utility, that financial system out of
business until they recover.
So it is important to keep aware of the whole spectrum of
threats that are potentially impacting those organizations.
Ms. Jackson Lee. Mr. Chairman, may I submit--I saw Dr.
Porche, but maybe you can answer in writing--it looked like you
were on the verge--but in any event, let me ask unanimous
consent to put into the record ``Nine Major Models of Internet-
Connected Baby Monitors are Extremely Vulnerable to Hacking.''
As I looked at Mr. Richmond, he may have an interest in this. I
know I have 2 twin 8-month-olds, and they are, as they say,
using new technology.
So I ask unanimous consent to submit that into the record.
It makes this hearing very important, Mr. Chairman.
Mr. Ratcliffe. Without objection.
[The information follows:]
Article Submitted by Honorable Sheila Jackson Lee
Nine major models of Internet-connected baby monitors are extremely
vulnerable to hacking
security researchers could hack into home-monitoring systems with ease
http://www.consumeraffairs.com/news/nine-major-models-of-internet-
connected-baby-monitors-are-extremely-vulnerable-to-hacking-
090315.html
09/03/2015, ConsumerAffairs, By Jennifer Abel
Ever since wireless or Internet-connected home baby monitors and
security systems became commonplace, there have been equally
commonplace warnings about how easily hackers can break into these
systems.
There even exist voyeurism websites dedicated to streaming or
archiving camera footage from unprotected Internet protocol (IP)
cameras--almost always without the camera owners' knowledge. Last
April, for example, a Minnesota family learned this the hard way after
they discovered that hackers had hijacked the ``nanny cam'' in their
baby's room--and posted surreptitious baby photos on a foreign website.
Yet recent research by the Rapid7 cybersecurity firm suggests that
the majority of home baby monitors on the market today remain extremely
vulnerable to hack attacks. Rapid7's white-hat hackers were
successfully able to exploit vulnerabilities in 9 different models of
baby monitor. Worse yet, many of those vulnerabilities are inherent to
their systems--meaning that even security-conscious and tech-savvy
users cannot fix them. Mark Stanislav and Tod Beardsley co-wrote
Rapid7's report, which is available as a .pdf here.
Increased hacking threat
Most baby-monitor-hacking stories emphasize the obvious privacy
threats to the baby and others in the house. But Stanislav and
Beardsley, in their executive summary, pointed out that the threat
stretches much farther than that:
While Rapid7 is not aware of specific campaigns of mass
exploitation of consumer-grade IoT [Internet of things] devices, this
paper should serve as an advisory on the growing risk that businesses
face as their employees accumulate more of these interconnected devices
on their home networks.
This is especially relevant today, as employees increasingly blur
the lines between home networks and business networks through routine
telecommuting and data storage on cloud resources shared between both
contexts.
In other words: any Internet connection, or device with one, has
the potential to be hacked. And if a hacker successfully breaches
security for one of your Internet-connected devices, there's a good
chance he can piggyback from there to breach the security of anything
else connected to it.
So let's say a hacker secretly breaches your baby-cam or other
home-security network. You then use your smartphone to watch camera
footage while you're out running errands; now the hacker can get into
your smartphone. And when you use the phone to check your messages at
work, that gives the hackers access to your corporate network, so your
personal, private hacking problem might now place the entire company
you work for at risk.
Though the risk to your family is bad enough. Just last week, an
unknown hacker used a breached baby monitor to harass a family in
Indianapolis.
Jared Denman said that his wife was playing with their 2-year-old
daughter when the baby monitor suddenly started playing music: the
1980s creepy-stalker anthem ``Every Breath You Take,'' by The Police.
Once the hacker realized he had the mother's attention, he started
making ``sexual noises'' over the speaker. Turns out the Denmans, like
many baby-monitor buyers, had made the mistake of not changing the
system's factory-set username and passwords, which meant anyone who
knew them could break in.
Monitoring devices fail security test
Yet even consumers savvy enough to avoid such obvious mistakes
still can't be certain their privacy is protected when there's a baby
monitor in the house. When Rapid7 tested 9 different models of baby
monitors, said Mark Stanislav, ``Eight of the 9 cameras got an F and
one got a D minus.
``Every camera had one hidden account that a consumer can't change
because it's hard coded or not easily accessible. Whether intended for
admin or support, it gives an outsider backdoor access to the camera.''
The tested baby monitors included various models produced by
Gyonii, Philips, Lens Peek-a-view, Summer Baby Zoom, TRENDnet,
WiFiBaby, Withing, and iBaby. A chart on page 7 of Rapidis report (page
9 of the online .pdf) lists the vulnerabilities found in each specific
model.
Some security flaws were more glaring than others. The Philips
In.Sight model, according to Stanislav, streams live video onto the
Internet without so much as requiring a password or account to protect
it. With Summer Baby Zoom, the researchers learned, there's no
authentication process to allow new viewers to see specific camera
feeds; anyone who wishes to can simply add themselves.
According to the timelines in Rapidis report, the researchers
informed various vendors of these security flaws in early July. Yet
Stanislav said that of all the companies he contacted, Philips was the
only responsive vendor.
Protect your privacy
While the vulnerabilities exposed by Rapid7 can't be entirely
eradicated, there are ways users can reduce the possibility of
electronic eavesdropping. For example, unencrypted video files or other
data is most vulnerable to hacking when viewed over a public WiFi
network, so if you must remotely view unencrypted video, Stanislav
recommends using a cell phone Internet connection instead.
Parents should also keep baby monitors unplugged when they're not
in use, use secure passwords, change them frequently, and make sure the
device's software is always up-to-date. You might also consider setting
up a search-engine email alert so that you are notified anytime a news
story mentioning your model of baby monitor gets published; if new
security flaws or fixes are announced, that would probably be the
quickest, easiest way to ensure you hear about it.
Ms. Jackson Lee. Then finally, what if cybersecurity--this
article, I am sorry, Consumer Affairs dated 9/3/2015--and then
``What If A Cybersecurity Attack Shut Down Our Ports?'',
October 7, 2015, and this is not stopping cargo ships, but
actually causing the loss of knowing where products are, like
clothes, electronics, food, and everything. I ask unanimous
consent to put that into the record. Thank you.
Mr. Ratcliffe. Without objection.
[The information follows:]
Article Submitted by Honorable Sheila Jackson Lee
What If A Cybersecurity Attack Shut Down Our Ports?
it's a real, and frightening, possibility
SLATE MAGAZINE, October 7, 2015, by Lily Hay Newman
http://www.slate.com/articles/technology/future_tense/2015/
05/maritime_cybersecurity_ports_are_unsecured.html
Shipping containers lie stacked upon a yard at Port Newark
Container Terminal, the third-largest cargo terminal in New York harbor
on February 21, 2006 in Newark, New Jersey.
The real Internet of Things: Shipping containers lie stacked upon a
yard at Port Newark Container Terminal, the third-largest cargo
terminal in New York harbor, on Feb. 21, 2006 in Newark, New Jersey.
It's easy to forget when you're on dry land that 90 percent of the
world's goods are shipped on boats. While we worry about the
cybersecurity of power grids and nuclear missile silos, most of us have
never thought about whether the container ships and ports that bring us
our clothes, electronics, food--everything--are secured against digital
threats.
The April newsletter from maritime cybersecurity consulting firm
CyberKeel contained a scary stat. According to a spot check the group
conducted, 37 percent of maritime companies with Windows webservers
haven't been keeping up with installing security patches from
Microsoft. As a result, more than one-third of these sites are
vulnerable to denial-of-service attacks and certain types of remote
access.
We already know that companies are slow to protect their networks.
On the first anniversary of the discovery of Heartbleed last month, one
study showed that 74 percent of companies on the Forbes Global 2000
list hadn't comprehensively patched their systems against what was
possibly the worst vulnerability ever discovered. Maritime companies,
though, are responsible not just for customer data (which is already
extremely valuable), but for physical goods. If their systems suffer an
outage, companies might not know where their ships are, or ports might
not be able to unload cargo. Doesn't this sound kind of, um, important?
Over the last few years, groups around the world have been working
to bring maritime cybersecurity to the fore and begin talking about the
reality of the threats. When breaches occur, private companies
currently have virtually no incentive to disclose them, because it will
only generate bad publicity and breed distrust among customers and
investors. Incidents have started to come out, and this first step
toward transparency is promising.
But those steps are taking a little too long, given how critical
maritime infrastructure is to everyday functioning in the U.S. and
abroad. A 2013 report on maritime cybersecurity from Brookings
explained, ``The potential consequences of even a minimal disruption of
the flow of goods in U.S. ports would be high . . . [S]helves at
grocery stores and gas tanks at service stations would run empty.''
When 90 percent of goods come through maritime shipping, it's not
that hard to imagine that situation coming to fruition. CyberKeel co-
founder Lars Jensen says that when he and partner Morten Schenk began
working on maritime cybersecurity consulting in January 2014, the
prevailing idea among maritime executives was that digital threats
either didn't exist or were highly theoretical. But, he says, ``The
thing that started to scare us a little bit was that some of things . .
. where we said, `This is clearly Hollywood-scenario stuff' had already
happened.''
Many of the incidents that have occurred have, as you might expect,
been kept quiet. But examples are trickling out. For example, at a
January public meeting to discuss maritime cybersecurity standards, the
Coast Guard said that in 2014, a U.S. port (it's not clear which one)
suffered a 7-hour GPS signal disruption that crippled operations. Port
cranes use GPS data to establish their own positions, the positions of
the containers they are supposed to move, and the positions to where
they are supposed to move the containers. The incident the Coast Guard
described affected 4 cranes. Without GPS, ports have to switch to
manual operation, which is extremely inefficient and time-consuming.
Four confused cranes probably don't quite evoke the mayhem that the
phrase Hollywood-scenario stuff might conjure in your mind. But
remember that GPS is also crucial for navigation on board ships and for
tracking the whereabouts of different vessels as they move. Jensen
describes one possible scenario (which he says he hasn't heard about
actually happening yet) in which hackers could use GPS jamming as a way
of holding a ship hostage, asking a small enough ransom that it's
cheaper for the shipping company to just pay rather than attempt to
intervene.
GPS's ubiquity is both its strength and weakness. ``The government
provides positioning, navigation, and timing through the GPS system,''
says Dana Goward, president of the Resilient Navigation and Timing
Foundation and the former maritime navigation authority for the United
States. ``It's a free, highly precise signal that engineers have
incorporated into virtually every technology. But because of that, it's
become a single point of failure for much of America. And you see
examples of that in maritime.'' The RNT Foundation advocates for the
creation of a GPS alternative for emergencies. A 2004 Presidential
security directive to the Department of Transportation supported the
initiative, but 11 years later, it still hasn't moved forward.
Another troubling incident occurred in 2012, when malware took out
about three-quarters of Saudi Aramco's files across tens of thousands
of PCs. An image of a burning American flag appeared on every screen.
The company was able to contain and mitigate the attack relatively
quickly, but since the oil company distributes its product through
maritime shipping, it was a wakeup call about how big of an economic
impact a port-related hack could have.
In March, Rutgers University held a maritime cybersecurity
conference co-sponsored by the Command, Control, and Interoperability
Center for Advanced Data Analysis and the American Military University.
``The threat is very real,'' said Rear Adm. Marshall Lytle, the
assistant commandant responsible for U.S. Coast Guard Cyber Command and
the keynote speaker at the conference. ``These intrusions and attacks
are taking place every minute and every second of every day.''
One of the problems with incentivizing both disclosures and
increased cybersecurity vigilance is the lack of international or even
domestic port standards from governing bodies. ``Right now there is
nothing akin to the [International Ship and Port Facility Security
Code] rules on the cyber side. Nothing whatsoever,'' Jensen said. (The
ISPS Code is a set of internationally agreed-upon minimum standards for
physical ship and port security that was developed after 9/11 and
enacted in 2004.) ``There has to be some sort of consensus coalescing
in the industry.''
At the Rutgers conference, Vice Adm. Charles Michel, who is deputy
commandant for operations, outlined some of the Coast Guard's plans for
cybersecurity strategy. ``Probably the most important part of the Coast
Guard's Cyber Strategy is in its key organizing principle: The strategy
is all about embracing a policy framework that will allow our
enterprise to begin to tackle these challenges.''
The issue hasn't exactly reached peak urgency in either the private
or government sector, but Goward thinks it needs to. ``The sooner the
better,'' he says. ``Opportunities for mistakes or for bad people to do
malicious things just continue to grow. The solution can't come soon
enough.''
This article is part of Future Tense, a collaboration among Arizona
State University, New America, and Slate. Future Tense explores the
ways emerging technologies affect society, policy, and culture. To read
more, visit the Future Tense blog and the Future Tense home page. You
can also follow us on Twitter.
Ms. Jackson Lee. I yield back.
Mr. Ratcliffe. I thank the gentlelady. The Chair now
recognizes the gentleman from New York, Mr. Donovan.
Mr. Donovan. Thank you, Mr. Chairman. The next set of bells
you are going to see all of us run, so let me speak quickly.
This Congress passed a remarkable piece of legislation
recently in cybersecurity and sharing of information. What
should we be looking to do now in the current year, in 2016? Is
there anything in particular that we should be doing now? I
mean, the sharing of information was an issue. We kind of
resolved part of that. What should we be looking at now as a
legislative body to help you? Anyone?
Mr. Porche. I will chime in first.
Mr. Donovan. Thank you, Doctor.
Mr. Porche. So, one--you may not like this answer, sir--but
a little bit of wait. Let's see how well CISA works. You know,
if the protections in place are valid, if the voluntary nature
of the bill is still successful, people are chiming in. So
let's see how successful that is, and if there need to be any
changes.
Maybe far into the future, when we can sort-of work out the
privacy and the civil liberties issues that will likely come
up, start thinking about, how do we take advantage of this
information? How do we fuse all the different sources and all
the contextual information that Ms. Kolde talked about to give
us a better picture?
So we have kind of--the CISA 2015 bill got us into the
information age, despite the fact we have been in the
information age for a while. What is next is the knowledge age,
where we can actually pull smarts, pull intelligent fusion,
pull sense-making out of all that data that we have coming in,
doing something quite useful with the data that is collected
that can give us insights into the next attack.
That is in the future, but we should be thinking about, you
know, discussing how do we get there?
Mr. Cilluffo. Mr. Donovan, a couple of quick thoughts.
One--and I touched on in my prepared remarks and maybe in the
oral--to examine the active defense set of issues, in terms
of--there is a lot of policy space behind build higher walls
and bigger moats and hack back. Between that space, we have got
to start identifying what some of the actions and steps
companies can take to more proactively defend their systems.
They can't afford to wait. If Government is not going to
respond, someone needs to be able to respond.
So looking at what those particular rules of the road are,
taking a close examination of the CFAA, the Computer Fraud and
Abuse Act, I think needs to be part of that.
Then the bigger thing--and this may be more of a political
question--but the reality is, is we have got to articulate a
deterrence strategy. Right now, our adversaries are operating
with impunity. Until we can raise the bar, raise the cost for
their behavior, induce changes in that behavior, we are going
to be playing defense the whole time. You know what? I don't
care what--and we have got the best companies in the world
here--but we are never going to be able to firewall our way out
of this problem.
We are going to have to be able to lean forward, and that
is going to include some policy decisions and integrate that
into our overall National security planning process.
Ms. Kolde. From a practice standpoint, again, looking
specifically to things that we can do to better defend and
educate, I think the information exchange is a really good step
forward. I think we should start looking ahead not only to see
how that is going to play out in practice, but what can we do
to exchange richer types of information, not just context
around the indicators themselves, but countermeasures and
recommendations for how to respond.
In addition, continuing to look for creative defensive
measures, technological as well as best practices from
individuals that we can continue to promulgate out in the
private and public sector for how networks can better defend
themselves.
Mr. Bromwich. I would also jump on that and say that an
additional--there is more work to be done on the sharing front.
I think we are doing a good job increasing the sharing that is
happening in industry. We would like it to be more of a two-way
street with Government. That would definitely be much more
helpful.
Then finally, just more--you know, a lot more education and
emphasis on the technologies that are out there that are
available, to encourage their adoption, to build awareness.
There still just is not nearly enough awareness of the
technologies that are available and how important the problem
is.
Mr. Donovan. Many of you hit on this, and the Chairman and
many of my colleagues spoke about anticipation of the new type
of attacks. I kind of equate this--because I am a layman--that
is this like a disease, we wait for the disease to happen, and
then we find a cure? Do we wait for attacks--because I suspect
there are different ways that people attack our systems--and
then try to figure out how to deal with it? Or do we anticipate
what is the next method of attack and try to protect ourselves
from that before it happens?
Mr. Bromwich. We definitely anticipate. I mean, everything
that we do is entirely focused on being proactive and ahead of
the threat. Unfortunately for many individuals and enterprises
and government, it tends to be very reactive. They don't put
the protection in place until they are hit.
Those protections are there. They are designed to be
proactive. We are constantly watching what is happening in the
threat landscape to understand where we need to go with the
technology so that we can get ahead of the attacker.
Ms. Kolde. I think a lot of the good anticipation comes out
of the security research community itself. In my career in IT,
everything is theoretical until it is not. So if you see some
of the briefings coming out of the private sector or the
commercial world at conferences like Black Hat, people who are
researching interesting new techniques, new ways to exploit
devices, new vulnerabilities that may show up on the horizon,
those start out as research and they become reality.
During the past year, we have seen an increasing number of
attacks against network infrastructure devices, people going
after routers. Those types of attacks were discussed at Black
Hat as far back as 2007 as part of the research community where
we are now seeing them in the wild.
Mr. Donovan. Thank you all. I yield back, Mr. Chairman.
Mr. Ratcliffe. I thank the gentleman. I now recognize
myself for 5 minutes.
I want to focus on some nation-state concerns, and I am
going to start with you, Ms. Kolde, because some of the trends
and developments have started in Russia, and you have talked
about that in your testimony a little bit. So I really have a
two-part question.
First part is: Is it concerning to you that Russia and/or
Russian actors seem less concerned about being attributed? Then
the second part of my question is: Based on James Clapper's
testimony and the establishment of a Russian cyber command,
what do you think the implications are of this? Is it a game-
changer for Russia? What is FireEye seeing in terms of threat
reporting in connection with that, if anything?
Ms. Kolde. I can speak most directly to the first part of
your question in terms of what we are actually seeing.
Historically, Russia has operated in a very stealthy manner.
They were always assumed to be very skilled at what they did,
but we typically did not see them operating.
What has changed over the past few years is that we have
had more visibility into their activity, there has been much
more public reporting of what they are doing, and despite that
public reporting, we do not see them changing their tactics. So
they are being talked about in the press and the media and the
security community, and they are continuing to operate.
We have also gotten to see some actors that we suspect very
strongly are Russian nation-state through some of our incident
response engagements. They have been extremely aggressive
within victim environments. Some threat groups when they are
detected will go silent and they will abandon the network, so
that they just disappear once you know that they are there.
We have had engagements where we have been working with
Russian threat groups where they fight very strongly to stay
within that network, and they do so with a great deal of skill
and adaptability that challenged even our responders to keep
ahead of them.
So they are very determined and they are very well-
resourced. Again, I don't see that changing operationally,
unless something specific would cause them to do that.
In terms of Russia establishing a cyber command, that
speaks more to policy, which is not my strong suit, but I think
it just shows that nation-states in general are going to
continue to see the cyber realm as a realm of engagement,
similar to any other military, economic, political forum, and
that is going to continue.
They have clearly stated their intent to keep playing in
that world, and they have the skill and resources to be a very
powerful player.
Mr. Ratcliffe. Let me--thank you. Let me shift to Iran and
something, Mr. Cilluffo, based on your research, as we all
know, the administration announced a nuclear agreement with
Iran and lifted a number of sanctions.
Can you give me your thoughts on whether or not Iran may
move beyond the denial-of-service attacks into more destructive
malware attacks against our critical infrastructure as a result
of that Iranian nuclear deal that I referenced in my opening
and influx of cash?
Mr. Cilluffo. Well, Mr. Chairman, that is the $64,000
question, because I do think there are some legitimate concerns
and considerations in terms of not only do they have additional
cash to be able to devote to building out their computer
network attack capabilities, but they had shown that they were
willing to turn to those tools for quite some time now.
Historically, Iran was home to one of the most
sophisticated hacking underground communities. The Ashiyane
network, and many others have been in business for an awful
long time. During the so-called green revolution, the way they
were able to turn to basically shut down access to anyone
inside Iran to the rest of the world was a clear indicator that
they have some of those capabilities.
I think most importantly, though, is that they are willing
to work with proxies. Clearly, when you look at the energy
sector in particular, this is an area I think we need to be
very concerned about.
Let me just underscore one point, because--and it gets to
the question on Russia, as well--when we think of cyber, we
can't treat it in isolation of the overall strategies and
objectives that these nations may have. So the Russian computer
network attack and Cyber Command capability is an extension of
what they have been engaging militarily, diplomatically, and
through other means for quite some time. To them, it is about
psychological operation. It is perception management, first and
foremost. It is computer network attack second.
Same goes with Iran. The big question is, is whether or not
cyber is off the table. Is it off the table? I think we need to
make explicitly clear that it better be.
Mr. Ratcliffe. My last question--thank you--my last
question--and I am going to try and give all of you a chance to
answer it--relates to something I said in my opening about the
fact that despite the increasing magnitude and number of cyber
attacks that we are seeing, we are seeing in my opinion little
response or a clear deterrent strategy from this
administration.
Now, if you agree with that opinion--you may or may not--
but if you do, what actions should the United States take, in
your opinion, to clearly articulate that there are serious
consequences for those types of actions?
I will go down the row. Start with you, Mr. Cilluffo.
Mr. Cilluffo. I have been pretty vocal on this, so I do
feel that we have not articulated and certainly haven't
demonstrated a cyber deterrence strategy. While I think there
has been recognition that we need to be moving in that
direction--and I think Secretary Carter, Ash Carter at the
Department of Defense has glommed onto this issue as a
priority, I think is important. But what is the litmus test?
Is OPM, the OPM hack, would that have been a litmus test to
be able to demonstrate a commensurate sort of response? I think
we have had enough of those litmus tests. So the question is,
is, if we articulate it, we better be willing to signal and
respond. So assuming that we do get our arms around this, we
better have the political wherewithal then to be able to
respond, and not only through cyber means.
At the end of the day, cyber is its own domain, but it
transcends air, land, sea, space. So the question is, is: Where
do we have the greatest strength? When are we willing to
utilize these tools?
Mr. Ratcliffe. I realize, Ms. Kolde and Mr. Bromwich, you
may or may not want to weigh in on that question, but feel free
to.
Ms. Kolde. Yes, I think the one step that is needed is
obviously a clear articulation of our policy. I won't
personally speak to what that policy should or should not be,
but we need to be clear about what that policy is and what we
may or may not do in response.
One thing I would like to point out with respect to that is
regardless of the consequences, if we are going to implement
some form of consequences, we need to be sure we are
implementing it against the right nation-state, the right
criminal group. The challenge there is in attributing an attack
and in being highly confident, fairly quickly, who is actually
responsible. That is a big challenge currently.
Mr. Cilluffo. I agree.
Mr. Bromwich. Yes, I would agree, the attribution is super
difficult. I think the only thing that I would say is that more
discussion and more diplomatic outreach so that we can better
find and prosecute criminals would be certainly helpful. Today,
many of these criminals operate outside of the realm of law.
Mr. Ratcliffe. Dr. Porche, I will give you the last word.
Mr. Porche. Thank you. I would say--and this has been said
by panelists here--just remembering that cyber space is one
domain. The United States military operates in many other
domains. So we have heard press articles talk about potential
Iranian hacktivists attacking a U.S. dam. I don't have any
information that says it is there. But what prevents nation-
states from taking action are the fact that they would have to
deal with the United States in other domains.
So it always has to include all domains, not just cyber.
Our response to a cyber attack may not be in cyber.
Mr. Ratcliffe. I thank you all for being here today.
Members of the committee may actually have some additional
questions for each of you, and I would ask you to respond to
those in writing. Pursuant to committee rule 7(e), the hearing
record will be open for 10 days. Without objection, the
subcommittee stands adjourned. Thank you all.
[Whereupon, at 3:20 p.m., the subcommittee was adjourned.]
[all]