Michael Daniel, cybersecurity coordinator at the White House, Michael McCaul, chairman of the House Committee on Homeland Security, Raj Shah, senior director of strategy at Palo Alto Networks, join Stewart A. Baker, partner at Steptoe & Johnson, to discuss the state of U.S. cybersecurity. CFR President Richard N. Haass delivers opening remarks, outlining the urgency of cybersecurity as a U.S. national security policy priority. The panelists explore a range of issues related to U.S. cybersecurity readiness, including the security of critical infrastructure, federal government information, and private sector data. The discussion addresses the countervailing issues of privacy and national security, norm-setting in cyberspace, and countering state-sponsored cyber espionage.
This symposium is held in collaboration with CFR’s Digital and Cyberspace Policy Program.
HAASS: Well, good morning and welcome to the Council on Foreign Relations. I’m Richard Haass, and I’m fortunate enough to be the president of this outfit. And today we are dedicating the bulk of the day to issues related to cybersecurity. More specifically, we’re calling it Improving Cybersecurity in a Connected World.
I just wanted to say a few things. I will not—unlike many others in this town, I will not filibuster. (Laughter.) And then we will get on with it. I want to say one or two things, though, about this set of issues and this institution. CFR’s digital and cyberspace policy program now has a comprehensive research agenda. And the idea is to explore the links, interconnections, what have you, between and among cybersecurity, Internet governance, and such issues as data, privacy, and trade.
And what we’re trying to do and we’re committed to doing is working with the private sector, with government, this government and others, and civil society so that the policy recommendations reflect business concerns, privacy issues, and political and national security realities.
This institution was founded on the idea of policy-relevant work. And that is what we are trying to produce here. And what I want to communicate also is that this is a real priority. Like many of you, as I look around the world, I see Alton Frye. I see Jessica Mathews, Andrew Pierre. A lot of us cut our teeth on the arms control set of issues. Indeed, many of us look back on our misspent youths and wonder why we spent so many years counting warheads on launchers and arguing over the arcane features of this or that SALT or TNF or INF agreement. All right, that’s—what’s done is done.
But what was interesting about that period for us and some who came before us, it really was a time of tremendous intellectual creativity in the ’40s and ’50s, a little bit before us, which was with the Tom Schellings and Bernard Brodies and Henry Kissingers and others, who really came up with some of the basics of how to regulate and structure this new set of technologies called nuclear weapons. And out of that came deterrence theory, and out of that came arms control. And the whole idea was how to channel the good aspects of this and try to discourage or prevent the bad aspects of it. And some of that tension was obviously in the nonproliferation treaty itself.
I actually think the challenge that we’re dealing with today is related to that in some ways. It’s akin to that, though it’s incomparably more complicated simply because the number of actual and potential actors—the civilian uses of this are so many and so deeply entrenched. Yet the potential for all sorts of uses that would create heartburn and worse is great.
And this is a truly under- and in some cases unregulated area of international endeavor. To use a phrase that’s come into popularity in recent years of regime theory, the regime that deals with this is truly underdeveloped. And this is an area where, I believe, outsiders have something of an opportunity and something of an obligation to make—to contribute to the advancement of thought and policy in this area.
We’re trying to do just this. Craig Mundie, who’s here, has agreed to give a part of his time to us and to this set of issues. And he and I have been working together and talking about this for a number of years now. We’ll produce a report for the next administration. We’ve got a series of briefs on this subject, the fourth of which just came out, looking at technology supply lines.
We’ve got a blog up on our website, CFR.org, Net Politics—just finished its first year; over 180 posts dealing with the full gamut of issues. We’ve got the Internet global governance monitor, which has all sorts of features to it, from videos to issue briefs to interactives, that look at what is going on in this area; the web, if you will, of—no pun intended—of governance.
Adam Segal, who is the principal fellow here at the Council working this set of issues, I’m very happy to report, has just finished his manuscript on this called “The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age.” It’ll be published early in the new year, in 2016.
So what I’m trying to convey is that we’ve got lots going on, and we are committed to, again, contributing to the public debate and understanding of this issue. I mentioned Adam. We’ve got Rob Knake, David Fidler, Gordon Goldstein, Karen Kornbluh, Craig, and others. And what we think we’ve got is a critical mass of people who are coming at it from different directions, given their backgrounds and the constituencies involved.
The timing for this is good today in particular; just over a year left to this administration. Certain things are in the air, in the wind. But I wouldn’t exaggerate what’s been accomplished. What we’re beginning to see is more of a public and private debate on what ought to be the rules of the road. But it’s, shall we say, incomplete intellectually, and even more incomplete in terms of actual acceptance and implementation. There’s some enormous gaps there.
So I think there are some real questions for what ought we to try to accomplish over the next year, the remaining time of this administration. Indeed, the election is literally a year from this week, mercifully, or unmercifully, depending on how you look at things. And then it’s time to start thinking very hard about what the new administration and the next Congress ought to be doing on this set of issues.
The first session is on the state of U.S. cybersecurity. Secondly, then we’ll move to a conversation about cyber offense and rules of the road. Thirdly, we’ll deal with cybersecurity elsewhere, which will basically take a comparative look around the world to see how others are dealing with it. And fourth, and last, we will have a keynote talk from Secretary of Homeland Security Jeh Johnson about how things look from his large and important department.
So again thank you for coming this morning. I want to thank all the panelists and presiders who are going to share their insights.
And with that, let me turn things over to the first panel.
BAKER: Thank you, Richard.
And welcome to the audience, to this opening session of the Council on Foreign Relations symposium. As a reminder, this session is on the record. And we’ve covered that ground rule in advance with the panelists, who are a particularly distinguished group for this opening symposium.
Chairman Michael McCaul, on my immediate right, is the chairman of the Homeland Security Committee; has done a remarkable job of shepherding cybersecurity legislation through his committee and through his House.
Next to him is Michael Daniel, who’s a special assistant to the president and the cybersecurity coordinator, and has been for now many years. You look better than you should. (Laughter.)
And next to him is Raj Shah, who’s the head of strategy and corp dev now for Palo Alto Networks.
So a very sophisticated opening panel. And let me jump right to it. I’m going to ask about where we are in cybersecurity. And I think everyone will say, of course, our cybersecurity is better than it was five years ago. We work harder at it. We spend more money. But the bad guys are spending more money and they’re better at their jobs.
So my first question for each of you, starting with the chairman, is are we winning or losing, and why?
MCCAUL: I would say we’re losing, because the threat level has gotten so high recently. Our defenses—we’re very good at offensive capability, not so great at defensive capability to defend both the federal networks and the private sector. I think the OPM breach was a very good example of how we’re not able to defend as well as we should when you have 20 million security clearances stolen by, in my opinion, a nation-state, China, in an act of espionage; North Korea in the Sony attacks, and Target, Home Depot by the Russians in response to Crimea. It just seems like every almost week we’re hearing about some new attack.
The secretary of homeland security will come here later. His personal, you know, computer was hacked into; CIA director hacked into. Iran continues to apply destructive attacks to the financial sector. So it’s hitting at all points. The tempo has gone up, I think, tremendously, at a more dangerous rate. And that’s precisely why, working with Michael, we’ve tried to come up with this legislation in the Congress to respond to that.
BAKER: Michael, winning or losing?
DANIEL: So I would say that we’re not nearly making as much progress as we would like in this area.
BAKER: This is Pentagon-speak for losing. (Laughter.)
DANIEL: What can you say? I represent the administration. I think that, you know, if you look at the trend lines, you know, they’re particularly disturbing right now. You’re watching—we’re watching our adversaries become, you know, more sophisticated. And I don’t mean just in the tools that they use, right? They’re becoming more sophisticated in their organizational structure. They now run—many of the criminal organizations run this like a business. You know, the malware developers have help desks. You know, if your malware doesn’t work, you can call them up and, you know, they’ll help you out with it.
They’re becoming—you know, the threat surface is becoming much broader as we move into the Internet of things. So for those of us who have been doing this for a while, we thought that doing cybersecurity in a world of wired desktops was hard.
And then, three, you’re seeing them become more dangerous. They’re willing to move up the threat spectrum. As the chairman said, you know, you actually had a destructive attack on Sony. And then the nation-states are actually incorporating this tool into their toolkit for what they want to—for pursuing their interest in cyberspace.
So all of this together, in our view, means that we’re very much rapidly approaching a strategic inflection point where, for 40 or 50 years, we have been able to leverage cyberspace and the Internet as a strategic advantage, to drive economic development, to drive our military and intelligence capabilities, to drive human rights and democracy. And now, if we don’t start to actually deal with some of these cybersecurity problems and the inherent asymmetry there, we risk cyberspace becoming a strategic liability as well.
BAKER: Raj, winning or losing?
SHAH: Well, given the recent breaches that the chairman identified in both the government and the private sector, it’s very hard to say that we’re winning. It doesn’t look like victory. So my view is, again, given the advances of the adversary, again, the attack surface and how it’s expanded and they’re approaching it, you know, I don’t think—we’re certainly not winning.
Now, on the other hand, if we look at what the full range of losing could look like, right, we’ve been fortunate. The power grid has not gone down. Major public companies, while breached and suffered some financial loss, have not gone out of business. So I think we’re at a very interesting point where we have an opportunity, where we’ve recognized that this is serious. This is an existential threat to our way of life. But we have the opportunity to put in the right controls and protections before we see things like the power grid going down.
BAKER: Well, one of the signs that this is being taken seriously in Washington is that the administration and this Congress have agreed on something, which is passing an information-sharing bill. In fact, the Senate just finished its work. The House finished it long ago. It’s going to conference. I’m not sure I remember how that works. But—and it’s a relatively minor set of differences. The bills both say we’re going to get rid of certain outmoded privacy protections that prevented people from sharing information, put in other privacy provisions, and encourage everyone to share information free of fears of liability under these old laws. And that’s common across the bills.
The differences are minor but heartfelt. And I’m going to ask Michael Daniel first and then the chairman, among the contested issues, the differences between the bills, what’s your highest priority for fixing? What would you most want to see come out of conference?
DANIEL: Well, I think, from our perspective, you know, both of the bills actually—well, actually, all three, because there’s also a House Intelligence bill as well—so, you know, very much what we want to get out of those sets of bills is that reinforcement of the liability-protected channel with a civilian agency, DHS, and that operates near real time, sharing that information across the government, with really robust privacy controls.
I mean, I actually think that’s a goal that we share with both the House and the Senate. And I actually think that we’re, particularly—by the current standards of Washington, we’re actually very close. And I actually think that we’ll be able to get to conference and have the House and Senate pass a bill that the president can sign.
BAKER: Is there one provision on one side or the other of the bills that you really would not like to see survive in the conference?
DANIEL: I think that the main concern that we have is ensuring both that we meet several different tests, one of which is clarity. The feedback that we hear from the private sector quite a bit is that they want clarity, both of the rules that they operate under and how they want to interact with the government; who’s doing what in the government. And so what we don’t want is to muddy that up. We actually want to add clarity.
We also hear very strongly from the privacy community that this has got to be done in a way that still actually protects privacy and civil liberties. And we very much want to do that as well.
And then, third, importantly, it’s actually got to provide some value added, both on the government side and on the private-sector side and actually incentivize the companies to share information, and then the government actually provide some valuable information back to the private sector. So that’s really what’s driving us and what we want to see out of this.
MCCAUL: Well, I think first that he didn’t mention he likes my bill the best. (Laughter.) But, I mean, the first—I think it’s important—
BAKER: That might actually be true, from everything I’ve heard.
MCCAUL: Well, it’s—you know, I find it’s an odd, you know, bedfellow. We’re actually—we’re in a lot of agreement.
BAKER: I’m from DHS. I’m not used to having us be a privacy hero, but apparently we are.
MCCAUL: We are championing that at this point. But I think it’s first important to sort of understanding why this is important and what we’re talking about. We’re sharing malicious codes with the private sector. The private sector has about 80 to 85 percent of these codes, and they’re sharing these codes with the federal government.
And why is that important? Because if you don’t have the codes, the codes are the keys to either locking or unlocking the door to stop the intrusions coming from an enemy, whether it’s a nation-state, whether it’s hacktivists, criminal actors, whatever it is, to protect your network. So we want to provide this idea of a safe harbor at DHS within the NCCIC, which is cyber operations, which I codified last Congress, so that in all these agencies working together, with DHS as the storefront, not NSA or FBI—NSA can spy on you and FBI can prosecute you—rather a civilian portal that shares only for cybersecurity purposes only. So it’s safe to do that.
And what we do to enhance that is we add liability protection so that JPMorgan can share with Chase Manhattan without any fear of lawsuits, because currently your general counsel is going to go to you in big companies and say, you know, if you share this with somebody else you’re going to get a lawsuit, and I’d advise you against this. So we set a very high standard of liability protection so you can’t get sued. And this liability attaches both federal to private, private sharing with federal.
But I think, most importantly, to really enhance the sharing is private to private. And I think that was kind of a breakthrough in this bill. Last Congress the other side of the aisle objected to the liability protection. This Congress, thanks to the White House, actually went forward with the liability protection, which is key, and enhanced it a great deal. That, I think, will really foster and enhance that relationship of sharing the threat information and we hope go a long ways to protecting not only federal but private networks.
BAKER: And looking at the Senate bill, is there one provision that you think will be particularly difficult for your side of the aisle or for your committee to swallow?
MCCAUL: Well, first, I think they came a long ways. I think the privacy groups—I thread the needle between privacy and security in my bill. I got 355 votes in the House, which is pretty amazing. Their bill got much better, I think, by the end of the process. It was more NSA-centric in the beginning. It became more DHS-centric by the end.
And I go back to that storefront. You want the civilian portal as the face of this apparatus, not the NSA. NSA is in the back. And so it moved in that direction. They do—the only thing that concerns me is they kind of put—before DHS can be certified to do this, even though my bill that passed last Congress already does this, they put them on sort of probationary status of 60 to 90 days to demonstrate their capabilities. That’s putting a red light on current operations, which I don’t think—I don’t think that’s consistent with existing law. And I think that’s one of the biggest concerns I have.
BAKER: Raj, how much difference will information-sharing and elimination of some of these barriers to information-sharing actually make, do you think, in terms of our cybersecurity?
SHAH: I think it’ll be a very important thing and will go a great deal. And maybe I’ll explain my perspective on it by stepping back, by saying, OK, we’re in a situation where it’s a marketplace, right. The adversaries know that if you’re a criminal gang or if you want to steal innovation in IP, this is the best way to do it, right. And the cost of it, given Moore’s Laws and just reducing cost of technology, makes it easier and easier for the bad guys to be successful.
And so this is where information-sharing comes in is it begins to place monetary costs and pressure on the bad guys, right. So, for example, right now if you’re an adversary and I want to steal some credit-card data from Target, I can go buy an army of botnets. Maybe it’ll cost me a couple of thousand dollars and they’ll be using a specific vulnerability to be successful, have a specific signature.
Well, today, without information-sharing, I buy it once and I can use it on a hundred or a thousand companies around the world. And so I’m getting a lot of efficiency and leverage from my investment. Now, if we have real-time information-sharing and a way to automatically take that information and actually create a protection, now if I’m the bad guy and I buy that $1,000 piece of malware, I can use it once. And then once I use it once, everybody else gets that information and then they’re blocked. So it makes it more expensive for me as a bad guy. And I think, as we think long term, that’s the only way we can change the economics.
BAKER: So there’s been talk about near real-time sharing. It sounds as though you want real-time sharing for this to really work.
SHAH: Absolutely. In fact, there’s a—you know, we have a private-sector sharing alliance between my company and our competitors called the Cyber Threat Alliance, which does that in real time. We send malware samples back and forth and they get ingested and sent.
BAKER: And so can we start, just as we measure the war on drugs by the street price of cocaine, can we start measuring the success of our cybersecurity by the price per thousand of a botnet?
SHAH: I think that’s definitely a way to do it, or the value of it. I wouldn’t necessarily say the price, but the value to the adversary, meaning how much time and money does he have to spend to be successful?
BAKER: So one of the things that’s been really, I think, productive in the last few years is the extent to which we focused on trying to disincentivize the adversary. And as part of that, there was a widespread threat of sanctions before President Xi came here. And President Xi and President Obama reached agreement on a statement condemning cyberespionage for commercial purposes.
Since then, President Xi has sort of made a tour of the world, agreeing to that with the Brits and the Germans and others. So it’s now a kind of principle. That raises the question, since what we hear from the intelligence community is, well, it’s too soon to tell whether they’ve actually stopped stealing our secrets—and at least one report is out saying that nothing has changed on the ground or in cyberspace—that raises the question, are we going to impose sanctions?
And I’ll ask the—I’ll start with Chairman McCaul. Does the Xi-Obama agreement make sanctions more appropriate? Or does it mean we need to have a pause to give President Xi time to make his commitment felt in the lower ranks of the PLA?
MCCAUL: Well, I think the outcome is to give him time is my understanding, with an agreement that they will assist with prosecutions. My understanding is they have arrested several in China. I don’t know if those are more cosmetic more than anything. I mean, they denied that they had anything to do with the OPM breach.
BAKER: Well, and the OPM breach wouldn’t violate this undertaking in any event. It wasn’t commercial espionage.
MCCAUL: Well, that’s—well, it was certainly espionage.
BAKER: That’s for sure.
MCCAUL: And, of course, they say the individuals in China responsible had nothing to do with the Chinese government. I find that hard to believe. The attribution, interestingly, from both Anthem and Blue Cross, same attribution as the OPM breach, same big-data theft, which is clearly designed to exploit data for espionage purposes.
So, you know, what you do see, going back to the sanctions, you see cause-and-effect things here that I find interesting. For instance, when we started applying sanctions on Iran, they started heightening their cyberattacks against our financial sector. As we started negotiating with Iran, we saw these denial-of-service attacks go down. We saw the targeted Home Depot attack by Russia, organized criminal activity, in response to Crimea and what we were doing in Crimea. So you see world events with a cyber connection, a cyber-tied consequence to them.
The one thing that is lacking, I would argue, are no real rules of the game, no consequences in many cases. In other words, what consequences took place against China for this—the largest breach in United States history against the federal government? And that’s because we don’t have any well-defined roles. What is cyber warfare? Does NATO apply it? What’s a proportionate response? That’s all very unclear. And Congress hasn’t defined it by law either. I think you have to have a lot of discretion given to the administration. But it’s a very—I think, as the guy who kicked this thing off talked about, there are no rules of the game here. It’s ill-defined.
BAKER: So Michael, do you think that the Xi-Obama accord means that we need to wait on sanctions? Or does it mean that if we find somebody engaged in commercial cyberespionage, we now have a clear channel to say, well, nobody is defending you; we’re going to sanction you?
DANIEL: So I think, you know, from—if you take a step back and think about a couple of the key parts of that commitments that we reached with China that are actually really important, in my view, the first one of which is actually—you know, the very first part of the commitments are actually related to the agreement to investigate malicious activity that emanates from each other’s territory.
And that’s actually the first time China has admitted that any malicious activity emanates from their territory. Set aside the question of whether or not they’ve admitted that they as a government do anything. Their line has always been we’re just the victim. They’ve never actually admitted that any bad stuff comes out of China before. And so that, in and of itself, is actually a big step forward.
And then, as you rightly pointed out, they agreed to this norm on cyber-enabled economic espionage for commercial gain, which is a huge step forward. And they agreed to set up a high-level dialogue on our side from the attorney general and secretary of homeland security, which actually gives us a mechanism to talk about these issues specifically and try to make some progress on them about these cases that we’ve asked them to investigate or that they’ve asked us to investigate. And we’ve never had that direct kind of mechanism before. So as a result, I think it actually puts us in a much stronger position to raise these issues and, you know, have that kind of dialogue with China that we need. I for—
BAKER: That sounds like dialogue. It doesn’t sound like sanctions. Are you ruling out sanctions in the near term?
DANIEL: No, we certainly have not taken those off the table. And the president was very clear about that. I think that it remains to be seen how well China actually lives up to the commitments that they made. They have certainly undertaken certain action. And I agree with the chairman that the jury is still out as to whether or not those were designed just to make sure that they got through the summit without bad news or whether there’s—you know, whether it represents, you know, an actual change in their thinking. I hope it’s the latter. And I think it could be the latter, but that remains to be seen.
I think that we will have to continue using all the tools at our disposal to protect U.S. interests in this area, and we will do that at a time and place of our choosing, as both the national security adviser and the president were very clear on that subject.
I think that, you know, the relationship between the U.S. and China is an incredibly complex one. It’s probably one of the most complex relationships, you know, out there, just because of the size of our economies and our interrelationship. And I think that, you know, we’re going to continue to have areas where we cooperate and continue to have areas where there’s friction between us.
BAKER: So Raj, are you seeing a decline in Chinese-origin cyberespionage?
SHAH: I think it’s a—you know, attribution is always the most difficult thing when you’re looking at cyberattacks. So I guess I’m not well-positioned to say whether or not in recent times or recent weeks have we seen a change in Chinese attacks. I think what I would say though, to sort of piggyback on the previous conversation, is the private sector, there are certain types of attacks, particularly nation-state, that no matter how much you shift costs we’re going to suffer. And you know, by the fact of it being a private corporation, are limited in the types of things and reactions you can do.
And it’s those—for those attacks, where ever a broader partnership with the government I think is very, very important. There’s authorities and abilities that the government can do that a private sector company just cannot, but is required. Right? So you know, historical precedents, right, the U.S. Navy protects our shipping lanes to ensure free trade. The Marines used to, you know, protect some of our growers in nations. There is a role here for the government to ensure free commerce in cyberspace.
BAKER: So one of the questions that arises in this context of Rose and the DDoS attacks that Iran sponsored against the banks, was what the private sector can do. The private sector obviously can defend itself, but there was widespread dissatisfaction with the ability of the United States government to stop those attacks and to clean up the machines that were being used, often innocent third parties’ machines. And the question arose, could U.S. industry hire their own set of actors who could go in and clean up those machines? And we’ve certainly seen efforts to do that. There’s a router piece of malware that’s actually—I guess, I don’t know what you would call it, bene-ware—that is going around and cleaning up all of the holes in people’s routers. And so one of the questions that I have, and I guess I’ll start with Raj, do you think the private sector needs more authority to act when it’s under attack?
SHAH: So I know there’s several chief information security officers that would love that capability to take the fight back to the bad guy. But, you know, I think if you look at that holistically, it just don’t make sense, right? And it goes from escalation and attribution issues, right? So if you’re a company, you’re being attacked by, say, a Russian server, you don’t know is that really a Russian server? Is it a Vietnamese gang that has hijacked that server? And oh, by the way, that server also runs a hospital in Moscow. And so if you unleash some sort of attack you could bring that down. You know, now you’ve escalated things far beyond—
BAKER: Well, let me push you on that.
BAKER: Because we’ve certainly seen—Microsoft and a bunch of other companies went out and took over a bunch of botnets and got them to start taking orders from the U.S. government. And in that case, we didn’t know every computer or where it was, but we knew it had been infection, and that we could cure the infection simply by redirecting where it was getting its instructions. Why shouldn’t somebody who’s under attack with a DDoS be able to do that?
SHAH: Sure. I mean, I think it—again, it’s a matter of degree. And it can become a very slippery slope, right? So in that Microsoft case, it’s taking over the command and control, outbound versus going in and shutting down a system. There’s also—the FBI was involved as they did that. So they didn’t do it in a—in a vacuum. I think there’s just too much risk as a private corporation to do that. And then the liability—I mean, I don’t see any GC that would authorize that sort of activity. But, to your point, this type of activity’s important. And this is where the government has a role to play.
DANIEL: So I think that the idea of sort of the private companies exercising activities well beyond their networks, as Raj said, it’s a very dangerous path to go down. I think the questions of attribution are still very difficult. The questions of collateral damage are very strong because, as he said, the bad guys don’t tend to use, you know, servers labeled bad guy server. I mean, you know, they take over innocent third parties. And it’s very distributed.
I do think that the partnership that you mentioned there between—and some of the efforts—some of the botnet takedowns that have occurred, like the Gameover ZeuS botnet takedown is something that we actually ought to work on pursing and developing that capability to do on a much more robust level, at a great—a much greater degree of frequency than we can do right now. And I do think that it’s going to take a partnership between the private sector and the government in a way that we haven’t traditionally seen before. But I do think that limiting that is important.
BAKER: I think that’s useful. Let me just push on that. It’s easy enough to do it within the law with the FBI’s authorities inside the United States. But the FBI’s authorities outside the United States are modest, at best. So will effective action by the private sector and the U.S. government have to wait for 150 nations to agree on what the ground rules are for dealing with those botnets?
DANIEL: So, no, I don’t actually think so. If you—first of all, if you actually look at—if you take a look at, for example, where the botnets are actually distributed, it’s a much narrower set of countries. In fact, we tend to be the biggest—
BAKER: Yeah, we’re always—we’re number one. (Laughter.)
DANIEL: —the biggest culprits. Well, it’s the old line about why did—why do you rob banks? Because that’s where the money is, right? You know, it’s why do you use the United States? Because that’s where the computers are.
But the—I think that, you know, we are working very hard to develop better cooperation with key allies in this area to be able to take action where we—where we need to. And again, you know, we do reserve the right to protect U.S. interests. And there are maybe times when we need to take action. But I think that the—you know, in general, this is—this points to the fact that we need to develop much greater cooperation between law enforcement agencies so that we can take action internationally when we need to, at a speed that actually matters in cyberspace.
BAKER: Mr. Chairman?
MCCAUL: Well, I agree with most of the points. It’s not—it’s complicated. It’s not well-defined. A talk to a lot of companies that talk about how they get hacked into Silicon Valley, corporate espionage takes place. But under the law, hack-back is illegal. There’s a hack-back provision in the law that says you can’t do that. A lot of other countries don’t—they don’t play by the rules around the world that we do. And we’re losing. You asked if we’re winning or losing.
I think from the economic standpoint we’re losing because of all this corporate espionage going on, theft of IP, and these private sector companies are very frustrated because by law they can’t respond, even though they do the attribution, they know where it’s coming from, they cannot respond to that. And they believe that’s the role of the federal government. You know, that’s your role to respond. And I think you wisely pointed out, FBI’s got jurisdiction in the United States. But what happens when it’s across, you know, the ocean? So another foreign nation-state, for instance?
It seems to me, if it’s a nation-state, that the—that really ups the ante. And attribution’s hard to prove that, but if you can prove it’s a nation-state, that’s more of an active warfare and the military should be able to respond to that in some form or fashion. You know, how they respond, that’s ill-defined as well. But they are looking to the federal government for a solution. And I think as Michael pointed out, this is a new frontier. And we need to figure out how the federal government, working with the private sector, can help them respond to these malicious actors. Right now, it’s with impunity. There are no consequences. And the economic damage is great. And it’s hard to be competitive in a world where they go in and just steal all of your IP and you have no effective response to that.
BAKER: Let me pick on an attack where attribution doesn’t seem to be a problem, and it’s one that hasn’t got as much attention as it probably deserves. There was a denial of service attack on GitHub. GitHub had been making it possible inside China to read The New York Times, which as a series of stories on corruption in President Xi’s own family and obviously was not well-received in official circles in China. The denial of service attack was launched essentially, and according to Citizen Lab, by leveraging the great firewall that intercepts all communications between China and the rest of the world.
And so when someone from outside China asked for information from Baidu or some other site inside China, it got back a bunch of code. And the Chinese government, it would appear, simply inject some additional code that caused the computers in the United States, in Taiwan, in Hong Kong to start attacking GitHub. There’s nobody else who had the capability to inject on that scale. And it was a use of American computers to attack an American institution, because of its speech. Could hardly be more brazen.
I have heard of nothing that suggests the administration has plans to sanction that activity. And I wondered whether I just missed it.
MCCAUL: No, you didn’t. (Laughter.)
BAKER: No, OK.
DANIEL: Oh, you’re asking me. (Laughter.)
BAKER: That’s all right. I’ll let the chairman address it first.
MCCAUL: Well, and this is—I think you’re seeing a new phenomenon of suppression of free speech. I mean, this—you go back to the Sony attack, based on a movie which was actually quite funny, but not funny to the North Koreans, if you saw the movie. And it was—that was a very—highly destructive attack that shut down all their computers in a very malicious way, not unlike what Iran did the Saudi Aramco 30,000 hard drives. And so now you’re seeing, in this case you point out, yet another cyberattack to suppress speech. So now, you know, political speech is being, you know, fair game for cyberattacks now. And this is a new—a newer phenomenon that’s quite disturbing because anytime somebody politically disagrees with one of these totalitarian regimes, you’re going to see a cyberattack following that.
BAKER: Yeah, so we’ve seen—we saw that in the case of Sony, for sure. We saw that in the case of GitHub. I think we saw that in the case of Las Vegas Sands, which was probably an Iranian attack for remarks that Sheldon Adelson had made. So I—now, Michael, your chance to announce sanctions for the GitHub attack. (Laughter.)
DANIEL: So I think that—you know, certainly that’s an issue that we take very seriously and have raised with the Chinese government, and I think we’ll continue to press them on. I agree with—I agree with the chairman on this point, that you’ve—that this emergence, again, of—it fits with what I was saying about the emergence of the use of cyber as a piece of—as a part of statecraft. And these nations are pursuing that as—and using this tool. And I think it’s one that we will have to figure out ways to push back on. But I think that what it points out is we need to continue to expand the toolset that we have, that’s available to us, so that we can actually address all of these kinds of issues that are arising with a much broader array of tools and set of options that any administration will have going down the road.
BAKER: So, Raj, what options, what tools would you recommend to the government for dealing with these kinds of attacks?
SHAH: Well, before I answer that, one thing I’d want to highlight—right, so the title of this talk is Cybersecurity in an Interconnected World. There are tons of second-order effects that you have to realize when things like this happen, right? So GitHub is attacked. That affects far more than just GitHub, right? The vast majority of Silicon Valley startups and companies use GitHub to house their source code repository. So if you bring down GitHub, there are thousands of companies that can no longer do their job. So—
BAKER: Well, and the irony was that it was the connectedness that forced the Chinese to attack it with a denial of service attack. They first tried to shut it down, and every open-source programmer in China said, wait a minute, I can’t do my job if I can’t get to GitHub. So this interconnectedness sometimes works in our favor, sometimes against us.
SHAH: Right, so to me this is, you know, very much an economic issue, right? If you basically shut down a thousand startups and they say you can’t write any code, which is what their lifeblood is, this is a—this is a step where the government—you know, whichever agency has the right authority and under the right title to come in and stop that type of activity. You know, this was a very sophisticated attack, part of the great firewall. Very hard for an individual company to react to that.
BAKER: So I’ve had a lot of fun asking these questions, but it’s time for our audience to have just as much fun. So we’ll invite audience members to join in the discussion. If you could wait for the microphone and then speak directly into it, that would be great. And we’ll ask you to state your name and your affiliation. So, in the back. And I’m going to ask everybody to keep their questions short, and to the point, and in the form of a question. Thank you.
Q: Sure. So my name’s Charles McLaughlin. I’m affiliated with Censeo Consulting.
And my question is this, from—in this discussion and others I’ve heard, people who speak from the standpoint of the government talk a lot about the need for public and private partnerships to take this on. When I talk to private sector people, there’s much more skepticism. Is the government trustworthy and competent? Should I join with it? What’s really in it for me? So you’ve talked a little bit about what’s in it for the private sector. Can you talk more about what you’re seeing? Has the sort of runaway from government, is that a short-term blip, or is there a longer-term trend line if greater cooperation, or is that just something we’re hoping for?
BAKER: Well, why don’t we ask both Michaels to address that?
MCCAUL: Yeah, I mean, there’s a lot of distrust of the government in general out there. And where you share this information with the federal government, you know, that’s where the issue of privacy comes into play. And I think the reason my bill was, you know, passed by more votes was because of the privacy protections that Department of Homeland Security Office of Privacy, very robust, the scrubbing of PII, personally identifying information. So the guarantees put in place that nothing private would be shared, it’s just the codes themselves, and that the information shared to you from the federal government also has that same kind of protection. And what I hear from the private sector also, they don’t want any optics that the NSA is in their networks. These are people that do international business. A lot of them high-tech companies—Dell, in my district, particularly. If there’s any hint that NSA is in their networks, it kills their international business. And they’re talking about billions of dollars.
And this is the debate we’re having with the Senate right now, is that you have to have the storefront, again, being a civilian portal and not the NSA. If you put NSA as the face of this information sharing bill, you not only kill it from a, you know, businessman standpoint and private sector standpoint, but politically and policy-wise it will not pass the House of Representatives. And that was the thing we tried to navigate so well in the House, because of this concern about the government being in your networks. And that’s why I think we crafted—and it’s a voluntary program. You know, it’s completely voluntary. But we give the assurances of privacy, that we’re not going to share any private information.
DANIEL: So I think that over the long term this is a relationship that we have to figure out how to have. And I think that, as Raj has pointed out, there are things that the government brings to the table that the private sector simply will not. There are things that the private sector brings to the table that the government doesn’t have. And we need each other in this space. And I think what we’ve been trying to do with the legislation, what we’ve been trying to do with a whole bunch of other efforts that we have been doing across the board from our relationships with the financial services industry and the level of partnership that we’ve been trying to build there.
I think that this is a partnership that we are—that we are just going to have to—have to build. And I think it’s figuring out how to navigate those questions about privacy, how the government can demonstrate over the long-term that it can, in fact, protect information that the private sector shares with it, that it will honor those requests. And I think this is going to be a degree of trust that’s going to have to be built up over time. I think that we have actually been demonstrating this. And I think if you actually talk to a number of the companies that have, for example, dealt with either DHS, or the FBI, or others over the last few years in particular, I think they would tell you that there’s been a real shift in the government mindset about how we approach these relationships.
Q: Hi. Sean Legis (sp) with SCW (sp). This is a question for Michael Daniel.
From the very beginning of this information sharing legislation endeavor, the White House has been very caveated in its support for the legislation, as long as it protects privacy. And I remember when you guys put out your proposal several months ago for legislation you explained in great detail what you’re looking for in terms of the threat indicators and what has to be stripped when it’s shared. And I see parallels between that language that you guys proposed and the amendments that failed in—recently in the Senate. So I’m wondering how, given that, given that amendment after amendment failed to protect privacy in the vote, how you can still support the bill as is?
DANIEL: Well, I think if you look at the Senate bill overall, I think it does actually contain a number of very key privacy provisions and use limitations on how that cybersecurity information can be used. And it does impose certain requirements on the private sector. If you actually read the administration’s statement on that, we said that that is clearly an area that we want to continue working on, that we want to bring in, for example, as we go to—as we go to conference and the House and Senate negotiators work on that.
The administration will be pushing to ensure that there are very robust privacy provisions, bringing in stuff from the House side and making sure that we have those as strong as possible, while still making it—still making it functional. And that’s the balance that we have to take. I think what you really saw the administration saying with that is that, you know, on balance we believe that the Senate bill was a—was a big step forward and we wanted the Senate to pass that bill so that the House and Senate could actually go to conference and we could finally get this information sharing bill all the way done.
BAKER: Let me ask Chairman McCaul, I think one of the amendments that came closest to passing would have made the obligations in the private sector in the Senate bill much closer to what the House bill provides. So do you expect that to be a significant issue in conference, the provision that determines exactly what the obligation to strip out private information is? I think the Senate bill says you have to strip it out if you know that it’s private information and unrelated to cybersecurity. And your bill, if I remember, says you have to strip it out if you reasonably believe it to be cybersecurity—not cybersecurity related and private information. Do you expect that to be an issue?
MCCAUL: I think that’s one of many that will be debated. And I think the privacy groups are going to weigh in very heavily in this conference committee. And I expect them to, and I hope they do. I will say, though, as Michael pointed out, where we started was—so is essentially CISPA that was written before my bill that passed last Congress, even before that time. It did come a long ways in terms of the privacy protections and the focus on DHS. But I think there’s more work to be done on it. And, you know, we’ll have—and this is—you know, we’re going to be talking a lot with the White House trying to get there.
The other thing that I think will be interesting is, you know, the Cotton amendment, which provided Secret Service and FBI, went down very decisively. And so that raises the issue—that’s going to be a big issue at conference, because it you look at the HPSCI bill—
BAKER: Since it lost, why would it—why would it continue to be an issue in conference?
MCCAUL: Well, that’s what’s interesting. Because the HPSCI bill actually—the one that—the House Intel had those provisions in it. And I think that will be an interesting discussion at conference when you had a resounding defeat in the Senate on that measure.
BAKER: Very good. Mitzi.
Q: I’m Mitizi Wertheim with the Navy Postgraduate School. And I was lucky enough to be brought—I have no skills, but I was brought into the cyber community when Art Cebrowski recognized the Navy had to start thinking about it back in ’91, I guess, or even earlier than that.
I have to tell you, my angst on all of this is when someone attacks our electricity. And that’s bigger than what you—but my question is, how soon are the countries going to come together and do something comparable to we’re not going to use gas anymore in warfare?
BAKER: OK, so that’s a—that’s the norms question. And Ted Koppel thanks you for your plug for his book. Let me start with the chairman. How worried are you about attacks on the grid? And do you think there’s a prospect for an international agreement in which the people who want to attack us will agree not to attack us where we’re most vulnerable?
MCCAUL: Yeah, and I think this is what keeps you up at night. And they say, you know, the cyber—you know, the intellectual property theft is awful, and the espionage. But the cyberwarfare piece can be—the consequence is far more damaging than a one to two man ISIS operation in the United States. This can literally bring down, you know, the energy grid, you know, the banking institutions, you know, the stock exchange, cause chaos and enormous damage. I would argue that they’ve infiltrated many of our SCADA systems already and can turn the switch off. That’s the power that they have. You know, they were in OPM for over a year before we even knew they were in there—the Chinese. How long have they been in some of these critical infrastructures? We don’t know, to some extent.
And so this—and it gets into international law. I’m on Foreign Affairs Committee as well. I do think treaties—you have to have treaties with other nations that I will not attack you. Does NATO apply? I think it should. I mean, if one nation is attacked in the act of cyberwarfare—you have to demonstrate it. It has to be attribution, intelligence to prove it’s a nation-state. At that point in time, I would define it an act of cyberwarfare with an appropriate response. And your allies by treaty in the cyberwarfare as well.
Again, the kickoff speech to this talk about proliferation of nuclear weaponry, well, this is not unlike that, because now we have a proliferation of cyberwarfare techniques and tactic that can be bought, as Raj pointed point, on the open market. So you have rogue elements, rogue nation-states that are increasingly getting the capability to do this. I think it’s—it can happen today. It’s not in the future. It’s not some science fiction thing. It’s real today. And the capability’s out there today. And I think we have to come to terms with it. And we’re way, you know, behind the curve. We need to engage the international community more in resolving this.
BAKER: Raj, how serious is that risk?
SHAH: I think it’s a very serious risk and, unfortunately, one that’s going to increase, right, given the cost efficiencies and the capabilities you get by taking your legacy SCADA systems, which are old, proprietary control systems, and moving them to TCIP, the Internet. You can then, you know, control and monitor your equipment everywhere, great advantages. But now, it’s a new threat vector. So again, as I kind of said earlier, I feel like we’re at this threshold now where we recognize it’s a problem—recognize the problem of cybersecurity. And we must act now before we’re trying to re-bring the grid back up.
BAKER: So, Michael, this is an arms control issue in a sense, but one in which we are basically signaling our greatest weaknesses and hoping that we can persuade our adversaries that they shouldn’t use that against us. Given that some of our adversaries are not exactly bound by the international order as it stands. What are the prospects for getting some kind of norm on this point?
DANIEL: I actually think that if you—a couple points on that, one of which is that, you know, yes, we are sort of the most dependent in this area. But the economics that Raj points out works just as well for everybody else as it does for us. And so the rest of the world is headed in the same technology trends that we are, and that they can see the threat emerging for them as well. So if you actually look at, for example, there was a U.N.-sponsored effort, the group of—they call it the Group of Governmental Experts—that came out with a report this past summer that we strongly endorse. That one of the norms that they talk about in there is agreeing that you should not disrupt another country’s critical infrastructure during peacetime. That same report also affirmed that the law of armed conflict applies to cyberspace, just like it does in the real world.
All of these are the pieces that you need to start building and the foundation you need in the international environment to start building towards the agreement that nations won’t carry out those kinds of activities, particularly during peacetime. Now, that still doesn’t solve the question of some of the rogue states and other actors that want to cause mayhem. And that’s why you have to continue working on raising both your level of cyber defenses, but also your resiliency and ability to recover from incidents when they happen. And we need to be thinking about—you know, that’s why when you take a look at the NIST cybersecurity framework it doesn’t just talk about the defenses, the moats and walls and other things. It talks about the full spectrum, all the way from knowing what your network actually looks like and what it’s supposed to do when it’s in good shape, to being able to recover rapidly from it. You’re going to need all of those tools in order to deal with this environment that we see—that we see emerging.
And then finally I would say that, looking towards the future, and because I know that there are people like Craig Mundie in the office—in the audience, we’ve also got to think about how to fundamentally make cyberspace and the Internet more secure than it is now. And there’s been some thinking that has gone into that and some of the ways that we can actually build in that from the ground up. And as we—as we go forward, those are the kinds of investments that we’re going to have to make in order to continue to operate in this world.
Q: Charlie Stevenson, SAIS.
Chairman McCaul said that we’re better at cyber offense than defense. There have been reports that the federal government spends three or four times as much on cyber offense as defense. What’s the right ratio?
MCCAUL: Well, you know, that’s a—our offensive capability is vitally important to the defense of the nation. We have used it in the past and it’s very effective. It’s a very dangerous world. Russia’s in Syria now, and it’s very complicated. So we need those tools. I wouldn’t say I’d take away from that, but I think we need to—it’s not a ratio, but we need to bring up our defensive capability to our offensive capability. And right now, it’s not there.
One thing we haven’t talked about is—you know, we can pass a lot of laws, but some of the technologies I see coming out are very encouraging. That early warning detection—I just got a demonstration yesterday—that can see the threat coming before it even hits you so that you can protect yourself. Other ones can see a Snowden-like actor or somebody, like in the OPM breach, was getting old credentials and getting inside the system, and then those insider credentials were in there for about 14 months fishing around in the network before it was discovered. Now we have technologies that can identify aberrant behavior in the network so you know that that’s not tied to—that’s not the activity of this one user. And also we can compartmentalize, and so they can only get so far within a particular network. That would go a long ways at places like NSA and other intelligence community—well, all within the federal government to better protect not only from a breach on the outside, but if you have an insider threat to be able to immediately identify an actor that just it’s not making sense, it’s very—it’s aberrant behavior on the network and it immediately shuts them down.
BAKER: So that is the—that is the next step, it seems to me, in cybersecurity, is watching for this anomalous behavior. It’s already happening in the private sector. And every unusual act by someone with lower credentials or somebody going places he’s never been before to collect information is going to get flagged, which means that, it seems to me, government workers who are subject to that are going to be watched in ways they’ve never been watched before. It’s a kind of “1984” scenario, but it’s hard to avoid. And worse from a bureaucratic point of view, they’re going to be watched by some other agency. It’ll probably be DHS that would end up running that system. Michael, is that really what the future holds for cybersecurity and federal workers?
DANIEL: Well, I don’t think that it’s “1984.”
BAKER: It’s worse. (Laughs, laughter.)
DANIEL: I think—no, I don’t actually think so. I think that a lot of this is—I think it’s actually—I think the way you have to think about it is is a different—come at it from a different standpoint. And it’s not sort of the—this idea of actively monitoring, that you’re going to have security professionals sitting there just, you know, kind of trolling through the logs, seeing, you know, ooh, look at that, what did Frank do today. You know, that’s just not how this kind of system works.
It’s much more of the idea of using automated tools to identify behavior that—in most cases, when you actually look at the insiders that we’ve dealt with, very rarely do you get the there was absolutely nothing in this person’s background or behavior that gave any indication of this and it just totally came out of the blue. Usually what has happened is that people have noticed things and they just haven’t quite said something.
DANIEL: And so that, in my view, this is—this kind of technology will help our ability to actually get to those individuals earlier and will actually, I think, be able for us to focus our capabilities on—where we really need to, and actually increase the level of privacy and other things for the vast majority of the federal workforce while we’re doing it.
BAKER: Raj, how close did I get to your business model? (Laughs.)
SHAH: Look, there’s a dearth of cybersecurity professionals in this country and the world. Some would say, you know, close to—almost close to a million. And so automation, as Michael said, is absolutely key, and it’s sifting through vast amounts of data to do behavioral analytics, right? So by doing that, you can identify is an individual an insider and actually turning, is it an individual’s account that was compromised and is being hijacked by the bad guys, right? And this could be as simple as, you know, sending files at midnight to North Korea. That’s a very simplistic example, but you know, this is the type of things that you have to do in an automated fashion. So I don’t, again, think it’s “1984” and spying on folks. It’s, with this data-rich environment that we have, that’s how we’re going to find those needles.
BAKER: Yes, on the—on the aisle. I actually meant closer. Sorry. Sorry, Emily.
Q: Hi. I’m Alex Toma. I am the executive director of the Peace and Security Funders Group and a proud newbie CFR term member.
My question is, are there any existing knowledge gaps that we still have in this field? And if so, what are they?
DANIEL: Well, I can certainly take that. I mean, there are actually really huge knowledge gaps we have.
I will start with the fact that we know that the vast majority of intrusions rely on known fixable vulnerabilities. So the bad guys are getting into our networks through holes that we know about and we know how to fix. So then why the heck aren’t we fixing them? That’s a very interesting question, and it gets at issues of, I think, both human behavior and economics, and the incentive structure that underlies that. And we don’t understand that. We don’t really understand how people interact with the technology and why they fully make the choices that they do.
Raj mentioned the question of the shortage of cybersecurity professionals, right? That’s been true for, arguably, at least 10 years now. Why isn’t the market responding? It’s not like cybersecurity professionals are underpaid. It’s an incredibly lucrative business to be in. So why aren’t—why isn’t the pipeline expanding? Again, you have to start thinking about what are the structural barriers and impediments to that pipeline expanding. We don’t really understand that very well.
Another area that we don’t understand is we really don’t understand how all of these networks actually interconnect. We don’t really understand and have the ability to model or simulate yet what would happen if you actually took certain actions. What are the second- and third-order effects of an attack like on GitHub? And then you play that out over—and how soon do those second- and third-order effects show up? All of those are examples of things where we have a lack of information in there.
Then there are some others, particularly in the international space, about how you—questions about how we’re going to resolve some of these interesting issues of data jurisdiction. You know, now we’re in a situation, because of the way that information is stored and moved globally, that if a local French citizen commits a crime against another French citizen and a French magistrate wants to investigate that crime, he now has to come through the U.S. Justice Department because the data is stored somewhere here in the United States. Suddenly a purely local crime now has an international aspect. How the heck do we deal with that in this? None of our legal systems and international structures are built to deal with that kind of situation.
So I will stop there. But there’s clearly quite a great deal of work that could be done in a whole variety of areas.
BAKER: Oh, I saw a lot of hands now. I’m going to ask you to direct—to ask short questions and direct them to one person so that we can—we can get more questions in. And since I cut off Emily the last time, I’ll let her have the next question.
Q: Emily Frye, Mitre Corporation.
Narrow it down and one person—it’s you, Mike Daniel. Has there been thought given to this new, odd space? It’s a gray space that does not fit our existing categories, where it’s nation-state against private actor for a political end. What is our policy going forward as we face the next Sony?
DANIEL: So that’s a very good question and I think it’s one that we’ve been talking about a lot. I actually think you’re correct, that we will see more of that. And there’s been a great deal of discussion about how we actually construct an idea of how would you push back against that. How do you actually—you know, the president actually clearly came out after Sony and said that that kind of behavior is unacceptable, and that was part of the reason why we imposed sanctions on North Korea. But I think that this is an area, again, that we’re going to have to continue sort of working and developing, and working with our partners and allies to develop the rules of the road, and to put that kind of behavior beyond the pale.
BAKER: Yes, here.
Q: Thanks. Larry Clinton, Internet Security Alliance.
So two banks I’m familiar with have a combined budget for cybersecurity for next year of 1.25 billion (dollars). DHS’s budget is about 900 million (dollars). So those two banks are spending about 30 percent more than DHS, which is responsible for the entire non-defense sector of our government plus critical infrastructure, et cetera. So my question is, aren’t we—isn’t our government vastly underinvesting in cybersecurity? And if I could have a question, how do we fix that?
BAKER: OK. And you’re addressing that to, let’s say, Chairman McCaul?
Q: I’m addressing it to Chairman—
MCCAUL: Well, I guess we have the power of purse, so, you know. (Laughter.)
BAKER: Exactly. (Laughs.)
MCCAUL: This gets into—I mean, you don’t want me to get into the fact that we’ve been operating under a CR for how many years? I mean, we did plus-up the cyber in the appropriations—Homeland Security appropriations bill, cyber. We’ll have an omnibus coming down in December that I hope those—and I will work very hard to make sure those numbers are plussed-up because, you’re right, I think we’re—this is such a hot area right now, cutting edge, and we have to invest in our defenses. And to the gentleman’s point about, you know, putting all this stuff in our military offensive and not enough in the defensive, and I think—I think—I’d like to see it plussed-up.
You know, the knowledge gap, I mean, that’s—the bill is really designed to bridge that knowledge gap because, you know, the criminals share the malicious codes. The nation-states—the bad ones—share the malicious codes. But we don’t have the—we have no ability to do that because of these restrictions, because of the lack of liability protections. And we’re hopeful—it’s an experiment, but if we can fully harness this safe harbor and make it full participation, that by sharing it in real time—it has to be—the more we get machine-to-machine in real time, the better we’re going to be able to, you know, protect not only federal but the private sector that has most of this information.
But I’m sorry—
DANIEL: If I could just also, I think it’s also a matter of making sure that we are spending what resources we have in the federal government more effectively. One of the, what, two things that Congress did last year, both with the passing of an act called FITARA and as well as the FISMA modernization statutes that Chairman McCaul worked very hard on, we are hoping to actually—that will help the federal government stop spending money on what I refer to, the three-ring binders, the compliance exercise of generating lots and lots of paperwork that nobody actually reads, and, you know, redirect that to much more effective security activities. So it’s also a matter of making sure that we’re allocating the resources that we do have and spending the resources that are already there—making sure that we’re spending them on the highest-priority activities.
MCCAUL: And the Federal Defense Networks Act that’s in the Senate version—I introduced it in the House, but that should come together in the conference committee—that allows DHS to respond without getting permission, you know, slips from all the other agencies. And I think that’s going to, to Michael’s point, make it more effective and efficient as well.
SHAH: Speed of light rather than the speed of lawyers. (Laughter.) Yeah, I mean, that’s one thing—that’s the one thing I’d add, right—(laughter)—is that cybersecurity is something that’s evolving so quickly that, you know, a five-year refresh cycle or procurement cycle is insufficient to keep up with the—with the adversary, right? And so what we see from the private sector, too, is just how do you buy these technologies, right? In the private sector, with these banks, they’ll take the five best vendors and do an operational test on real data and evaluate the one that’s most suitable and have a quick acquisition. Whereas, you know, with our FARs in the acquisition process, it’s much more of a checklist exercise. And so I think that could, again make the spend that we do have as a government more efficient.
BAKER: All right. But if we have to fix all of federal procurement to solve this problem, we’ve got a long haul ahead of us. (Laughter.)
SHAH: Whatever it takes, right? (Laughs.)
BAKER: OK. In the white.
Q: Amy Nelson, Council on Foreign Relations.
If we could look back just for a moment, I’ve heard—I’ve heard the panelists say this morning things like we’re behind, we’re not winning, we need to expand, we’re behind the curve. And to some extent, we take these as a given. But what, if anything, went wrong? What was unforeseen about the rate at which these technologies are evolving? Thanks.
BAKER: Well, let’s start with Raj on that.
SHAH: Why did we get to the place that we are in terms of winning? You know, I think it’s—so this, I don’t think, is a government or private sector issue. It’s just the level of rapid change in technology and how quickly it became infused in everything we do and everything that a company needs to function, you know, I just don’t think people thought or were creative enough to think like the bad guys did, right? Like, for example, you look at the Target case. No one thought a group of hackers would attack a 20-person company in New Jersey to then take over and steal credit-card data from every Target store in America, right? And so I think it’s—the ingenuity of the adversary is forcing us to wake up. This is—this is a new realm.
DANIEL: And I would also say, you know, if you go back and you talk to some of the folks that helped design the original protocols that underlie the Internet—you know, like Vint Cerf and folks like that—they’ll tell you, you know, they never meant for this to happen; they just wanted to share some papers with each other, right? I mean, we’ve taken this thing that was designed for some professors to share papers and we’ve decided to run the world on it.
And I think that there was a failure of—to understand the risk that we were importing into our systems. There was a failure of imagination of understand that cyberspace operates by different rules than the physical world, and so that when we digitize certain kinds of information we radically change its threat profile. And nobody—and its vulnerability. And nobody has really—nobody really thought through all the steps behind that.
And then this happened so fast that, you know, it was difficult even for the private sector to respond. And so it’s not really surprising that this issue sort of got away from us in that—in that sense.
But I do think that, you know, it’s becoming much more of a clear—cybersecurity as a topic, certainly one of the things that I’ve noticed even just in the—in the time that I’ve been working this issue, and particularly that I’ve been in this position, I don’t have to convince anyone anymore that this is an important issue to talk about. That’s no longer the problem that we face, and that is actually progress.
MCCAUL: And I would argue the threat environment has grown faster than the awareness of the reality. And, you know, to Michael’s point, when you say cybersecurity, people don’t get glazed over anymore. They’re waking up to this. But, you know, a couple years back, how many companies would invest money in a CIO and how many companies would invest, you know, dollars in cybersecurity? How many companies would buy cybersecurity insurance? I think the insurance market is a market-driven force, if they apply NIST standards to get the insurance, that can go a long ways in protecting the private networks. And I think that’s a positive trend, but I think it’s awakening to what the threat is.
BAKER: In the back. Midway. Yes, right there. No, just in front.
Q: Hi. Kevin Sheehan, Multiplier Capital.
The director of the FBI and the head of the NSA are very concerned about the development of systems that allow for no breaking of encryption by the bad guys, even with a warrant. I know there’s been some movement in the White House on this issue, and I wonder if the panelists could speak to that.
BAKER: Sure. Let’s ask Michael Daniel to address that. (Laughs.)
DANIEL: Sure. So that was an hour in before we got to the encryption question. (Laughter.)
I think that, you know, what you’ve—clearly, you know, this is a—is a highly contentious, very charged issue. I think that, you know, the president has been very clear about the fact that there’s not a world in which we don’t support the development of strong encryption. It’s absolutely fundamental to all the things we’ve been talking about, about ensuring that we have the ability to operate in cyberspace and ensure the integrity and availability of systems.
At the same time, we are clearly facing the bad guys using this tool in a way to mask what they’re doing that is making law enforcement and our intelligence community’s job harder, and it has definitely changed the risk that we face. And so I think that the administration has clearly said that we are not pursuing legislation at this point because we don’t think that that’s an appropriate tool for addressing this problem, but we are going to continue engaging with our private sector and trying to look for solutions that can address particular cases when they emerge, and to enable us to address these issues in a way that allows us to deal with all the different equities that we have—both the public safety equities but also the commercial and economic issues, as well as the privacy and civil liberties issues, and our cybersecurity issues.
This is probably one of the thorniest issues that we face. And I think that it’s not just the United States that is facing this; it is one that most countries around the world will be facing. And I think that we are going to have to really spend some time thinking through how you continue to pursue all of those different equities that I mentioned, given the way that the technology is developing.
MCCAUL: If I could add, this is a very thorny and hot topic. Director Comey testified before my committee just last week, and I’ve been talking to FBI and Homeland about this issue.
Here’s the threat, and then what is the solution? Well, the threat is you have guys out of Raqqa, Syria on the Internet radicalizing individuals in the United States over Twitter accounts that they hop around on. And then, once they get the hook, they go into the dark platform—you know, Tor, Surespot, Kik, Ask.fm, all these—there are about 20 of them. Half of them are international. And so they go into what’s called dark space and they communicate in dark space. And even with the court orders you mentioned, we can’t see the communications. And so, if you can’t see what they’re saying even if you have a Title III or a FISA, you can’t stop the threat.
We’ve had several of these: the 4th of July plot, the Garland case, Chattanooga is one we’re studying right now. But it has become a very serious—the foreign fighter was a big issue, and now it’s this terrorism gone viral over the Internet that’s hard to get a handle on when you have thousands of people in the United States with these communications going on and we can’t see what they’re saying. We have over 900 investigations now active in the United States, 70 ISIS followers arrested last year. We’re doing a pretty good job stopping this stuff, but if you can’t see what they’re saying it’s very difficult to stop that.
So what’s the solution to this? Well, criminals are going to start using this too. So this is going to make wiretaps antiquated because they’ll go into dark platforms and
XXX END 80 XXX
XXX 80-89 XXX
Well, criminals are going to start using this too. So this is going to make wiretaps antiquated because they’ll go on the dark platforms and whether it’s a terrorist or just a garden-variety criminal, and you can’t get the evidence or stop bad things from happening.
We could amend this particular statute to include smartphones. I think the problem with that is you create what’s called a sort of backdoor to that device that the hacktivists could get into as well, not to mention the political dynamics of everybody in the country thinking the government is going to get into their iPhone. That causes a serious political issue. So we’ve been—I’ve been working with the administration and Silicon to try to come up with a technology solution to this. And I can tell you, it’s not easy.
And right now, there’s no real clear solution to it other than that we are really pressuring—there’s a court case right now with Apple, can they turn over the communications? They’re saying they don’t have the ability to do it. And these platforms are also designed end-to-end where they—even the companies that make they can’t get into these platforms and see the communications. And so we think there is a technology solution out there, but we’re working hard to try to find it.
BAKER: So, Raj Shah, this is an issue for people who care about security on corporate networks as well. If you create a TLS tunnel out of a particular computer all the way to Dropbox or Google Docs, it can get a mechanism for exfiltrating all the data that you’ve stolen. How’s the private sector dealing with that issue?
SHAH: Well, I think you have to separate it between a corporate enterprise whereby use of email and access to those computers you give up certain privacy expectation versus the consumer side, right? So in an enterprise company, there are, you know, decryption boxes in line that you can use to monitor those traffic to find malware, right? That’s not for surveillance, but for monitoring of malware. You know, on the consumer side, you know, kind of my personal opinion is that this ship may have already sailed on this, and that these large multinational companies have already put these technologies, you know, the chairman identified Apple, into their systems, and they’ve done so in response to the international needs.
BAKER: Marc Rotenberg.
Q: Thank you Stewart Baker. I’m Marc Rotenberg with the Electronic Privacy Information Center.
I wanted to thank you, Chairman McCaul, for your work on the privacy issue in CISA. It is a contentious issue, but I think it’s an important one because when we’re talking about data sharing, we’re ultimately talking about the customer and client information of a company that’s disclosed to the government. And certainly, there are a lot of people in the privacy community who still have doubts that this is the right way to go on the cybersecurity front. But I think what you have tried to do, which is to mandate a scrubbing of personally identifiable information may be the best way to do it if we’re going down this road.
But here’s my question: What mechanisms are in place to check the adequacy of those techniques? And I ask this question because in the technical community there’s a big debate about whether de-identification can be made to work. And we’ve had our own experience and complaints to the Federal Trade Commission involving companies such as Snapchat and Ask Eraser, who said that they could make text vanish or search history go away, and on close inspection in fact those techniques didn’t work at all.
BAKER: So the question, if I understand it, is how well will the extraction of private information actually work and how will we be able to make sure that it does?
MCCAUL: Well, in the bill—and thank you for your, you know, kind comments. We really worked closely with the privacy groups to make sure we were protecting those interests. But in the bill we provide a redundancy in the system. So we have an initial scrubbing, and then a second scrubbing that’s over—basically overseen by the Office of Privacy within the Department of Homeland Security. What you don’t have in any of these other agencies, you don’t have this Office of Privacy looking at the scrubbing of information. So we put a redundant system in there.
And I think finally—I mean, Michael can probably answer this better than I can, but you know, the automated scrubbing that we can get to, where it’s not—there’s no human error involved in it. But we want to get to the automated piece and then a secondary review by a person within the Office of Privacy to make sure that no private information is shared. Typically when we get the information, the PII’s already been scrubbed. And we have that requirement before it’s even sent, to have the PII stripped. So we just get the ones and the zeros and the codes. But—
DANIEL: Yes. And I would say that, you know, part of the idea here is that the automated system would actually only flag those issues where we have some question about it for, you know, secondary review. And then there’s actually a third—there’s actually a third layer in there, which is the use limitations that are included in the bills, which is—the purpose is—so even if you—even if some information ended up there inadvertently, it can only—the information is only being able to be used for cybersecurity purposes, so that the—what the government can then do with that information is also constrained. So the way that we’re trying to layer in the protections is to make sure that there’s sort of that multiple layers—multiple layers in there. And in I think at least a couple of the versions—and I can’t remember where it showed up—there’s also a requirement for a periodic review on the part of DHS and the privacy office there.
BAKER: So we are coming to the end of our time. We got time for just one short question. So on the—on the aisle, let’s have our last question.
Q: Hi. Dave Perera from Politico.
Michael, the phrase that the administration uses when it comes to encryption is: Not seeking legislation at this time. Why at this time? Why not just rule it out?
DANIEL: Well, I mean, first of all, obviously we can’t rule it out for all of time, right? There will be subsequent administrations, so—
Q: (Off mic)—this administration.
DANIEL: I think that the question for us is, you know, we don’t see much value in pursuing that course right now. And I don’t think that that’s going to change anytime soon. And I think we are focused on working and partnering with the private sector to actually discuss this issue further and really focus in on both the questions that we talked about before, about how we’re protecting both the equities of what’s happening in the private sector with commercial data, with cybersecurity, but also to the very real threats that we face and how do we actually deal with those in this world.
I very much want us to explore this and work on these issues now, rather than in the aftermath of something really horrible, because that’s not when we typically do our best legislating.
MCCAUL: Unfortunately, that’s when we do it.
DANIEL: Yeah, do it. And to make sure that it’s as thoughtful as possible as we work on this—as we work on this issue.
The other piece, from my perspective, is that you cannot escape the international dimensions of this—of this issue. This is not an issue that is solely confined to the United States. And the ramifications of what we do domestically have a huge impact around the world and have a huge impact on what our companies will be able to do around the world. And that’s something that we’re very mindful of.
BAKER: Well, that is the last word. Please join me in thanking an excellent panel. (Applause.)
This is an uncorrected transcript.