Stewart Baker Testimony on DHS and Cybersecurity

I’ll be testifying tomorrow, September 11, about DHS’s progress in over a decade of existence.  A copy of the full testimony is here: Baker testimony to Senate Homeland Sep 2013. But I suspect that  the most interesting section concerns cybersecurity, which I’ve excerpted below.

Sometimes it’s easier to persuade the team to give you the ball than to actually run with it after you get it.  That is DHS’s problem right now.

“DHS seems to have successfully fended off the many agencies and committees that wanted to seize parts of its cybersecurity mission.  Recent presidential orders have given DHS a large role in civilian cybersecurity.  This is consistent with the Homeland Security Act, which clearly gave DHS authority over those issues, but that Act does not provide specific or explicit authorization for many of the cybersecurity activities that the Department is now carrying out, especially with respect to protecting critical infrastructure.  It is reasonable, then, to codify authority for DHS’s existing activities, thereby cementing the Department’s role for the future.  This basic step may seem obvious, but this is Washington, and doing the obvious is not easy.DHS

“That’s particularly true when the technology is changing as fast as our attackers change tactics.  When I left the Department, it was just getting started on Einstein – an effort to detect malware and other intrusion signatures aimed at the federal civilian agencies.  Deployment of Einstein is now widespread, covering perhaps 60% of the federal workforce.  Of course, detecting intrusions is not the same as stopping them.  Einstein 3A is meant to automate intrusion prevention, and it is just rolling out now.  What’s more, as security researchers have realized how hard it is to stop attacks at the edge of the network, watching inside networks has become a higher priority, and DHS has taken responsibility for deploying Continuous Diagnostics and Mitigation (“CDM”) technology to scan civilian networks for flaws and signs of compromise.  These are all necessary and very large programs that pose implementation and turf challenges.  Not surprisingly, some agencies have questioned whether DHS has the authority to do what is necessary, and providing a statutory basis for DHS’s programs would be a valuable contribution that this committee could make to cybersecurity.

“One problem that should be of particular interest to the committee is the risk of conflict between the Federal Information Security Management Act (“FISMA”) and CDM.  In essence, CDM performs many of the functions that FISMA requires.  However, FISMA envisions a paper-centered audit process that is far too slow for the current threat, while CDM performs its audits electronically, on a 72-hour cycle.  Everyone recognizes that CDM is better than a paper process, and FISMA should be modified to reflect changes in both the threat and the solution, as well as to make clear that DHS has responsibility for implementing the operationally demanding solution.

“These are all complex systems that DHS is essentially running for most of the civilian government.  That would be a challenge for an established agency with a veteran workforce, but DHS does not have nearly the number of trained personnel it needs.  Finding talented cyberwarriors is a challenge even for private sector firms.  Attracting them to the Department has been doubly difficult, especially with a hiring process that in my experience was largely dysfunctional.  The Department’s biggest challenge is hiring and maintaining a cybersecurity staff that can earn the respect of private cybersecurity experts.  There are bright spots.  Doug Maughan, in the S&T Directorate, has the respect of his counterparts at NSA and Goldman Sachs.  Phyllis Schneck, recently named as the Department’s deputy undersecretary for cybersecurity, has great technical and private sector credibility in the field.  DHS is on the right track, but the way is steep.  It must keep expanding its technically competent cybersecurity staff, because that is the foundation of all the other things it must do.  That likely means that it must have authority to hire workers in ways that do not fit the standard federal process.

“The other challenges for DHS in cybersecurity are many.  They include:

Building a clear relationship with NSA.

 “I am one of the few officials who has worked at a policy level for both the National Security Agency (“NSA”) and DHS.  There are certainly days and even weeks when I feel like the child of a troubled marriage.  But the fact remains that the outlines of a working relationship between DHS and NSA are obvious.  As a concerted campaign of leaks has left NSA reeling and mistrusted by the public, it must be clear that on cybersecurity matters affecting the civilian sector, DHS is calling the policy shots.  At the same time, DHS must rely heavily on NSA’s technical and operational expertise to succeed. This fundamental truth has been obscured by personalities, mistrust, and impatience on both sides.  It’s got to end, especially in the face of adversaries who must find the squabbling email messages especially amusing because they are reading them in real time.

Gaining authority to insist on serious private sector security measures.  

“DHS has plenty of authority to cajole and convene in the name of cybersecurity.  It’s been doing that for ten years. The private sector has paid only limited attention.  In part that’s because DHS had only modest technical expertise to offer, but it’s largely because few industries felt a need to demonstrate to DHS that they were taking its concerns seriously.  I fully recognize that cybersecurity measures do not lend themselves to traditional command-and-control regulation, and that information technology is a major driver for economic growth.  But the same could have been said about the financial derivatives trade in 2007.  We cannot allow the private sector to cut costs by vastly increasing risk, whether in cybersecurity or in financial markets.

“Sometimes the businessmen arguing against regulation are wrong – so wrong that they end up hurting their own industries.  I believe that this is true of those who oppose even the lightest form of cybersecurity standards.  Even on their own terms, the businesses lobbying against a substantive cybersecurity bill are likely to fail.  Most of the soft quasi-regulatory provisions business groups rejected last year in talks with the Senate were incorporated into an executive order that they had little ability to influence.  Those provisions will in turn become the basis for future, harder regulations, particularly if Congress delays action until we have a cybersecurity meltdown.

“For now, however, it will be up to DHS to use the soft authorities and the mandate conferred by an executive order with energy and wisdom.  And, to be candid, that is a big enough job for the near future.

Action beyond the legislative and executive order.

“The legislative stalemate does not mean that DHS can only improve cybersecurity by pushing the private sector to do things it doesn’t want to do.  There are many other steps that DHS could take to improve cybersecurity without touching the regulatory third rail. Here are some:

Information-sharing.  Everyone understands why the targets of cyberattacks need to share information.  We can greatly reduce the effectiveness of attacks if we use the experience of others to bolster our own defenses.  As soon as one victim discovers a new command-and-control server, or a new piece of malware, or a new email address sending poisoned files, that information can be used by other companies and agencies to block similar attacks on their networks.  This is not information-sharing of the “let’s sit around a table and talk” variety.  In a world of zero-day attacks and polymorphic malware, it must be automated and must occur at the speed of light, not at the speed of lawyers or bureaucrats.

“I supported the Cyber Intelligence Sharing and Protection Act (“CISPA”), which would have set aside two poorly-conceived and aging privacy laws that made it hard to implement such sharing.  I still do.  But if CISPA is blocked by privacy groups, as seems likely, we need to ask whether the automated system we need can be built without falling foul of those aging privacy laws.  A more creative and determined approach to the law is needed.

“To take one example, many of the privacy rules that restrict sharing can be waived if a service’s customers consent to the sharing.  Since the purpose of the sharing is to protect the cybersecurity of those same customers, they are highly likely to consent in large numbers.  Working with government, service providers could find ways to obtain consent to a data-sharing regime designed to protect both privacy and cybersecurity – all without amending existing law.

“This committee can move information-sharing forward by calling on DHS to lead an interagency effort that would work within existing law to improve information sharing by considering the adoption of statutory interpretations, standard customer terms, and other techniques that serve everyone’s interest in better cybersecurity.

Emphasize attribution.  We will never defend our way out of the cybersecurity crisis.  I know of no other crime where the risk of apprehension is so low, and where we simply try to build more and thicker defenses to protect ourselves.  We started on this Maginot Line exercise because attribution of cyberattacks seemed too difficult; attackers could hop from country to country and server to server to protect their identities.

“But that view is out of date.  Intelligence agencies have stopped trying to trace each hop the hackers take.  Instead, they’ve found other ways to compromise the attackers, penetrating their networks directly, observing their behavior on compromised systems and finding behavioral patterns that disclose much.  In short, we can know who are our attackers are.  We can know where they live and what their girlfriends look like.  That’s because it’s harder and harder for hackers to function in cyberspace without dropping bits of identifying data here and there.  The massive amount of data available online makes the job of attackers easier, but it can also help the defenders if we use it to find and punish our attackers.

“Sometimes the best defense really is a good offense; we need to put more emphasis on breaking into hacker networks and gathering information about what they’re stealing and who they’re giving it to.  That kind of information will help us prosecute criminals and embarrass state-sponsored attackers.  It will also allow us to tell the victim of an intrusion with some precision who is in his network, what they want, and how to stop them.

“Again, this committee can put DHS at the center of a new emphasis on attribution.  Its Computer Emergency Readiness Team and intelligence analysis arms should be issuing more detailed information about the tactics and tools being used by individual attack units and fewer bland generalities for local law enforcement agencies.

Move from attribution to deterrence. The committee could also perform a service by calling on DHS to take the lead in identifying ways to use attribution more effectively to deter cyberattacks.  There are many ways to improve deterrence.  While the administration has become more open about identifying Chinese cyberattacks as a particular problem, the Snowden affair has made “naming and shaming” less effective in this context.  Instead, we should be looking for other ways to identify individual attackers and their enablers and then bring U.S. legal pressure to bear on them.  This is a target-rich environment:

  • The Magnitsky Act, passed in 2012, imposes trade sanctions on Russian officials for human rights violations they committed in Russia.  Yet government-sponsored hackers have been violating the human rights of Americans in the United States, spying on and sabotaging Tibetan rights groups, for example.  How can it be that we are doing more to punish human rights violations in Russia than right here at home?  Sanctions of this sort can be imposed on the basis of intelligence that remains classified, and it does not require legislation.  It requires only that the Administration consider cyberattacks to constitute an economic emergency.
  • Some of the hackers identified publicly by private security researchers do business in the West.  Others  may have jobs with Chinese multinationals.  Some got their start as hackers at Chinese universities.  This creates an opportunity.  Foreign multinationals and universities need visas to come to the United States.  Before we issue visas to entities that have hired or enabled the hacking of American companies, we should require them to cooperate in our efforts to identify and penalize hackers.

“Use DHS law enforcement authorities more effectively. The law enforcement agency most associated in the public mind with cybercrimes is the Federal Bureau of Investigation (“FBI”).  This is a little odd because two DHS law enforcement agencies, the Secret Service and ICE, both have strong cybercrime units and may between them handle as many cases as the FBI.

“My concern is not who gets the credit for these investigations.  But we cannot let law enforcement determine our cybersecurity posture.  Agencies like the FBI and Secret Service only occasionally solve hacking cases, and even more rarely are they able to actually arrest the hackers.  If they are allowed to hoard evidence of cyberintrusions, we may lose valuable intelligence about the intruders’ tactics and targets.  This committee should consider legislation calling for a coordinated approach to all computer intrusions to ensure that detailed information sharing occurs across agency lines.  At the same time, it is often law enforcement that tells businesses they have been compromised.  This is a “teachable moment,” when all of DHS’s cyberdefense and industry-outreach capabilities should be engaged, talking to the compromised company about the nature of the intruder, his likely goals and tactics, and how to defeat them.  But that happens less than it should, judging by the experience of my clients.  A deeper, Congressionally mandated coordination would make these encounters far more useful to the private sector.

“Finally, I fear that letting law enforcement take the lead on a case-by-case basis means that investigations are not being prioritized in ways that would maximize their intelligence value.  (Since these investigations rarely lead to prosecutions, using criminal authorities to gather information about attackers should be a particularly high priority – even when there is no prospect of criminally prosecuting the attackers.)  While interagency coordination with the FBI can be a challenge, coordination between DHS’s cybersecurity offices and the ICE and Secret Service investigators also seems to be equally ad hoc at best.  This committee should consider requiring DHS’s law enforcement agencies to work computer crime cases under the coordinating and deconflicting authority of the National Protection and Programs Directorate (“NPPD”) to ensure strategic use of law enforcement authorities and proper sharing of information.

Recruit private sector resources to the fight.  In my private practice, I advise a fair number of companies who are fighting ongoing intrusions at a cost of $50,000 or $100,000 a week.  The money they are spending is almost entirely defensive.  At the end of the process, they may succeed in getting the intruder out of their system.  But the next week, the same intruder may get another employee to click on a poisoned link and the whole process will begin again.  It is a treadmill.   Like me, these companies see only one way off the treadmill:  to track the attackers, to figure out who they are and where they’re selling the information, and then sanction both the attackers and their customers.  But under federal law, there are grave doubts about how far a company can go in tracking their attackers.  I think some of those doubts are exaggerated, but only a very brave company would ignore them.

“Now, there’s no doubt that U.S. intelligence and law enforcement agencies have the authority to conduct such an operation, but by and large they don’t.  Complaining to them about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle.  You might get a visit from the police; you might get their sympathy; you might even get advice on how to protect your next bicycle.  What you won’t get is a serious investigation.  There are just too many higher priority attacks.

“In my view, that’s a mistake.  The United States should do some full-bore criminal and intelligence investigations of private sector intrusions, especially those that appear to be state-sponsored.

“But if we want a solution that will scale, we have to let the victims participate in, and pay for, the investigation. Too many government officials have viewed private countermeasures as a kind of vigilante lynch mob justice.  That just shows a lack of imagination.  In the real world, if someone stops making payments on a car loan but keeps the car, the lender doesn’t call the police; he hires a repo man.  In the real world, if your child is kidnapped, and the police aren’t making it a priority, you hire a private investigator.  And, if I remember correctly the westerns I watched growing up, if a gang robs the town bank and the sheriff is outnumbered, he deputizes a posse of citizens to help him track the robbers down.  Not one of those solutions is the equivalent of a lynch mob. Every one allows the victim to supplement law enforcement while preserving social control and oversight.

“DHS very likely has sufficient authority to try that solution tomorrow , as does the FBI.  DHS’s law enforcement agencies often have probable cause for a search warrant or even a wiretap order aimed at cyberintruders.  But they rarely have the resources to use that authority fully and strategically against the intruders.  I know of no legal barrier to relying on private resources to conduct a deeper investigation under government supervision. (The Antideficiency Act, which prohibits acceptance of free services, has more holes than my last pair of hiking socks, including exceptions for protection of property in emergencies and for gifts that also benefit the donor.)  If systematic looting of America’s commercial secrets truly is a crisis, and I believe that it is, why have we not already done this?

“I understand the concern expressed by some that we cannot turn cyberspace into a free-fire zone, with vigilantes wreaking vengeance at will.  No one wants that.  Government should set limits and provide oversight for a true public-private partnership, in which the private sector provides many of the resources and the public sector provides guidance and authorities.  The best way to determine how much oversight is appropriate is to move cautiously but quickly to find alternatives to the current failed cybersecurity strategy.  Again, this committee can move the ball forward by authorizing DHS and its law enforcement agencies to develop a pilot project — working with hacking victims and their security firms to use government authorities in a cooperative fashion.

Use existing funds to improve state and local cybersecurity preparedness.  There may still be low-hanging fruit in the Department’s budget to improve cybersecurity.  For example, we can make it easier for state and local governments to use existing grant funding to beef up their cybersecurity.  Over the last decade DHS has provided billions of dollars to state and local governments to fund the purchase of a wide range of security capabilities.  Cybersecurity tools – from installing basic firewalls to deploying advanced defenses that rely on virtual “detonation chambers”  – are allowable purchases, along with hazmat suits and interoperable communications tools.  However, DHS can do more to encourage state and local governments to spend grant funds on cybersecurity, and Congress should support those efforts.”