Cheryl Pellerin at DoD News offers the below piece:
WASHINGTON, Nov. 21, 2014 - Cyber threats are real, hurting the nation and
its allies and partners, costing hundreds of billions, and potentially leading
to a catastrophic failure if not addressed, Navy Adm. Michael S. Rogers told a
House panel yesterday.
Rogers, the commander of U.S. Cyber Command, director of the National
Security Agency and chief of the Central Security Service, testified before
members of the House Permanent Select Committee on Intelligence on advanced
cybersecurity threats facing the United States.
Cyber Challenges 'Not
Theoretical'
"There should be [no] doubt in anybody's mind that the cyber challenges we're
talking about are not theoretical. This is something real that is impacting our
nation and those of our allies and friends every day," Rogers said.
Such incidents are costing hundreds of billions of dollars, leading to a
reduced sense of security and potentially to "some truly significant, almost
catastrophic failures if we don't take action," the admiral added.
In recent weeks, cyber-related incidents have struck the White House, the
State Department, the U.S. Postal Service and the National Oceanic and
Atmospheric Administration.
The Defense Department, the U.S. Sentencing Commission and the U.S. Treasury
also have had cyber intrusions.
Sophisticated malware has been found on industrial control systems used to
operate U.S. critical infrastructure, and other major intrusions have been
reported by J.P. Morgan Chase, Target, Neiman Marcus, Michaels, Yahoo! Mail,
AT&T, Google, Apple and many more companies.
Intrusions Seek to Acquire
Capability
"We have ... observed intrusions into industrial control systems," Rogers
said. "What concerns us is that ... capability can be used by nation-states,
groups or individuals to take down" the capability of the control systems.
And "we clearly are seeing instances where nation-states, groups and
individuals are aggressively looking to acquire that capability," he added.
Rogers said his team thinks they're seeing reconnaissance by many actors to
ensure they understand U.S. systems in advance of exploiting vulnerabilities in
the control systems.
"We see them attempting to steal information on how our systems are
configured, the specific schematics of most of our control systems down to the
engineering level of detail so they [see] ... the vulnerabilities, how they are
constructed [and] how [to] get in and defeat them," the admiral said.
"Those control systems are fundamental to how we work most of our
infrastructure across this nation," Rogers added, "and it's not just the United
States -- it's on a global basis."
Growth Areas of
Vulnerability
When he's asked about coming trends, Rogers said, industry control systems
and supervisory control and data acquisition systems, called SCADA systems, come
to mind as "big growth areas of vulnerability and action that we're going to see
in the coming 12 months."
"It's among the things that concern me the most," he added, "because this
will be truly destructive if someone decides that's what they want to do."
What it means, he said, is that malware is on some of those systems and
attackers may already have the capability to flip a switch and disrupt the
activity the switch controls.
"Once you're into the system ... it enables you to do things like, if I want
to tell power turbines to go offline and stop generating power, you can do
that," he explained. "If I want to segment the transmission system so you
couldn't distribute the power coming out of power stations, this would enable
you to do that."
Criminals as Surrogates for
Nation-states
The next trend Rogers sees near-term is for some criminal actors now stealing
information designed to generate revenue to begin acting as surrogates for other
groups or nations.
"I'm watching nation-states attempt to obscure, if you will, their
fingerprints," he said. "And one way to do that is to use surrogate groups to
attempt to execute these things for you."
That's one reason criminal actors are starting to use tools that only
nation-states historically have used, the admiral said.
"Now you're starting to see criminal gangs in some instances using those
tools," he added, "which suggests to us that increasingly in some scenarios
we're going to see more linkages between the nation-state and some of these
groups. That's a troubling development for us."
Such activities across the cyberscape, he said, make it difficult for
private-sector companies to try to defend themselves against rapidly changing
threats.
A Legal Framework for Cyber
Sharing
But before Cybercom can help commercial companies deal with cyber criminals
and adversarial nation-states, Rogers said the command needs a legal framework
"that enables us to rapidly share information, machine-to-machine and at machine
speed, between the private sector and the government."
The framework, he added, must be fashioned in a way that provides liability
protection for the corporate sector and addresses valid concerns about privacy
and civil liberties.
Such legislation has passed in the House but not in the Senate, and the
Senate has created its own similar legislation that has not yet passed the full
Senate.
Rogers says there are several ways Cybercom can share what it knows about
malicious source code with the private sector so companies can protect their own
networks, and assure Americans that NSA isn't collecting or using their personal
information while sharing information with private companies.
What the Private Sector
Needs
With private-sector companies, Cybercom and NSA must publicly "sit down and
define just what elements of information we want to pass to each other," he
said, specifying what the private sector needs and what the government needs,
and also areas that neither wants to talk about.
"I'm not in that private-sector network, therefore I am counting on the
private sector to share with us," the admiral said.
What he thinks the government owes the private sector is this -- Here are the
specifics of the threats we think are coming at you. Here's what it's going to
look like. Here's the precursor kinds of activities we think you're going to see
before the actual attack. Here's the composition of the malware we think you're
going to see. Here's how we think you can defeat it.
What Rogers says he's interested in learning from the private sector is this
-- Tell me what you actually saw. Was the malware you detected written along the
lines that we anticipated? Was it different and how was it different? When you
responded to this, what worked for you and what didn't? How did you configure
your networks? What was effective? What can we share with others so the insights
of one come to the aid of many?
"That's the kind of back-and-forth we need with each other," Rogers said, and
legislation is the only thing that will make it happen.
Helping Defend Critical
Infrastructure
Rogers says he tells his organization that he fully expects during his time
as Cybercom commander to be tasked to help defend critical infrastructure in the
United States because it is under attack by some foreign nation or some
individual or group.
"I say that because we see multiple nation-states and in some cases
individuals in groups that have the capability to engage in this behavior," the
admiral said, adding that the United States has seen this destructive behavior
acted on and observed physical destruction within the corporate sector, although
largely outside the nation's borders.
"We have seen individuals, groups inside critical U.S. infrastructure. That
suggests to us that this vulnerability is an area others want to exploit," the
admiral said. "All of that leads me to believe it is only a matter of time when,
not if, we are going to see something traumatic."
Rogers says he's "pretty comfortable" that there is broad agreement and good
delineation within the federal government as to who has what responsibilities if
Cybercom is called on during a major cyberattack in the United States.
"The challenge to me is we've got to ... get down to the execution level of
detail," he said. "I come from a military culture [which] teaches us to take
those broad concepts and agreements and then you train and you exercise. And you
do it over and over. That's what we've got to do next."
Note: The above U.S. Navy photo shows sailors assigned to the Navy Cyber Defense Operations Command. The photo was taken by Petty Officer 2nd Class Joshua J. Wahl.
