Washington is scrambling for solutions in light of two major recent hacks in which attackers used U.S. internet infrastructure. In a sweeping Russian hack of at least nine government agencies and 100 companies, hackers used Amazon cloud services and GoDaddy domains to launch malicious software used in the attack. Those hackers went unnoticed by the government for almost nine months. Chinese hackers that compromised thousands of Microsoft Exchange servers also used U.S.-based servers.
“It’s not the fact that we can’t connect the dots. We can’t see all of the dots,” Nakasone told lawmakers.
The NSA only has authorization to monitor foreign Internet traffic. And although the FBI and the Department of Homeland Security have some authority over Internet traffic within the United States, the authorities require a warrant.
It’s against this backdrop that some experts want to expand NSA authorities to monitor domestic Internet traffic under limited circumstances.
The idea is a controversial one that has already sparked concerns due to its privacy implications. The NSA’s authorities are limited largely because of the Fourth Amendment, which protects Americans from unreasonable search.
Former NSA general counsel Glenn Gerstell says privacy and civil liberties advocates would need to be involved in coming up with any solution – but more power for the agency is the answer.
“The alternative is to throw up our hands and say, well, it’s a tough Fourth Amendment problem and we’re going to have to pay the price of being online and let the Chinese, Russians, North Koreans and Iranians do whatever they want on American soil in cyberspace,” said Gerstell, now a senior adviser at the Center for Strategic and International Studies. “That cannot possibly be the right answer for our country.”
Nakasone has not asked for any expanded powers along those lines. He told lawmakers that while the intelligence gap exists, it is “not necessarily” the role of U.S. Cyber Command or the NSA to step in to address it.
Other cybersecurity experts have pushed back against the idea of expanding NSA powers.
Robert Knake, a senior fellow at the Council on Foreign Relations, said such a move could result in a bigger and worrisome government surveillance dragnet of Americans’ data – and there’s no indication that NSA tools would have actually detected the Russian hack of SolarWinds, a software company providing services for government agencies.
Instead, the government needs to focus on the issue of combining existing intelligence, including from the private sector, for a better response.
“There were many, many dots that weren’t connected that pointed to the plot,” said Knake, a former director for cybersecurity policy at the National Security Council.
One floated solution gaining traction: Making it easier for the private sector to share cyber threats with the federal government.
Private companies, lawmakers, intelligence officials and the White House have all called for greater information sharing between the private and public sectors – potentially through a clearinghouse model where private and public sector intelligence is funneled into one central repository, likely overseen by the Department of Homeland Security. That solution comes with its own obstacles, however. Internet infrastructure and software companies aren’t required to share breaches with the federal government.
Lawmakers have for weeks said that legislation requiring companies to share cybersecurity incidents and breaches is on the horizon.
The keys
A hacking group is leaking data from a U.S. military contractor.
The group, which publishes hacked data if its ransom demands aren’t met, posted purchase orders used by the PDI Group’s hundreds of clients, the Record’s Catalin Cimpanu reports. It’s the latest in high-profile hacks of military contractors in recent months, including Electronic Warfare Associates, which said it supplied electronics to the Defense Department and other U.S. government agencies.
Spokespeople for the Defense Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency deferred to the company, which manufactures ground support equipment, for comment. A PDI spokesperson hung up when the Record asked for comment about the attack.
A judge rejected a request by an ex-CIA employee to dismiss charges of leaking hacking tools.
A judge denied former CIA employee Joshua Schulte’s bid to dismiss espionage charges on the grounds that the grand jury that indicted him did not have enough Hispanic or Black individuals, Larry Neumeister of the Associated Press reports.
A trial for Schulte, who is accused of leaking CIA hacking tools to WikiLeaks and has pleaded not guilty to all charges, is expected to begin in October after a jury deadlocked last year. WikiLeaks’ 2017 release of the hacking tools was one of the most significant leaks in the CIA’s decades-long history and laid bare the agency’s hacking and surveillance methods.
The Biden administration is readying an executive order to require companies to disclose breaches to U.S. government clients.
A draft version of the order would also require companies to keep more records for investigations of the breaches and work with federal agencies as they respond, according to Reuters’s Christopher Bing, Nandita Bose and Joseph Menn. The order could be made public as early as next week, they write.
The executive order comes as the Biden administration plans its responses to the devastating SolarWinds and Microsoft Exchange hacks.
A National Security Council spokeswoman told Reuters no decision has been made on the final content of the executive order.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, previewed the executive order earlier this month, when the government was still primarily grappling with SolarWinds. Neuberger said at the time that the executive order would “focus on building in standards for software, particularly software that’s used in critical areas.”
Chat room
Some who read about the executive order had questions. Red Canary intelligence analyst Tony Lambert:
The Economist’s Hal Hodson:
Hill happenings
Eleven senators asked the Energy Department to support its cybersecurity office.
The bipartisan group of senators asked Energy Secretary Jennifer Granholm to preserve the department’s Office of Cybersecurity, Energy Security, and Emergency Response. The letter comes amid increased scrutiny on cybersecurity in the critical infrastructure sector.
Industry report
Trade groups are calling for the Biden administration to prioritize open data.
The nine groups want President Biden to appoint a chief data officer to coordinate open data efforts across the government. The groups include the Software Alliance, the Information Technology Industry Council and the Internet Association. The groups also take issue with the implementation of the 2019 OPEN Government Data Act, which required government agencies to provide machine-readable data by default and have chief data officers to oversee the process.
Cyber insecurity
The FBI paid a nonprofit organization that tracks child predators $250,000 for hacking tools.
A U.S. government procurement record said the FBI’s Child Exploitation Operational Unit bought “a set of NITs,” or network investigative techniques, from the Innocent Lives Foundation, Motherboard’s Joseph Cox reports. The FBI’s purchase of the tools from the nonprofit organization, whose mission is to “unmask anonymous child predators,” shows an often invisible relationship between the government and the private sector in the trade of high-value hacking tools. The FBI declined to comment. Chris Hadnagy, the founder of the Innocent Lives Foundation, declined to comment on the hacking tools or their origin.