To protect critical U.S. infrastructure from cyberattack, we have to first define a cyberattack and a strategy to deter it, Texas Republican Rep. Will Hurd said Thursday.
“It starts with, what actually is a digital act of war?” Hurd said on a panel discussing the threat to the U.S. power grid hosted by The Christian Science Monitor Thursday. “What is our countermeasure?”
Hurd, one of only a handful of lawmakers with a degree in computer science, said while there have been conversations across government about what constitutes an attack and what could be interpreted as intelligence gathering in cyberspace, there’s been no agreement.
The former CIA operative said if North Korea executed a missile attack against San Francisco, the U.S. would retaliate appropriately with a strike of its own — a fact North Korea would take into account before launching such a strike.
“Is stealing 23 million records from the Office of Personnel Management, is that an act of war?” Hurd said. “Is turning our lights on or trying to attack our grid, is that a digital act of war? Is tweaking some bid when it comes to the financial services industry, is that an act of war? And what then would be our response?”
Hurd and other lawmakers have been vocal in pressing intelligence officials, including Director of National Intelligence James Clapper and U.S. Cyber Command/National Security Agency Director Mike Rogers, for a set of clear guidelines to gauge and respond to cyber aggression in the wake of OPM, Sony and other headline hacks.
“One of the frustrations that I have in some of these high-profile attacks is we don’t even have general attribution,” Hurd said.
The Obama administration has been reluctant in the past to call out state actors like China for cyber intrusions like the one discovered at OPM last year, or Russia for deploying malware that shut down a Ukrainian power grid last year, all attributed by unofficial sources.
“Attribution is a form of deterrence,” he continued, “and when you actually attribute some of these attacks, it helps.”
Hurd said he was “shocked” about the lack of response and recognition in the defense and cyber communities to last December’s cyberattack on the Ukraine power grid, which left 225,000 customers without power.
The Texas representative said the Ukraine incident brought cyberattacks capable of damaging and decommissioning critical infrastructure out of the theoretical realm and into the possible.
Robert Lee, CEO of Dragos Security — a cybersecurity firm specializing in critical infrastructure — said the government is sending mixed messages when it comes to U.S. cyber preparedness.
“At the same time you have [Department of Homeland Security] reports coming out and saying, ‘we are good to go, we have a low chance of having an impactful attack,’ then we have Adm. Rogers coming out two months later saying, ‘it’s not a matter of if, but it’s a matter of when this is going to happen,’” Lee said.
Last July, Rogers said he fully expects that during his tenure as the head of the U.S. digital warfront he “will be directed to deploy capability from U.S. Cyber Command to defend critical U.S. infrastructure, either in anticipation of, or in the aftermath of a significant cyber event.”
Lee, a former U.S. Air Force Cyberspace Operations officer, said there’s a “national message mixup” causing confusion among energy companies, and that the timing of the government’s response (DHS didn’t dub the Ukraine power outage a cyberattack until two months after) needs to be improved.
“I am completely empathetic to the fact that we want to get the facts right,” Lee said. “But to say, ‘Hey, we’re exploring this, we don’t have the facts, but just to let the community know, the possible first cyberattack against a power grid that had outages did occur.’ It might be interesting to know that.”
“It’s hard to have a national discussion around automated threat information sharing, and then not share things,” he said.
Southern Company CEO Tom Fanning, on hand to represent the industry itself, said while nation states are a concern, he perceives the current threat landscape as more of a “cyber cold war,” in which no nation state wants to make the first move for fear of retaliation.
“The people that I worry about are the people that don’t have anything to lose,” Fanning said.
Hurd said more cooperation is needed between the private and public sectors, with companies anticipating threats to their infrastructure and sharing those with the intelligence community, who can then watch for those threats more effectively.
“That would go a long way in making sure we’re working together to be resilient from these attacks,” Hurd said.