The report from security firm Mandiant this week revealing that a twelve-story building in Shanghai, occupied by China’s military, was the source of cyber attacks on more than 140 companies, raised questions about America’s ability to defend itself against a nationally-sanctioned cyber threat.
“There are two companies left in America,” Congressman Mike Rogers, R-Mich., told Andrea Mitchell on Wednesday. “One is those companies that have been hacked and know it and two, the companies that have been hacked and don’t know it.” In fact, the Washington Post reported that nearly all government agencies, think tanks, and news organizations in the nation’s capital have been infiltrated by Chinese cyberspies.
The Mandiant report marks publicly what former Director of the National Counterterrorism Center Michael Leiter called “an absolute explosion of theft of U.S. corporate secrets and intellectual property by the Chinese” over the past couple of years in “what some in the U.S. intelligence community have termed the largest transfer of wealth in history.” Leiter spoke with MSNBC’s Andrea Mitchell on Thursday. But beyond the corporate espionage and intellectual property theft lies what may be a more critical target: the nation’s infrastructure.
The prospect of an attack on America’s power grid, water supply, or gas pipelines is devastating enough to be considered “a cyber Pearl Harbor,” as outgoing Defense Secretary Leon Panetta warned just last fall. With businesses failing to invest in adequate cybersecurity measures, Panetta laid the onus on Congress in the same October speech. “To fully provide the necessary protection, in our democracy, cybersecurity legislation must be passed by Congress,” he said. “Without it, we are vulnerable.”
Yet despite attempts in both the House and Senate, passing cybersecurity legislation remains elusive. The House managed to pass the Cyber Intelligence Sharing and Protection Act, introduced by Rogers, in 2012, but the legislation was struck down in the Senate amid privacy concerns. Rogers along with Rep. Dutch Ruppersberger, D-Md., the chair and ranking member of the House Intelligence Committee, reintroduced the legislation last week.
A more robust effort, the Cybersecurity Act of 2012, was batted down by Senate Republicans, chief among them Sen. John McCain. By allowing the Department of Homeland Security to oversee government information security operations, and by setting security requirements for companies presiding over critical infrastructure systems, the legislation sought to streamline and heighten security measures. But Republicans argued that it placed too much of a burden on the private sector to meet the new requirements, and allowed for too much government regulation.
Critics say that, while stronger than the proposed House legislation, the Cybersecurity Act was “watered down” in reaction to the heated debate over SOPA and PIPA legislation on internet piracy a year earlier. Web giants Google, Wikipedia, and Reddit organized protests and petitions, and even a service blackout. In response to the online protests, the House postponed a scheduled hearing and vote. The legislation has since languished.
With legislation stalled on the Hill, President Obama took unilateral action by issuing an executive order, signed on the day of his State of the Union Address earlier this month. Before members of the House and Senate that evening, the president warned of a “rapidly growing threat from cyber-attacks.”
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” Obama said.
The executive order allows for the federal government to share information about cyber threats with private sector industries that handle critical infrastructure, and calls on the Department of Homeland Security to establish cybersecurity standards over the next year. But adoption of these standards will be voluntary.
“I think what the administration has proposed will be a good step forward,” former Homeland Security Secretary Michael Chertoff said on Andrea Mitchell Reports Friday. “It will promote information sharing from the government to the private sector. It will help the development of voluntary standards. What it can’t do is open up the door to better sharing from the private sector back to the government and among the various parts of the private sector.”
“The problem,” Chertoff said, “is most of the assets are in private hands, and we have to operate collectively in order to defend ourselves. Otherwise, it’s like predators going after a herd. They look for the weakest member of the herd, and they pounce on that member, and then that puts everybody in jeopardy.”
“The info-sharing piece [of the executive order] didn’t go far enough,” said Paul Rosenzweig, a former Deputy Assistant Secretary for Policy at the Department of Homeland Security, in an intervew with MSNBC. (Rosenzweig is a senior adviser to Chertoff’s consulting group and author of ”Cyberwarfare: How conflicts in cyberspace are challenging America and changing the world.”) ”What was needed wasn’t in the president’s capacity to do without Congress. Telling the NSA and DHS to share more information with the private sector– that’s good. But if we weren’t doing it already, we’re dimwits. We really are. I suspect that was a lot of ‘keep doing what you’re doing, just better, stronger, faster, quicker.’ The game changer would be–and will be–if and when the private sector shares more information with the government and with itself.”
Rosenzweig also addressed the regulatory aspect of the executive order. “I think by the time this ends up setting cybersecurity standards, they’ll be out of date.”
“If I set standards at level one, they’re going to go to level two,” Rosenzweig said. “If I move to two, that just tells the bad guys to go to level three.”
In recommendations issued Wednesday, the Obama administration laid out a “Strategy on Mitigating the Theft of U.S. Trade Secrets” focused on addressing the cyber threat from other nations through diplomacy, bolstering defense capabilities by working closely with the private sector, and tougher prosecution of cyber criminals.
Leiter cited issues straining diplomatic relations between the U.S. and China on Andrea Mitchell Reports Thursday, including mounting tensions over North Korea’s nuclear ambitions, the civil war in Syria, and Iran. “These are all issues where the U.S. and China –and Russia for that matter–have to find common ground and cooperate. Now, cybersecurity absolutely is in the president’s top talking points, but whether or not he confronts them and says nothing else can work before we solve this cyber-security problem, I don’t actually think the administration is yet there,” Leiter said.