National security experts have said cyber probes and attacks by nations such as Iran are a “certainty.” But what’s less clear is how companies or the government should protect themselves, especially with current funding levels.
“We would not tell any organization in the private sector, if a missile was inbound, on their target ... good luck, you’re on your own. That’s basically what we told them in terms of cyberspace, ‘good luck you’re on your own,’” Vincent Stewart told the House Homeland Security Committee Jan. 15. Stewart was most recently the deputy commander of U.S. Cyber Command until his retirement in April.
Experts explained to the committee that government IT leaders, and specifically the Department of Homeland Security, need more resources and need to do more to protect agencies from attack. In addition, they said, companies must take the basic steps to protect themselves.
In light of rising tensions with Iran, experts warned that Iran or the country’s designees are likely to continue to use cyber operations to probes U.S. networks and to employ disinformation and influence campaigns.
While warnings about Iran from the government have been a welcome step, Tom Warrick, nonresident senior fellow at the Atlantic Council, said in his written testimony that those suggestions will likely go unnoticed by large swaths of the American public and small businesses. In its place, those entities should practice good hygiene by not clicking phishing emails and keeping systems up to date, he said.
“This is going to take an entirely different and stronger approach that I would hope would be led by the White House in a way that makes improving our cyber defenses a national goal, much like civil defense was a bipartisan national goal in the 1950s,” Warrick said. He previously served as deputy assistant secretary for counterterrorism policy at the Department of Homeland Security until June. “This needs to be done exactly in the way we did the civil defense campaign in the 1950s, the difference then being that at nuclear attack was a horrifying possibility but a cyberattack these days from our adversaries like Iran is an absolute certainty.”
Warrick added that the U.S. government’s newest cyber entity, Cybersecurity and Infrastructure Security Agency (CISA), is wholly mismatched versus the threat.
“The mismatch between what CISA has in the way of resources and what the threat is, is a strategic vulnerability to the United States homeland,” he said. “The staffing disparity of what’s needed to protect the country is very different. This is one of the things that I would hope this committee and your colleagues on the appropriations committee would work together to address. We have totally mismatched the idea of offense and defense because in the military realm it means one thing. It’s totally different in homeland security and cyberspace.”
Congress gave CISA a funding boost this year with $2 billion for fiscal 2020, a $334 million increase from the previous year.
Stewart noted that the government and private sector must do better sharing intelligence. This is an area the National Security Agency is undertaking with its Cybersecurity Directorate, which was created in October.
That organization wants to break down barriers in sharing unclassified intelligence to the private sector in a more timely manner so businesses are better prepared against cyberthreats.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.