Homeland Security Secretary Kirstjen Nielsen painted a daunting picture of the global digital landscape in a speech Wednesday, describing “a worldwide outbreak of cyberattacks and cyber vulnerabilities” that had moved from the “epidemic” to the “pandemic” stage.
“Cyberattacks, in terms of their breadth and scope and possible consequences, now exceed the risk of physical attacks,” Nielsen said at George Washington University in Washington, D.C. “[C]yberspace is now the most active battlefield, and the attack surface extends into every single American home.”
The Department of Homeland Security “was founded 15 years ago to prevent another 9/11,” Nielsen added, “but I believe an attack of that magnitude is much more likely to reach us online than on an airplane.” The department “wasn’t built for a digital pandemic” at its founding, she said, urging Congress to pass legislation to turn DHS’s cyber and physical infrastructure agency into an “full-fledged operational agency.”
Nielsen also pointed to a growing hacking arsenal available to foreign governments. “Now more than 30 nation-states have cyberattack capabilities, and sophisticated digital toolkits are spreading like wildfire,” she said.
As evidence, Nielsen cited the “destructive code” that Russian and North Korean hackers released last year — an apparent reference to, respectively, the NotPetya and WannaCry attacks that U.S. officials have blamed on those two countries. The two attacks cost billions of dollars in combined damage.
Nielsen’s warnings about nation-state threats come as DHS continues to help state and local officials prepare for midterm elections that, according to U.S. intelligence officials, remain a target for Russian interference. Nielsen called the Kremlin-directed influence operation in the 2016 election “egregious” while vowing to not let it happen again.
While President Donald Trump has equivocated on whether Moscow meddled in the 2016 election, senior officials such as Nielsen and Vice President Mike Pence have asserted that the Trump administration has been tougher on foreign hackers than the Obama administration. (Both administrations have sought to rein in malicious cyber-activity through indictments and sanctions.) Trump last month rescinded a policy directive that had governed the approval process for U.S. offensive cyber-operations, opening the door to more digital strikes.
“The United States has a full spectrum of options — some seen, others unseen — and we are already using them to call out our cyber-adversaries, to punish them, and to deter future digital hostility,” Nielsen said Wednesday.
In a discussion after her speech, Nielsen said the United States needs to more quickly attribute hacking operations to foreign actors in order to respond effectively. Consequences, she said, “have to go hand-in-hand with that attribution.”