International Trade Today is a service of Warren Communications News.
Cyberinsurance Backed

Government Needs To Do More to Squelch Cyber Threat, Says Sen. Whitehouse

The government must do more to defeat the “massive and worsening” cyber threat to parts of the U.S. infrastructure, Sen. Sheldon Whitehouse, D-R.I., said Tuesday at a Senate Crime and Terrorism Subcommittee hearing he chaired. Cyber crimes hurt companies’ bottom lines, he said. Crucial pieces of the nation’s infrastructure “have been probed by malicious actors” and “in some cases compromised,” Whitehouse said. “Even in times of budget cutting the cyberthreat is simply too dangerous to leave under-resourced.”

Skilled hackers work every day “to steal large volumes of information” and leave Americans at risk of identity theft, said Jason Weinstein, deputy assistant attorney general of the Justice Department Criminal Division. Cybersecurity has to be a national priority, he said. DOJ works closely with partners in government, provides legal support and helps with national security investigations, Weinstein said. “Due to the transnational nature of most cybersecurity incidents, close cooperation with foreign agencies is critical,” he added.

Botnets are often used to make money and disrupt access to critical national infrastructure, said Gordon Snow, assistant director of the FBI’s Cyber Division. “The FBI cannot combat the threat alone.” The bureau coordinates with the Department of Defense and the Secret Service, he said. The FBI also has staff members embedded in five foreign police agencies, Snow added.

Congress must do more to encourage security standards that bolster the progression of “secure by design” technologies, said John Savage, a professor at Brown University. Specifically, the U.S. government should require all large software vendors to adhere to new cybersecurity guidelines, he told the subcommittee. “Since it is better to build in security rather than try to add it after the fact, hardware and software vendors and network providers should be required to conform to reasonable cybersecurity guidelines.” Lawmakers should also support research that secures existing systems, improves intrusion surveillance, and encrypts data in such a way that computations can be done without ever decrypting the data, he said.

High security standards for the software and hardware industry are essential to reducing America’s cyberthreats, said Stewart Baker of Steptoe and Johnson, the first assistant secretary for policy at the Department of Homeland Security. “Right now there are very few barriers to a substantial increase in cyberattacks and cybercrimes,” Baker said. Baker advocated for better identification of users online and less reliance on technologies that increase vulnerability. He also asked lawmakers to increase the capabilities of law enforcement agencies to fight cybercrimes: “We will not solve this problem if we cannot realistically threaten to punish the people who carry out these crimes.”

Lawmakers should push information sharing policies that increase data collaboration among companies and governments, said Phyllis Schneck, McAfee chief technology officer. “Our overall key challenge is that the profit model favors the cybercriminal,” Schneck said. A policy framework that supports better collaboration would help “reduce the profit model for cybercriminals by making punishment more likely,” she said. Schneck also said lawmakers should increase funding to law enforcement agencies and adopt whitelist technologies to filter out malware. Whitehouse commended McAfee’s recent reports on the Aurora cyberattack, which targeted Google and 30 other companies, and the Night Dragon attack, which targeted oil and gas industry interests.

The witnesses agreed that incentives such as cyberinsurance could encourage companies to adopt stronger cybersecurity measures. Savage said that, much like workers’ compensation insurance, companies would voluntarily implement safeguards to reduce their risk and lower their rates. Schneck said cyberinsurance was a good idea but it hinges on the proper collection and analysis of actual data on cyberthreats.