The big attacks that have been disclosed so far in 2015 involved the theft of data, and a lot of it. Some 21 million personnel records were taken from the Office of Personnel Management, likely by China, while 4,000 records, some with “sensitive” information, were stolen from the Joint Chiefs civilian email system, a theft blamed on Russia.
But America’s top spies say the attacks that worry them don’t involve the theft of data, but the direct manipulation of it, changing perceptions of what is real and what is not.
Director of National Intelligence James Clapper spelled out his concerns in written testimony presented to the House Subcommittee on Intelligence today.
“Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial of service operations and data deletion attacks undermine availability,” he wrote. “In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it.”
The bottom line, Clapper says: “Decision making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”
NSA Director Admiral Michael Rogers also testified, singling out “the use of cyber for manipulative, destructive purposes” as a rising and unacceptable threat.
What sort of information might hackers manipulate for some sort of tactical or strategic effect? Data that affects critical infrastructure is a good bet. Between 2010 and 2015, hackers penetrated Energy Department networks 159 times, according to records obtained by USA Today through a Freedom of Information Act Request.
And what is Congress doing about it? The long-debated Cybersecurity Information Sharing Act of 2015, currently in the Senate Intelligence Committee, is supposed to help by encouraging companies to send the government information related to network attacks, data theft, loss, manipulation, etc. The Department of Homeland Security, or DHS, would be in charge of coordinating that information and then sending it to the FBI, the NSA, or other agencies or parties as appropriate.
But Committee Chairman David Nunes, R-Calif., wondered whether DHS could do that effectively. He noted that the department’s Protected Critical Infrastructure Information Program had not been audited since 2006. “This raises serious questions about an Agency that many government representatives believe should be at the heart of our cybersecurity strategy.” Nunes said.
Last year, DHS accidently released more than 800 pages related to critical infrastructure when it bungled an open records request.
Clapper also said Russia’s Ministry of Defense is establishing its own cyber command, “which according to senior Russian military officials will be responsible for conducting offensive cyber activities.”
At one point, Jeff Miller, R-Fla., asked Clapper whether Russia might give cyber capabilities to Iran, which staged a successful cyber-physical attack on Saudi Arabian oil company Aramco in 2012. Clapper said that the question was “best left to closed discussion.”
Said Rogers: “We have not seen Iran step back from the use of cyber as a tool…to achieve a broader set of national objectives.”