A cyber security analyst works in the "watch and warning center" during a tour of the government's cyber defense lab in Idaho Falls, Idaho.

A cyber security analyst works in the "watch and warning center" during a tour of the government's cyber defense lab in Idaho Falls, Idaho. Mark J. Terrill/AP

Every Part of the US Government Has Probably Already Been Hacked

A Homeland Security official says 600,000 cyber incidents have occurred so far this fiscal year. By Frank Konkel

Cybersecurity has been touted by the Obama administration as one of its top technology priorities over the past several years, but heightened visibility alone has done little to deter adversaries that include state-sponsored hackers, hackers for hire, cyber syndicates and terrorists.

Consider the testimony today from some of the nation’s top cybersecurity experts before the Senate Committee on Homeland Security and Governmental Affairs.

Suzanne Spaulding, undersecretary of the Department of Homeland Security’s National Protection and Programs Directorate, told lawmakers DHS’ National Cybersecurity and Communications Integration Center – or NCCIC – has already responded to more than 600,000 cyber incidents this fiscal year.

In response to many of those incidents, NCCIC issued more than 10,000 actionable alerts to recipients to help protect their systems and in 78 instances deployed on-site teams to provide technical assistance.

High-profile cyber breaches – such as those affecting Target, Home Depot and even celebrities’ private photos – trickle out on a near daily basis. But it’s clear the vulnerabilities aren’t relegated to the commercial sector.

When committee members asked Robert Anderson, the executive assistant director for the Federal Bureau of Investigation’s Criminal, Cyber, Response and Services branch, how much of government hasn’t been hacked yet, he offered a stark reply.

Despite demurring that he probably couldn’t answer the question exactly “off the top of his head,” Anderson said any part of government that hasn’t been hacked yet probably has been hacked – and hasn’t realized it yet.

“The bottom line is, we’re losing a lot of data, money and innovation” to adversaries in cyberspace, he said.

Feds Cite ‘Unprecedented’ Collaboration with Industry

The only way to stay ahead of the evolving threats is to collaborate and share information with the private sector, officials testified.

“We’re engaging in an unprecedented level of collaboration” with industry, international law organizations and other bodies, Anderson said, and those partnerships will continue to expand. 

For example, the FBI released 40 near real-time alerts on “current and emerging threat trends and technical indicators,” to the private sector – with 21 of those alerts sent to the financial industry.

The agency is now engaging in a more back-and-forth dialogue as opposed to the FBI listening and rarely sharing – which used to be the case.

Anderson also vowed harsher deterrents for malicious actors, referencing the recent indictments of Chinese citizens who were caught hacking the networks of American companies.

Sen. Tom Coburn, R-Okla., said he was pleased with FBI’s get-tough approach.

“I’m happy to see the FBI being aggressive on deterrence,” said Coburn, the committee’s ranking Republican.  “For so long, we thought building a higher wall was [the way to protect], but people are going to climb over any war we have. We need prosecutorial deterrence. I’m thankful of that attitude from FBI both domestically and internationally.”

DHS: We Need More Than Information Sharing

Yet, given that adversaries are gearing up with the same evolving, emerging technologies that government and private sector leaders are using – cloud computing, for example – a reactionary approach alone is no longer a viable approach to handling cybersecurity, experts testified.

“Information sharing is only one element of what is needed," Spaulding, the DHS official said. "We also need to update laws guiding federal agency network security; give law enforcement the tools needed to fight crime in the digital age; create a national data breach reporting requirement; and promote the adoption of cybersecurity best practices within critical infrastructure.”

Meanwhile, Spaulding’s boss – DHS Secretary Jeh Johnson – has an idea of his own to add to the list: passing comprehensive cybersecurity legislation.

“All the bipartisan progress and hard work invested in cybersecurity legislation in this Congress should not go to waste,” Johnson wrote in anop-ed published Tuesday in The Hill.