U.S. military cyber experts play on American fears of Chinese hackers shutting down U.S. power plants and financial systems to justify massive investments in cyber improvements for the Defense Department.
That’s why it comes as a surprise that a cyber defense report ranked China well below two Scandinavian countries and Israel for its cyber defenses. For that matter, the U.S. even fell behind Sweden, Finland and the Israelis when it comes to protecting against cyber attacks, according to a report issued by Security & Defence Agenda, a Brussels-based think tank.
Most cyber attacks still emanate from computers based in the U.S. and China, with the U.S. being the worst offender, said Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. Yet those two countries lag behind others when responding to attacks, according to the report.
A panel of experts hosted by McAfee, a cyber security company that partnered with Security & Defence Agenda to publish the report, agreed the U.S. military and other federal agencies have a lot of ground to make up to protect against evolving cyber threats.
The Pentagon’s acquisition system is woefully slow in keeping up with new cyber technology that hackers use to penetrate the Defense Department’s network, said Robert Lentz, former U.S. deputy assistant secretary of defense for cyber.
Phyllis Schneck, McAfee’s chief technology officer, urged the military to consider buying commercial-off-the-shelf technology to protect its networks rather than constantly trying to innovate its own.
Defense officials have identified a recent computer virus coming from China that targets service members’ common access cards and steals the PINs to hack into defense computer networks.
The cyber panel that met in Washington D.C. on Monday said the government must increase the amount of information they share with private firms about how they protect against attacks.
“The government only inhales, it never exhales,” Healey said.
Government officials protect too much of their cyber defense strategy behind classified barriers, making it tough for private firms such as Microsoft or Google to help the government in case of a cyber attack.
“A cyber war is going to be won or lost in the private sector. If you’re under attack who do you really want on your side, [Department of Homeland Security] or McAfee and Microsoft?” Healey asked.
The Senate is working on a cybersecurity bill that will reach the floor within the next month, said Jeff Greene, a counsel for the Senate Homeland Security and Governmental Affairs Committee. While the bill will contain an information-sharing provision, he warned that it doesn’t serve as a “silver bullet” and more work needs to be done.
“I think it’s important to recognize that it is just a piece of what needs to be done, and probably isn’t going to reach some of the industries and some of the individual entities that need help the most,” Greene said.
Northrop Grumman’s Chief Information Security Officer Tim McKnight said the number of attacks on his company has increased. Northrop has identified about 26 “gangs” that target the defense industrial giant, 12 of which McKnight would describe as “sophisticated.”
Cyber security agencies within the military must start training service members to attack those that attack the government, McKnight said. In other words, government officials need to learn the old adage that a good offense is the best defense.
“There must be consequences for launching an attack,” said Stewart Baker, the Department of Homeland Security’s former assistant secretary for policy.
Holding countries accountable for attacks that come from within their borders is especially difficult, Baker said. Countries have a hard enough time negotiating treaties on weapons such as nuclear warheads. A cyber treaty is a non-starter within diplomatic circles.
“It’s foolish to enter into an agreement and stand down your ability to react,” Baker said.