The U.S. government is trying to more effectively deter cyberattacks by imposing clear consequences on nation-state-linked hackers, Homeland Security Secretary Kirstjen Nielsen said Thursday, casting the Trump administration as tougher on the issue than the Obama administration.
“This is one of those areas where deterrence has to be clear,” Nielsen said at a Capitol Hill national security event. “We will no longer stand by while nation-states attack the government or our private sector entities.”
“For so long, we’ve had these attacks, it’s taken us over a year to attribute it in some cases,” she said. “Then you attribute it, nothing happens.”
Under both presidential administrations, the U.S. has clamped down on hackers linked with the Chinese, Russian, and Iranian governments through indictments and sanctions. In 2014, Obama’s Department of Justice brought the first U.S. charges of cyber-espionage against a nation-state with the indictment of five Chinese military officers. In March, Trump’s DOJ indicted nine Iranian hackers for stealing several terabytes’ worth of data from U.S. government agencies, companies, and universities.
Nonetheless, nation-state-linked hackers have continued to target U.S. infrastructure, and lawmakers have called for a clearer deterrence policy. Last month, the State Department advised the White House to develop a broader set of consequences to impose on hackers to deter attacks.
Some Democrats have called for Nielsen’s resignation over the Trump administration’s separation and detention of immigrant children. While the DHS chief covered immigration in her remarks, she appeared to welcome the chance to discuss cybersecurity, a topic she focused on during her private-sector career.
Other nation-states have honed their cyberattack capabilities in an effort to disrupt U.S. critical infrastructure and steal intellectual property and classified information, she said.
As a society, “we’re way past the ability to prevent all [cyber]attacks,” Nielsen said. “It’s no longer a question of if or when, but how long and how often can you withstand an attack.” One example of that resiliency, she said, could be taking control systems that support the electric grid offline in the event of a threat.
In addition to monitoring nation-state threats, DHS has been central to the Trump administration’s efforts to crack down on supply-chain risk. Last year, the department directed all federal agencies to remove products made by Kaspersky Lab, a Moscow-based antivirus vendor, from their networks. And this year, DHS set up a supply chain program to provide risk assessments to critical infrastructure firms and federal agencies on products they may acquire or deploy.
Nielsen touted that program, which is still getting off the ground through pilot testing. Through the program, she said, “we either know that [vendors are] in fact acting on behalf of nation-states that seek to do us harm,” or if vendors’ products are simply too laden with vulnerabilities to let into the supply chain.