On Thursday morning, the House Permanent Select Committee on Intelligence held a hearing on “Cybersecurity Threats: The Way Forward,” featuring testimony by Adm. Michael Rogers, the Commander of U.S. Cyber Command and Director of the National Security Agency. The hearing hit hard on the need for a way forward–but revealed little about what that way might be.
Retiring Committee Chairman Mike Rogers (R-Mich.), Ranking Member Dutch Ruppersberger (D-Md.), and Adm. Rogers all highlighted cybersecurity threats to the United States, citing breaches of industrial control systems and attacks on financial institutions. In particular, Adm. Rogers repeatedly emphasized that the threats are “not theoretical.” He noted that there are “multiple nation-states” that have the capacity to attack U.S. critical infrastructure and “it is only a matter of the when, not the if, that we are going to see something dramatic.”
The committee members and Adm. Rogers suggested that two things are needed to address these threats: cyber threat information sharing legislation and international norms of behavior for cyberspace. But how to achieve either one is not clear.
On information sharing, Representatives Rogers and Ruppersberger pushed for passage in the lame-duck session of a bill to permit sharing of cyber threat information between the private sector and the government. Rogers and Ruppersberger’s bill on the issue, the Cyber Threat Information Sharing & Protection Act (“CISPA”), passed the House in April 2013, but drew a veto threat from the White House and generated broad public opposition due to privacy concerns about the businesses providing Internet users’ information to the government. A Senate information sharing bill, the Cybersecurity Information Sharing Act, has prompted similar concerns. Proponents of cyber threat information sharing see it as crucial to facilitating increased security for U.S. systems and networks, but such information sharing has been pulled into the broader debate about surveillance reform and the flow of information to the intelligence community. The failure of the USA FREEDOM Act earlier this week substantially dims the chances for information sharing legislation until the new Congress.
On international norms, Rep. Jim Himes (D-Conn.) sparked discussion by asking what the “key principles” should be for such norms and how agreement on such norms could be catalyzed. Adm. Rogers “strongly concur[red]” with the need for international norms, but was less definitive on what the norms should be. He identified one possible norm of treating countries’ Computer Emergency Readiness Teams (“CERTs”) “as hospitals” (that is, prohibiting attacks on CERTs), but then simply identified the need to define “what’s an act of war” without proposing a definition. In response to further questions from Himes, Adm. Rogers suggested that the U.S. government is also discussing whether, for example, to push for norms against attacking critical infrastructure and stealing intellectual property. Both are top concerns of the United States. As Adm. Rogers highlighted, the NSA has observed intrusions into industrial control systems that now appear to be reconnaissance but could be used to “take down” such systems in the future.
But Adm. Rogers provided little information about how the U.S. plans to achieve agreement on whatever norms it supports, as evidenced by this exchange (beginning around 25:30 on the C-SPAN video):
Rep. Himes: As you … look at the discussion internationally happening here, do you have any have confidence that this debate … is going to advance? And in particular, are we going to be able to draw in bad actors like China and Iran? Or is it going to in fact take some demonstration of capability against them to get them to the table?
Admiral Rogers: I don’t know is the short answer. I’m hoping it’s not the latter. Clearly there’s ongoing dialogue.
The uncertainty about even the process for developing norms of behavior is a troubling indication of how far the U.S. government and its international counterparts are from achieving agreement on the content of those norms.
Although the hearing shed useful light on the nature of cybersecurity threats, it might have been better titled: “Cybersecurity Threats: Is There a Way Forward?”