International Trade Today is a service of Warren Communications News.

Underfunded Cybersecurity Can’t Outpace Hackers, Experts Say

The U.S. is shortchanging cybersecurity, failing even to do what researchers and companies want, which is to spend enough to keep pace with hackers, experts told a Wed. House Homeland Cybersecurity Subcommittee hearing. They painted grim scenarios of what hostile states and organized terrorists like al Qaeda could do -- not merely steal data or briefly hobble networks, but cripple key infrastructure for months. The gloom wasn’t uniform, though, with one expert dismissing the worst-case scenarios as unlikely thanks to diplomacy.

Chmn. Langevin (D-R.I.) blamed the Bush Administration for underfunding. The DHS Science & Technology Directorate told him it got only $13 million of $22.7 million budgeted in FY07 for its cybersecurity research, and the President’s FY08 budget cut funding to $14 million. Other programs have been cut in the FY07 budget, Langevin said -- $670,000 from the DNS security program, $1.6 million from the cyberattack defense and recovery program and the Secure Protocols for the Routing Infrastructure program “zeroed out” of a $2.4 million budget. “I don’t know who’s responsible for these cuts… but reducing this funding is a serious strategic error,” Langevin said. The Homeland Security Committee included $50 million for DHS cybersecurity R&D in its recent reauthorization bill, Langevin added.

Langevin scored DHS for delivering testimony “around 7:30 this morning,” badly blowing the committee’s 48-hour deadline. Agency witnesses at last week’s cybersecurity hearing did likewise (WID April 20 p1). “This is happening regularly from DHS and I know [Committee] Chairman Thompson is doing an internal investigation” on the holdups, he said: “We just can’t do business like this if we don’t have testimony in a timely fashion.”

Overall govt. cybersecurity is better but some agencies are doing worse, said Jim Lewis, Center for Strategic & International Studies technology & public policy dir. Military and intelligence networks are probably secure, as are a few civil agency networks, but “you can meet all the formal requirements [in agency security regulations] and still be vulnerable” to hacking, he said, adding that some legacy systems “for all practical purposes cannot be secured.”

Espionage is the greatest cybersecurity risk, and it’s cheap, Lewis said. Network disruption from such attacks is largely “hypothetical but I wouldn’t take too much comfort from this.” A 2003 govt. cybersecurity strategy should be updated to focus on streamlining -- making agencies follow best practices and centralized authority -- instead of just spending more, he said.

Better metrics are needed for analyzing cyber risk, Geer Risk Services principal Daniel Geer said. He recommended a “clearinghouse review” of metrics in use to find which aren’t helpful for making decisions. The govt. hasn’t built “from scratch” its own institutional expertise on cybersecurity, he said: “We have to steal them from other fields” such as civil engineering and the law. Agencies won’t share material until rules are prescribed for “technical de-identification,” to shield sensitive data, he said.

Networks grow more complex from business pressure to add new features, Geer said. About 30% of computers run unwanted software, according to his research -- a figure he called low compared with other estimates. “It’s not like we're trying to preserve innocence,” he said. Rep. Etheridge (D-N.C.) said: “You've scared me to death -- thank you.”

A simulated attack on infrastructure by the Cyber Defense Agency, a consulting company, showed the U.S. could be turned into a “Third World country overnight,” said Pres. Sami Saydjari, who also heads Professionals for Cyber Defense. The govt. should spend multiple billions on cyberdefense, which will spur more private sector involvement, he said. It would take $500 million and 3 years to start the program Saydjari envisions, and a special projects office to coordinate. He asked the committee to push for more than Langevin’s stated $50 million, to lean on agency chiefs for more discretionary funding and to create blue ribbon panels on cybersecurity.

“The good news is we're making progress,” said Douglas Maughan, DHS S&T Directorate program mgr.-Cyber Security R&D. His div.’s work with small business and universities has spawned 10 commercial products in 3 years. It’s working on more secure Internet protocols, detecting and mitigating attacks and insider threats and reducing vulnerabilities in “process control systems,” he said.

Lewis called himself “the skunk at the party” owing to his skepticism of the attack scenarios. Charlotte, N.C., basically went offline for a week a few years ago due to a snowstorm but the outage’s effects didn’t reverberate, he said: If the U.S. was a “feeble” European country “maybe we would collapse… but I think Americans are a little tougher.” Critical networks as a rule aren’t widely interconnected, Lewis said: “If you knock out one city or state or water company, you're not going to have a national effect,” especially in any military sense. But Saydjari said every network is in some sense “connected” to all others, and networks governing critical infrastructure are the least “sensored” -- that is, capable of detecting attacks or intrusions.

The U.S. has been “lucky” to not see cyberattacks in a “grander form,” Geer said. The NIMDA virus followed 9/11 by about a week, spreading faster than anything to date, he said: “No clown had the bright idea to chase” that virus with the E911 virus, which saturates a 911 console with calls and could have taken down 911 systems in “a couple hours,” he said. Lewis’s definition of “collapse” may only include system resilience, but the collapse of public confidence is a bigger threat, Geer said.

Cyberattacks can cause damage worse than simply taking down networks or stealing data, Saydjari said. “Rolling attacks” can wreck generators and blow up transformers, some made in Europe and taking months to replace. “You want to take the Internet down this afternoon?” Geer said. Cisco IOS software, widely used in its routers, can be attacked in such a way that a soldering iron would be required to fix the hardware, he said.

Saydjari told Langevin “rogue individuals” probably couldn’t bring off such attacks, which could cost $500 million and take 3 years to develop, but “a transnational terrorist group like al Qaeda certainly could.” In 2005, his group briefed DHS on the potential but heard no followup. Maughan clarified that the briefing occurred before the National Cyber Security Div., not his own directorate, but admitted that the directorate should expand beyond its physical assessments of critical infrastructure to more cyber analysis.

Why would a hostile state like China launch such attacks? Lewis asked. Interrupting the Internet for a week in the U.S. would be a “weapon of mass annoyance” at best, he said. China would feel a sharp backlash and decide “I'm not going to get any military benefit out of this,” he said.

Rep. Green (D-Tex.) asked about penalties for convicted attackers. “You're not going to be caught. It’s almost a risk-free crime,” especially if launched from abroad, Lewis said. So the U.S. can never be completely secure online? Green asked. The point is not perfect security but staying a step ahead of attackers, Lewis said. “All we can do is make it such that the people who want stuff… have to go somewhere else” to get it easily, Geer said. “This is not a one-shot investment,” but must be funded and improved over the years, Saydjari said.