“The administration will not name names” when it comes to serious breaches of cybersecurity in the government’s own data files and the silence raises “a significant concern” that Sen. Cory Gardner wants to change by requiring the State Department — at least — to come up with a publicly known cyber strategy.
Gardner, a Colorado Republican and chairman of the East Asia and Pacific Foreign Relations subcommittee, included language in the department’s authorization bill that would make that information “very public [of] who is doing what when it comes to national security.”
Speaking Wednesday at the American Enterprise Institute, a Washington, D.C., think-tank, he referred to that morning’s front-page story in The Washington Post that said the administration would not blame China for the attack that may have compromised the records 21.5 million people kept by the Office of Personnel Management.
China “has to understand we’re not going to accept that behavior,” he said.
He contrasted the silence over who did the OPM breach with the issuing of an executive order when Sony was hacked. He noted that in the recently completed strategic and economic talks between the United States and China, not one of the 127 agreed-on points addressed cyber.
Gardner said that the sanctions that followed that Sony hacking, levied against North Korea, and the 2014 indictment of five members of China’s People’s Liberation Army for hacking and economic espionage involving six U.S. companies (involved with metals and energy) did have an effect.
“What’s to stop them?” he asked, referring to the Chinese and other governments hacking commercial and public databases in the United States now. “Codify it.” Gardner said what is needed are agreed-to “rules of the road” covering cyber, which could be developed through the United Nations or other avenues.
Without an agreement, the “commercial sector reacting” to a serious breach “could set off a cyber arms race” by retaliating against the presumed attacker.
“We [in the federal government] don’t seem to have the same level of seriousness” as the Chinese, or even large American corporations, do about cyber security. President Xi Jinping chairs China’s cyber security committee and in the American private sector a number of companies established “trustworthy committees” with representatives from each department included.
Speaking after Gardner, Paul Tiao, of Hunton and Williams, a large law firm that does cyber investigation and advises businesses on cyber security, said there is a significant difference between criminal hacking aiming for “the low-hanging fruit” and government-sponsored hacking. “If they really want to get in, they will persist.” Although large private U.S. companies have strengthened their cyber defenses when another government is trying to breach their security, “the [United States] government needs to step in.”
“There is no wall high enough to keep these guys out,” Richard Bejtlich, of Fireye, a cyber security firm, said. What needs to be done is maintain persistence surveillance “to keep an intrusion before it comes a breach.” Breaches do not happen instantly, he added. “More realistically it takes a week.”
Gardner said a good start in the public sector “would be to identify what ought to be protected, what should not.”
Congress, he said, needs to examine how it is structured in dealing with cyber. In the Senate many committee and subcommittees have oversight responsibilities in areas as different as armed services and commerce.
Gardner suggested that creating a select committee dealing with cyber might be an answer. The members would be drawn from the chairs of committees already having oversight responsibility in cyber such as intelligence, foreign affairs, and so forth.
“Cyber is not the flavor of the day.”