Cyber thieves and hackers are targeting the nation’s critical infrastructure, which means that the federal government should be collecting intelligence on these potential threats based on requirements generated by the private sector, a freshman lawmaker said on April 12.
This type of national intelligence collection would leverage the expertise of the private sector and the information would then have to get back to these critical infrastructure organizations, Rep. Will Hurd (R-Texas) said at cyber security company FireEye’s [FEYE] annual government forum.
Hurd, a former CIA agent who followed up his 10-year spy career with a four-year stint in the private sector with the cyber security firm Fusion X before his election to Congress in 2014, praised the bi-partisan Cybersecurity Information Sharing Act that was approved late in 2015 for providing liability protections to companies to get them to voluntarily share cyber threat data with the federal government. Hurd chairs the Information Technology panel on the House Oversight and Government Reform Committee and is also a member of the House Homeland Security Committee.
But, Hurd said, more can be done to help the sharing of information between the public and private sectors. He asked if the information the federal government is sharing with the private sector is actionable and timely and is it helping companies protect themselves.
“One of the things I’ve learned in the private sector is the federal government should be doing national collection based on some requirements generated by the private sector,” Hurd said. “We know right now today there are a bunch of dudes in a building in Russia developing the next kind of malware that can be used to attack the financial services industry. Is that a national collection priority? Have the requirements been sophisticated enough that the agencies, NSA, CIA primarily, could go out…and do as I did and gather intelligence on that threat?”
Hurd said he’s been asking this question but hasn’t received affirmative answers.
Getting this type of information flow, private sector requirements leading to national collection efforts with threat information flowing back to the private sector, “is going to be one of the more difficult challenges,” Hurd said. “These are some of the things that we are looking at.”
The conversation around cyber security also has to move beyond information sharing to deterrence, Hurd said, which include talking about “what actually is a digital act of war.” This is a “really hard” challenge, he said, adding that once these thresholds are set, then what are the appropriate countermeasures.
Hurd added that there are government agencies that don’t have a good handle on who is in their networks and can they be stopped. Attribution at a detailed level is difficult, he said, but asked if it can be done at a “general basis that could ultimately serve as a deterrent.” By calling out a specific country or organization within a country, that can serve as a deterrent, Hurd said, adding that the federal government needs to do a better job and apply more resources to attributing the sources of cyber attacks.
Attribution also helps the victim of the attacks, Hurd said.
Dave DeWalt, chairman and CEO of FireEye, said at the outset of the forum that diplomacy has served the United States in helping to stem cyber attacks. He cited an agreement in 2015 between the U.S. and China that called for both countries to not support the cyber theft of intellectual property as helping to decrease the number of cyber attacks originating in China.