Intelligence leaders outline challenges associated with responding to foreign cyberthreats during Senate hearing
Michael Rogers, director of the National Security Agency (NSA), said he believes the OPM data breach underscores a reality that all officials for government agencies or enterprises should understand in the current technology environment.
“I think that OPM highlights that massive data concentrations have value all of their own,” Rogers said. “What do I mean by that? I can remember, 10 years ago—early in my time in cyber—thinking to myself, ‘Large databases like OPM are so large, that the ability for an intruder or external actor to fully extract and bore their way through millions upon millions of records would be difficult.’
“But with the power of Big Data analytics, large data concentrations now become increasingly attractive targets, because the ability to mine that data for insights—which we think drove this action in the first place—becomes more and more easily done.”
Cyberthreat tools continue to evolve at a rapid rate, which is one reason why Clapper recommended that the federal government consider non-cyber responses to deter action from foreign entities.
“When something happens in cyberspace, our automatic default policy position should not be exclusively to counter cyber with cyber,” Clapper said. “We should consider all instruments of national power. In most cases to date, non-cyber tools have been more effective in changing our adversaries’ cyber behavior.
“When we do choose to act, we need to model the rules we want others to follow, since our actions set precedents. We also need to be prepared for retaliation, which may not be as surgical … That’s why using cyber to counter cyberattacks risks unintended consequences.”
Meanwhile, McCain said the current U.S. approach is to treat cyberthreats on a case-by-case basis, which is “not a strategy.” He also expressed concern about the state of readiness within the intelligence community when the U.S. is hit with a cyberattack from a foreign entity.
“I don’t think that any of our intelligence people know what to do, if there is an attack, besides report it,” McCain said. “I don’t think that any of our people know—if they see an attack coming—what specific action should be taken.
“Maybe I’m missing something, but I’ve asked time after time, ‘What do you do in the case of an attack?’ And there’s not been an answer. I believe that, unless we have specific instructions to these wonderful men and women who are doing all of this work, then we are going to be bystanders and observers.”