The lines between cybercrime and espionage are blurring, and unless the United States takes the lead in establishing international norms of online behavior, the frequency and sophistication of cyber hacking attacks will increase, according to leaders of the U.S. intelligence community.
The directors of the FBI, CIA, NSA and other intelligence agencies, speaking before the House Intelligence Committee in Washington, addressed the “cyber challenges” facing the United States and the international community.
“Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication and severity of impact,” said James Clapper, Director of National Intelligence, in his opening statement.
“We foresee an ongoing series of low-to-moderate level cyber-attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
The committee opened the hearing to the public, in part as a response to the rapidly growing number of high-profile corporate and governmental computer hacks.
“These high profile assaults are eroding confidence in our government’s ability to counter the threat, and I share the public’s concern,” said committee chairman Representative Devin Nunes (R-CA).
He added that his committee is putting the government’s cyber community “on notice” to do better at preventing computer attacks.
Committee members and witnesses admitted fundamental issues, such as what constitutes an act of cyber war or what the appropriate response should be remain unclear.
“We don’t know where the line is drawn between crime and warfare,” said the committee’s top Democrat, Representative Jim Himes (D-CT).
“Is stealing classified information from us an act of war or just an act of espionage that we do to each other, and maybe even grudgingly admire those who can pull off that espionage? At what point is it an act of war responded to in the cyber-realm, and at what point is it an act of war that is responded to outside the cyber-realm?”
Focus on Russia, China
Clapper singled out Russia and China as posing the greatest threat, given their highly sophisticated cyber programs and demonstrated willingness to target and steal sensitive data from U.S. corporate and government computer systems. But he also warned Iran and North Korea are risks because of their aggressive and unpredictable regimes.
Non-state actors and terrorist groups also pose significant security risks because “they see the Web itself as a weapons system,” said National Security Agency director Admiral Michael Rogers.
“The long term end state we need to get [to] here is this idea of acceptable norms of behavior,” Rogers added. “We clearly understand nation states using the spectrum of capabilities they have to attempt to generate insights in the world around them. But that does not mean that the use of cyber for destructive, manipulative purposes is acceptable.”
FBI Director James Comey cautioned the spread of social media also presents new security risks. He cited extremist groups and the “considerable success” they have using social media to recruit, raise funds and spread online propaganda.
“Social media works, whether you’re selling sneakers or selling the poison of the so-called Islamic State,” said Comey. “Social media companies have been highly responsive in trying to take down media that is offensive and related to a terrorist group. But the challenge of social media is it’s the most complicated spiderweb in the world.”
Comey faced skepticism from some committee members over his public campaign to limit, or at least partially control, the spread of digital encryption technologies.
Asked by Rep. Eric Swalwell (D-CA) whether he could propose a way to give law enforcement limited access to encrypted data while protecting Americans' First Amendment rights, Comey demurred.
“I don’t think that we’ve really tried, and I don’t think there’s an ‘it’ to the solution,” he said. “I would imagine there might be many, many solutions. I just don’t think we’ve given it the shot it deserves.”
All five witnesses agreed more needs to be done internationally to define and create clear lines between what constitutes espionage, crime, [hacking] and other cyberattacks. And second, until that happens, the hacking firestorm is likely to get worse.
“In the future, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity instead of deleting it or disrupting access to it,” said Clapper.
“Decision making by senior government officials, corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”