When companies become aware they have been targeted by criminal or nation-state hackers, they need to fess up and come to the U.S. government with information to help feds get a better handle on foreign nation-state hacking, FBI Director Chris Wray emphasized during testimony on Capitol Hill Wednesday.
Wray noted that companies coming forward when they are impacted in cyberattacks is a crucial part of developing a sort of early-warning system for foreign hackers working to conduct sweeping cyber-operations against multiple American companies and government entities.
“We need that first company [impacted]. Someday you’re going to be the first company, if you’re the CEO, and someday you’re going to be the second, third or fourth company,” Wray told the Senate Intelligence Committee during the intelligence community’s global threats briefing. “We need in every instance those companies to be stepping forward promptly and reaching out to government so that we can prevent the threat from metastasizing.”
That kind of warning from the private sector has already helped the federal government become aware of foreign nation-state hacking. When Russian government hackers booby-trapped a federal contractor’s software update with malicious code to run a widespread espionage operation that impacted both private sector entities and federal government agencies last year, security firm FireEye was the first affected organization to note and disclose the incident.
Its disclosure kicked off a process that helped the federal government and other companies identify their own breaches.
“The SolarWinds hack offered a stark reminder that there is no requirement to report breaches of critical infrastructure,” said Warner, a Virginia Democrat. “If FireEye had not come forward, we might still be in the dark today.”
Many of the leaders from the U.S. intelligence community testifying Wednesday — including Director of National Intelligence Avril Haines and National Security Agency Director Gen. Paul Nakasone — echoed Wray’s insistence that the U.S. government work to enhance public-private partnerships when it comes to ferreting out these kinds of hacks.
Particularly when foreign nation-state hackers or cybercriminals rely on U.S. infrastructure for their hacking operations — infrastructure that spy agencies are generally not authorized to monitor quickly — U.S. intelligence can lag behind what the private sector might see, Nakasone noted. Nakasone heads both NSA and Cyber Command, the offensive cyber branch of the Defense Department.
Warner has long been a proponent of developing more fleshed-out cyber incident disclosure processes, so his emphasis on the issue should come as no surprise. But many other lawmakers on the committee pressed the intelligence chiefs harder to account for why the U.S. intelligence apparatus has so many gaps in its visibility into foreign hacking.
“I think it’s an excellent question and it’s one we’re struggling with in a series of areas in our discussion of [domestic violent extremism], in our discussion of cyber, in areas like malign influence and so on,” Haines said.
Nakasone and Wray kept routing the conversation back to boosting public-private partnerships and information-sharing, even as lawmakers continued asking about giving new powers to the intelligence chiefs.
“I’m not seeking legal authorities either for NSA or U.S. Cyber Command,” Nakasone said, echoing testimony he gave on the question of new authorities last month.
Nakasone did not explicitly answer a question on whether he thinks other agencies should be considered for additional authorities to help fill in the visibility gap.
“My intent in my discussions has always been, though, to state that with an adversary that has increased its scope, scale, sophistication, we have to understand that there are blind spots in our nation today,” Nakasone added. “One of the blind spots that our adversaries are using is that they are utilizing U.S. infrastructure and it means that we cannot surveil that, whether within the intelligence community or law enforcement to react quick enough to what they’re doing.”
Nakasone reasserted his perspective that much more must be done to get the private sector to share more information with the intelligence community about the cyberthreats they are seeing.
“We are troubled in terms of being able to understand the depth and breadth of an intrusion based upon the fact that, for a number of good reasons … that much of the private sector does not share this information readily,” Nakasone said.
Sen. Kirsten Gillibrand, D-N.Y., however, was not satisfied.
“I don’t like hearing that we have blind spots, so I’d like a little more analysis about if there are other authorities that are needed — and I’ve heard you all say you don’t need other authorities,” Gillibrand said. “I guess I’m not willing to accept we will have blind spots.”
While it’s not a silver bullet, Wray said one concrete step the U.S. government could take is to enact a breach notification law that would compel companies to more quickly and fully disclose cyber incidents to alert the U.S. government — and other private sector entities — to potentially crippling attacks.
Some lawmakers urged the intelligence community to think through whether the government and its responses to hacking have had any deterrent effect on adversaries seeking to target U.S. companies or government entities. Haines noted there are still questions about whether U.S. responses to hacking are resulting in any sort of deterrent.
“Whether it’s effective, I think it’s fair to say that it’s not as effective as we’d like to be,” Haines said. “I think you’re right to indicate that we have, as a country … struggle[d] with how to effectively deter these types of attacks.”
Nakasone, whose Cyber Command often leads efforts to impose costs on foreign hackers for their campaigns against the U.S., added he isn’t sure if they fear U.S. responses to their hacking campaigns.
“I’m not sure in terms of whether or not our adversaries, you know, feel that,” Nakasone said. “Here’s what I know our adversaries understand … that we are not going to be standing by the sidelines.”