Experts Tell Congress Serious Deterrence Needed to Impede Foreign Cyber Attacks

The House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats typically is more concerned with economics and political issues than cyber attacks, but the members spent this morning in a hearing trying to come up with an answer to a fairly straightforward, but thorny question: What consequences are serious and meaningful enough that they will deter U.S. enemies from infiltrating the country’s networks?

The House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats typically is more concerned with economics and political issues than cyber attacks, but the members spent this morning in a hearing trying to come up with an answer to a fairly straightforward, but thorny question: What consequences are serious and meaningful enough that they will deter U.S. enemies from infiltrating the country’s networks?

After hearing from several witnesses and chewing the subject over, the members didn’t emerge with a solid answer, but there seemed to be consensus around the idea that national laws alone would not solve the network security problem.

In the opening panel, Dana Rohrabacher (R-CA) grilled Christopher Painter, the State Department’s Coordinator for Cyber Issues, about his office’s apparent inability to punish attackers in the hostile nations that support these sorts of activities. The Republican subcommittee chairperson from California was considerably tougher on Painter, the Obama Administration’s point man on cybersecurity, than he was on any of the other panelists.

Painter stressed the importance of convincing the global community that he U.S. cyber-worldview is the correct one and called on Congress and the administration to fully promote the Budapest Convention and its rules, claiming that it would help prevent the establishment of cybercriminal safe-havens by establishing strong cross-national cyberlaws.

He shrugged off suggestions that the Obama administration was not taking the problem seriously, citing the Lisbon Conference, where cybersecurity and allied information sharing were implemented as key components of NATO strategy, and a recent executive order issued by the president that is designed to protect national critical infrastructure.

When pressed by the subcommittee to draw a line where cyberattacks become acts of war, Painter made a connection between two types of conduct: devastating and outright attacks against the nation’s critical infrastructure, which would seem like an obvious act of war to most, and large scale intellectual property theft. He emphasized the need to protect against intellectual theft over the need to prepare for catastrophic cyberattack scenarios while downplaying the importance of drawing lines of war. This kind of theft needs to be universally condemned as unacceptable, Painter explained, and the countries outside of this value system need to be marginalized.

Painter also explained that the private sector necessarily carries the heavier burden when it comes to cyberattacks. Private sector companies own the infrastructure, they are seeing attacks that the government isn’t, he said. He readily admitted the government does not have all the answers but also called on the private sector to understand the full scope of the problem, and to know that the government is here to help when it can.

There was also a good deal of concern among subcommittee members about whether U.S. universities are training the computer scientists that turn around an attack our networks.

Mandiant’s Richard Bejtlich discussed the findings of his company’s APT1 report before calling on private companies to perform their own, similar network analyses. The time for watching is over, it’s time to talk, he said, explaining that the government needs to be more forthcoming with what it knows about these attackers and that private companies need to start seeing security spending as a continual and core business process.

When asked if APT1 was home to individuals with advanced degrees in security-related fields from U.S. schools, Bejtlich could not answer that question with certainty. He did, however, say that Mandiant had come across conference submissions that listed APT1’s unit number, 61398, as the organization for which they worked.

Greg Autry of the Coalition for a Prosperous America characterized cyberattacks as 21st century acts of war. He compared the relationship between American businesses operating in China and their host country to that of a domestic abuse victim, saying that American companies in China tolerate endless abuse in the fleeting and unrealistic hope that one day they may benefit from the enormous potential for profit that China’s populace represents.

“Why does China get a pass on their economic and human rights abuse?” he asked.

Like Bejtlich, he argued that the time for research is over, reasoning that we know enough as is and that we should stop analyzing and start doing. He called on Congress to enact a ban on the import of Chinese networking equipment, particularly that which is produced by the Chinese networking giant Huawei, who is constantly accused of stealing valuable data from the companies it services at the behest of the Chinese government.

The American Enterprise Institute sent Michael Mazza to the hearing, and he organized the ambitions of allegedly state-sponsored Chinese hackers into three categories: they engage in espionage in the pursuit of establishing a technical advantage, as part of an anti-access strategy to keep America at arms’ length and limit our ability to wage war against them, and to create strategic cyber-weapons that degrade the defenses of their enemies so that potential kinetic wars are more easily winnable.

Mazza endorsed the idea of deploying sanctions that would block China and the other known threat-actors’ access to valuable U. S. markets. He was also emphatic that the U.S. will lose the war if it only plays defense.

Christopher Painter SHFWire photo by Matt Nelson.

Suggested articles