Chairman McCaul Remarks at CSIS on Cybersecurity

March 17, 2015 4:37 PM

Safeguarding the Digital Frontier: The Way Ahead for American Cybersecurity and Civilian Network

The Honorable Michael McCaul, chairman of the U.S. House Committee on Homeland Security

Remarks as Delivered at the Center for Strategic & International Studies (CSIS)

March 17, 2015

As a Nation, we are finally beginning to grasp the magnitude of the cyber challenges we face, particularly as they start to hit home for millions of Americans. 

Just last month, our country’s second-largest health insurance provider, Anthem, announced it was the victim of an unprecedented cyber intrusion. The attackers gained access to a database holding the sensitive records of 80 million individuals, including the names, birth dates, and social security numbers. In total, the personal information of one in four Americans may have been compromised by that cyber attack.

Attacks like this are a wake-up call that our cyber adversaries have the upper hand and that the consequences will get worse if we fail to reverse the tide.

Today I want to discuss three issues with you, including:

  • The scope of the cyber threat our Nation faces;
  • The government’s cyber defense role, particularly at the Department of Homeland Security, and how we’ve been enhancing it;
  • And finally, some of my legislative goals this year to defend American cyberspace against destructive attacks and costly intrusions.

First, we must recognize that a silent war is being waged against us in cyberspace—and that we are losing ground to our adversaries.

The cyber landscape has shifted quickly. At the dawn of the digital age, our nation saw endless opportunities to generate prosperity by expanding our networks and connecting to the world. But today, American prosperity depends as much on defending those networks as it does on expanding them.

We cannot tolerate acts of cyber vandalism, cyber theft, and cyber warfare especially when they put our Nation’s critical infrastructure and secrets at risk—and when they compromise American innovation. Yet our cyber defenses have proven weak in the face of agile enemies.

As I speak, government computer systems are being hacked, proprietary data is being stolen from American companies, and the computers of private citizens are being compromised. And most of it is being done with impunity.

Criminals, hacktivists, terrorists, and nation-states have managed to exploit our networks by staying at the cutting edge of technology.  In the meantime, our defenses have lagged behind.

These faceless intruders regularly change their tactics and escape justice by masking their identities.  And usually they are operating beyond the reach of U.S. authorities. China, North Korea, Iran, and Russia are among the most advanced of our cyber adversaries, but even terrorist groups like ISIS are working to develop or acquire disruptive cyber-attack capabilities.

It is obvious that these threats are escalating in sophistication and destructive potential. We are confronted almost daily with frightening new precedents, including nation-states launching cyber attacks on our own soil. This happened at least twice in the past year.

Director of National Intelligence James Clapper recently revealed that Iran was behind a devastating 2014 cyber attack on Las Vegas Sands Corporation, the world’s largest gambling company.

And nine months later, North Korea used a digital bomb to destroy computer systems at Sony Pictures, an attack that was not only destructive but was a cowardly attempt to intimidate Americans and stifle freedom of speech.

The impact of cyber intrusions is felt across America—from kitchen tables to corporate boardrooms. The recent breach at Anthem illustrates how easy it is for ordinary Americans to become attack victims. This attack followed intrusions at Target, Neiman Marcus, Home Depot, and JP Morgan—all of which were designed to steal the personal information of private citizens.

But our cyber adversaries are not just seeking to steal Americans’ identities. They want our security secrets and our innovative ideas.  We were reminded of this over the weekend, when the State Department was forced to shut down large portions of its computer systems in an attempt to expel hackers who invaded our diplomatic networks.  They are believed to be tied to a foreign country.

Digital espionage extends into the business world.  We know that Chinese hackers, for instance, continue to breach corporate networks to give their own companies a competitive advantage in the global economy. And states like Iran have targeted major U.S. banks to shut down websites and restrict Americans’ ability to access their bank accounts.

Make no mistake:  such attacks are costing Americans their time, money, and jobs. In fact, General Keith Alexander, former director of the National Security Agency, has described cyber espionage and the loss of American intellectual property as “the greatest transfer of wealth in history.”

But the threat extends beyond the industrial engines that drive our economy to the critical infrastructure that supports our way of life.

Our adversaries are hard at work refining cyber attack capabilities that can shut down critical infrastructure, and they want to use these tools to threaten our leaders and intimidate our people—in both times of peace and times of conflict.

A major cyber attack on our gas pipelines or our power grid, for instance, could cripple our economy and weaken our ability to defend the United States.  These scenarios sometimes sound alarmist, but we must take them seriously because they grow more realistic every day.

In fact, we saw a preview of this in 2012 when Iranian-backed hackers hit Saudi Arabia’s national oil company, Aramco, destroying 30,000 hard drives and simultaneously hitting our financial sector in the same year. In fact, Iran is attempting to infiltrate our financial sector every day.

To combat these threats and live up to our obligations to “provide for the common defense,” our government must take a leading role in securing cyberspace. We cannot leave the American people and our companies to fend for themselves.

The digital frontier is still very much like the Wild West.  At this moment, there are far more cyber outlaws than convicted cyber-criminals—a clear sign that we have a lot of catching up to do. We are really in uncharted territory. Not since the dawn of the nuclear era have we witnessed such a leap in technology without a clear strategy for managing it.

To establish order and defend America’s interests in the digital domain, we must map out the rules of the road and clarify responsibilities inside and outside of government.

We are not quite there yet.  In fact, I would argue that we are in a pre-9/11 moment when it comes to cybersecurity. In the same way legal barriers and turf wars kept us from connecting the dots before the 9/11 attacks, the lack of cyber-threat information sharing is leaving us vulnerable to our enemies.

Between the government and the private sector, we have the information needed to limit cyber threats and stop fresh attacks. But we are not sharing that information. Critical information is not disclosed efficiently enough to stop cyber intrusions before they start or to shut them down once they have.

The danger of poor information-sharing is really not a hypothetical, it’s real. This month, the head of U.S. Cyber Command Admiral Mike Rogers warned Congress that our adversaries may be leaving “cyber fingerprints” on our critical infrastructure to signal their ability to attack our homeland. He believes that before he retires we are likely to see a destructive cyber attack against critical infrastructure.

If we are not swapping information about these threats, their impact is guaranteed to be more widespread and more severe. But the reality is that 85 percent of critical infrastructure is in the hands of the private sector. Because of this, collaboration between the government and industry is vital to homeland security.

Admiral Rogers had it right when he said that cybersecurity is the ultimate team sport. No single entity—in government or the private sector—can tackle these threats independently.  Each stakeholder must have skin in the game to prevail against attackers.

This is where the unique mission of the Department of Homeland Security comes into play. DHS serves as the primary civilian interface for sharing cyber threat information—and for good reason. DHS was created to stop terrorist attacks after 9/11 by connecting-the-dots, and it is well-positioned to do the same to stop cyber attacks.

The Department’s key tool is the National Cybersecurity and Communications Integration Center, or NCCIC, which is quickly becoming the tip of the spear for cyber threat information sharing between the government and the private industry.

Last year alone, DHS estimated that it received nearly 100,000 cyber incident reports, detected 64,000 major vulnerabilities, issued nearly 12,000 alerts or warnings, and responded to 115 major cyber incidents.

But we cannot measure its effectiveness in numbers alone. The NCCIC must actually improve and increase information-sharing, and to do that it needs to be a trusted partner to the private sector.

Its job in doing this is made easier by virtue of the fact that the NCCIC is not a cyber regulator, it cannot prosecute you, and it is not a spy agency. It’s a civilian interface. Accordingly, the NCCIC has no authority to do anything more with the information it receives other than use it to prevent and respond to cyber attacks and enhance our cyber posture.

During the last Congress, I led the efforts to strengthen our cybersecurity foundations, including landmark legislation authorizing information sharing at the NCCIC. And we managed to get five key cybersecurity bills passed into law, for the first time in the history of the Congress. This is now a starting point for our efforts in this Congress.

Importantly, we passed legislation supported by both industry and advocates for privacy and civil liberties. It was called a pro-security and pro-privacy bill; there are very few bills in Congress that can say that.

First, we established a federal civilian interface at the NCCIC to facilitate information sharing across 16 critical infrastructure sectors and with the private sector.

Second, we laid down the rules of the road regarding how information is shared.

Third, we assured that Americans’ rights and personal information will remain protected.

Fourth, recognizing that human capital will ultimately determine our ability to succeed, we positioned DHS to improve its cyber workforce.

And fifth, we enhanced the Department’s ability to prevent, respond to, and recover from cyber incidents on federal networks.

This brings me to my cyber agenda for this year. We made a lot of progress in 2014, but we still need to remove obstacles to information sharing while simultaneously protecting the privacy interests of Americans.

Right now, the lack of liability protection for the private sector is a problem. Companies are hesitant to share information about cyber threats and intrusions that take place in their networks. They fear that doing so could put their customers’ privacy at risk, expose sensitive business information, or even violate federal law and the duty they have to their shareholders.

As a result, the vast majority of cyber attacks go unreported, leaving others vulnerable to the same intrusions.  This is an urgent problem that needs to be solved now. The bottom line is clear:  if no one shares, everyone is at risk.

Distributing threat information should not be punished.  It should be encouraged, which is why we need to create legal “safe harbors” for companies to be able to exchange this threat information without fear of being sued.

Moreover, better information-sharing actually improves industry’s ability to safeguard our personal data by allowing entities to keep the prying eyes of hackers outside of our digital health records and bank accounts.

I am pleased to announce that we are aiming to resolve this dilemma and strengthen our cybersecurity foundations further.

This week, I am releasing the draft of a new bill that would further enhance the NCCIC’s role as the primary Federal civilian interface for the sharing of cyber threat information to enable timely, actionable, and operational efforts between the Federal Government and the private sector.

The draft bill would give protections for the voluntary exchange of cyber threat information, including “government-to-private” and “private-to-private” sharing.

For instance, if a major bank falls victim to a cyber intrusion, it would not be held back from sharing details of the attack with either the government or other banks and businesses—as long as the sharing is done through the appropriate channels and does not compromise the private information of customers and citizens.

Moreover, the draft bill would give liability protections for companies to monitor their own information systems, and importantly, to use defensive measures to prevent intrusions.

In the current environment, companies do not feel they have the adequate legal protection to take these measures. We’re not incentivizing them to be a full participant in the safe harbor and in the NCCIC.

Right now, we are working with the House Judiciary Committee on crafting a liability exemption standard that addresses these issues and will be used in other cyber information-sharing legislation in the House.

With this legislation, I also plan to continue our laser-like focus on privacy protections so that information-sharing can be done without risking exposure of personal data.

My draft bill would ensure when information about a breach changes hands—whether it is provided to the government or exchanged between companies—that it is thoroughly scrubbed for personal information so Americans do not have their sensitive data exposed.

It also would require the NCCIC to destroy any personal information that is unrelated to the cybersecurity risk or incident. I take that issue very seriously.

Fortunately, DHS has some of the strongest privacy protection mechanisms in the Federal government and has the first statutorily established privacy office.  Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges. In fact, privacy advocates already have endorsed the NCCIC’s role as an information-sharing portal.

The changes made by this draft bill will increase what we know about digital threats and, in doing so, will enhance American security.

Today we have a dangerously incomplete picture of the cyber weapons being used against us. More rapid and frequent information-sharing about these threats will give us the ability to head off cyber adversaries before they can do more damage—both to the public and to private networks.

The President has also proposed steps to enhance liability protection, and I was pleased that he did so because it moves the debate and the discussion forward on both sides of the aisle. I would submit though, that it does not go far enough on liability protection, which is why our bill aims to create more robust liability protections.

The Committee on Homeland Security will mark up this bill in the next few weeks. In the meantime, we will continue meeting with industry and private groups, as we always have, to ensure we are getting this right and crafting the best solution to tackle the surge in cyber threats we are all witnessing.

Our plan is to take this legislation to the House Floor next month, and when we do, we will be forward-leaning and eager to reach across the aisle to get it passed. 

This will be landmark. This will create how we deal with cybersecurity for the next decade. Now is the moment to take action.

These threats are not just looming on the horizon. They are not hypothetical, they’re real. They are already inside our networks, and they are putting our security and prosperity in peril. Safeguarding the digital frontier is one of the leading national security challenges of our time, and our generation will not back down from that challenge.

It is clear that we have been losing ground against our adversaries in cyberspace.  But better cyber threat information sharing will help us turn the tide and defend our networks against destructive intrusions.