The United States is losing the war in the cyber world, the Chairman of the House Committee on Homeland Security told journalists gathered for a one-day UMUC-sponsored cybersecurity seminar for reporters on Jan. 11.
“It’s going to get worse before it gets better,” said Rep. Michael McCaul, R-Texas. “If anything comes out of the [Russian] election system attack, it will be to make people aware of this issue and how we should make this a priority.”
McCaul’s remarks were part of a luncheon keynote interview conducted by Sarah Sorcher, deputy editor of Passcode, a section of the Christian Science Monitor, the co-sponsor of the event held at the National Press Club in Washington, D.C. More than 35 journalists attended, seeking to learn more about cybersecurity issues that are frequently being covered in the news.
McCaul’s interview capped a series of sessions for reporters featuring UMUC cybersecurity professors, including Emma Garrison-Alexander, vice dean of UMUC’s cybersecurity graduate programs and the former Chief Information Office of the Department of Homeland Security’s Transportation Safety Administration.
Presenters explained the fundamentals of how American computer systems are subject to attack, the threat to national security, the state of defense against hackers, and the hidden black market economy of cyber commerce and innovation.
Many journalists were startled at how easily an attack could be accomplished after they watched Jesse Varsalone, an associate professor of Computer Networks and Cybersecurity, show them exactly how it can be done.
Varsalone said his nine-year-old son won more than 30 prizes from an arcade videogame just by watching a YouTube video about how the game could be hacked.
More importantly, he said, many computer systems that control critical infrastructure and corporate sites have passwords set to the default password, which anyone can find. He showed a website that listed many IP numbers, opening the devices that correspond to those numbers up to attack.
“You click on the IP and you are into their device,” he said. “It’s unethical that all of that information is on the Internet, but it is there and you need to know about it.”
Journalists can play a crucial role by finding and reporting on unclassified cybersecurity documents, said Merritt Baer, a senior cybersecurity official in the Department of Homeland Security and a UMUC adjunct professor.
“If you read open-source intel reports,” she said, “you can say or speculate on things that government employees or people who have to account to their boss can’t explicitly say.”
Not too long ago, “cybersecurity used to be a game,” said Bruce deGrazia, a UMUC program chair and collegiate professor.
Hackers saw it as a challenge to see if they could break into a system, he said. But now, people with a lot of money and talent are exploiting cyber to get into systems that are critical to national security.
So many computer systems have been compromised that credit card numbers can be purchased on the “dark web” for less than 50 cents, he said, and one investigator bought Kim Kardashian’s credit history for $5.00.
But the real danger is in national security, deGrazia said.
“Just as we have military forces that protect our physical assets, we need a strong cybersecurity presence to protect our virtual assets. Cyber is being seen more as a weapon of war to be considered the equivalent to physical types of weapons.”
McCaul said the Obama administration has not responded adequately to cyber attacks by the Chinese and Russian governments. After federal investigators discovered that the Chinese-backed infiltration of the federal Office of Personnel Management computer system resulted in the theft of millions of federal employee documents, including security clearance information, the administration responded by meeting with Chinese leaders.
The response to the Russian hacking of the presidential election should be met with a greater response than what President Obama has done so far, McCaul said. While he said the Russian attacks did not change the outcome of the election, he urged President Obama and President-elect Trump to do more to make the Russians pay for the intrusion.
“It was the Russians, and there should be consequences,” McCaul said. “I think they need to know that if there is evidence that a nation state is either undermining our political process or trying to damage our critical infrastructure that there will be a response,” he added. “It will be equal to the attack on the United States.”
Calling the theft by hackers on private industry, “the greatest transfer of wealth in human history,” McCaul said he will propose a new cybersecurity agency within the Department of Homeland Security (DHS).
“Right now, they [DHS] don't have the priority and focus to defend the nation,” he said. “By creating this primary cyber agency, DHS will have a greater capability to do that.”
Making the Department of Homeland Security the lead agency in working with the private sector makes more sense than using the FBI, NSA or the Department of Defense (DOD), McCaul said.
“The role of DOD is to defend the nation in times of war,” he said. “The NSA is to advise our intelligence community. The FBI is to prosecute. So, when it comes to information sharing, we thought the best sector to do that would be a civilian agency that can be a true partner to assist the private sector to defend from these attacks rather than an entity that can prosecute or spy on you.”
The private sector needs to take more responsibility in defending itself, McCaul said. As CEOs see that they are being held responsible for the theft of their customers’ private information, their interest in this is shifting.
But the United States does not have enough qualified people to fill the positions necessary to provide for cyber defense, McCaul said. And government offices are competing with higher paying private positions for the available talent.
“We should focus on retraining, but the fact is we are not producing enough in our schools and universities,” he said. “There has to be more of a discussion about this being a national priority.”
Even the NSA, the premier organization in cyber, is having trouble finding qualified people to work for it, McCaul said. More scholarships should be available for people willing to work in the federal government, he said, and perhaps even a National Guard of cybersecurity experts should be created to be called up for service when needed.