2021 Hack the Capitol presenters discussed deterrence, partnership, leadership, ICS security, regulation, critical infrastructure security, hygiene, education, and the future of national cybersecurity strategy.
(Key)Notes from Hack the Capitol 2021: cybersecurity and critical infrastructure security.
How do US officials hope to steer the nation’s cyber ship in the near term? Hack the Capitol 4.0, held virtually on May 4, offered some insight. A collaboration among the ICS Village, the R Street Institute, the Cyber Bytes Foundation, and the National Security Institute, the event, in the hosts’ words, was “designed to educate congressional staffers, scholars, and press on some of the most critical cybersecurity challenges facing our nation today.” The CyberWire attended “Track One,” the policy track. Track Two featured technical talks, and Track Three, an exhibition hall.
A multi-pronged approach to national cybersecurity.
Representative Robert Wittman (Republican, Virginia 1st) kicked off the day with a keynote that hit all the bases, from workforce development to defense, offense, and deterrence. Cyber operations threaten our economic, military, and strategic interests, he said, and the SolarWinds hack revealed just how far our adversaries are willing to take things. Data is becoming the new currency, and China is thrashing us on the big data, AI, and quantum computing fronts, with “orders of magnitude” greater investments in R&D, and strategic operators like Huawei poised to “vacuum up” data.
Wittman recommended several courses of action to allay further escalation in the cyber realm: “aggressive defense,” “active offense,” and “effective deterrence.” While we’ll always lose at incident whack-a-mole, we can find ways to distract threat actors and force them to spend resources on defense. Wittman advocated for an integration of information and cyber warfare capacities, equal prioritization of the kinetic and cyber realms, and greater investments in cyber research. If we punch back harder for every offense, he argued, our opponents will learn to steer clear.
Explaining that each individual has a role to play in the nation’s security, Wittman stressed the overlapping responsibilities of diverse actors like consumers, mathematicians, programmers, engineers, managers, and military personnel. The ubiquitous smartphone attack vector, for instance, affects civilians and military units alike. Recruits need cybersecurity training the same as everyone else. Better still, emphasizing STEM subjects from elementary school onwards will position the workforce of tomorrow to build a safer future. To this end, the Freedom to Invest in Tomorrow’s Workforce Act would permit the use of 529 savings accounts for credentialing programs in addition to two and four-year institutions.
If Wittman had a magic wand, he’d raise awareness of the urgency of cybersecurity across every sector, to the same level with which people approach Covid-19. As technological innovations proliferate, he said, there’s the potential to use them for good or evil, and we all need to encourage the former. Wittman welcomed Hack the Capitol participants to get in touch with their creative ideas.
Cyber is a team sport, with a team captain.
Representative John Katko (Republican, New York 24th) seconded the notion that our safety and ideals are under attack in hitherto unseen ways. The 20th anniversary of September 11th serves as a grave marker of the value of resilience and partnership in the face of such challenges, he said. More recent attacks on our nation's infrastructure remind us that we exist in a hyperconnected lattice of hardware, software, and services, where “cybersecurity is national security.” This existence demands both preparation and reactivity, ideally headed by a centralized, well-resourced authority with wide visibility. Katko praised President Biden’s recent cyber nominations, in light of the significance of clear leadership in the space. Cross-party and cross-sector collaboration, he concluded, will further advance the ball.
ICS security via SRMAs, CISA, and risk management.
Representative James Langevin (Democrat, Rhode Island 2nd) underscored the pervasiveness of software in society—throughout schools, hospitals, water utilities, and other critical resources—and explained the interplay between the digital and physical realms. Industrial control systems (ICS) nearly always manage physical processes using digital “brains” that run software. The OT environment is the stuff of his nightmares, since it undergirds half of our critical infrastructure (CI) sectors, and is increasingly networked. Because we can never exterminate all design and software bugs, which our indefatigable adversaries will continue to hunt and exploit, we must adopt a risk-based approach centered on Sector Risk Management Agencies (SRMAs) and the Cybersecurity and Infrastructure Security Agency.
There’s room for improvement in the CI taxonomy, Langevin said: we could use a space sector, for example. Once that’s all settled, we need to look at each sector’s risks, where risk is defined as vulnerability multiplied by threat multiplied by consequence. The potential consequences of CI attacks are monumental, the attackers, motivated and skilled, and the vulnerabilities, too widespread, given the current “rush to market.” The role of SRMAs’ is to liaison with CI sectors, and provide expertise on the “consequence” variable. Right now many sectors face severe visibility problems and are unable to flag anomalies, having not baselined their operations. Throwing money at the issue won’t be enough: good strategy is also important—specifically, a good national risk management cycle.
CISA received useful new authorities in the last National Defense Authorization Act (NDAA), Langevin continued, but needs even more resources and powers to effectively support CIs. In an ideal world, the Agency would have resident sector-specific security experts as well as hunt and incident response teams assigned full-time to CI. CISA would lock arms with SMRAs, and the country would sleep peacefully.
Nevertheless, Langevin is thrilled with how far the US has come. The last NDAA made great strides, like establishing a national cyber czar. Legislation moves slowly, by design, but he’s happy to finally discuss what’s been accomplished, rather than what could be. Give a magic wand, he’d materialize real-time public-private information sharing.
Organizational, legislative, and personal proposals.
“Recovering” computer science major Representative Ted Lieu (Democrat, California 33rd) observed that Washington is underperforming on cybersecurity. Whereas there’s abundant private interest in assisting the Government with policy solutions, outreach from the Government has been insufficient, mirroring officials’ deficient cyber expertise.
The Government’s approach to cybersecurity is “basically all messed up,” he explained, riddled with too many agencies and authorities across the Pentagon, White House, Department of Homeland Security, and so on. The problem of many hands manifests in a confusion of responsibilities. Lieu would like to unite cyber authority within one Federal agency and one Congressional committee. (Currently, he said, about six committees share jurisdiction over cyber.) Though it’s “pulling teeth” to convince officials to relinquish control, the nation’s cyber health would benefit.
Lieu’s cyber legislative priorities include workforce development, with the New Collar Jobs Act, foreign cyber diplomacy, and consumer protection, featured in the Cyber Shield Act. At present, consumers don’t have the same guarantees when they purchase IoT devices as they do when picking up traditional electronics like ‘dumb’ fans. While you can expect the fan not to work against your interests, the uncertified security camera may well send your data to the bad guys.
Lieu is also concerned about improving cyber education across the board. Both the public and private sectors struggle with hygiene, a sad state of affairs when many hacks rely on unsophisticated social engineering. General adoption of multi-factor authentication would be a good start, closely followed by safeguarding personal devices like smartphones. (Lieu recounted his battle with getting the Government to secure representatives’ cell phones.) His final word of advice for listeners, however, was never to connect to public wifi.
The future of cybersecurity is now.
While Representative Yvette Clarke (Democrat, New York 9th) is awed by the marvels of modern technology, she’s disappointed by the “unacceptably” slow progress on cybersecurity. A decade ago, she said, Congress held eerily familiar discussions on grid protection, network defense, and role clarification. Cybersecurity hasn’t kept pace with adversarial skill and intent, thanks to failures in leadership, resourcing, and collaboration. Nevertheless, the moment is ripe for “ambitious ideas,” and she’s eager to put her dreams into action.
Clarke’s top five objectives are the following: augmenting CISA’s resources and authorities, renovating Federal network security, enhancing public-private coordination, bolstering neglected sectors’ security posture, and combatting disinformation. CISA’s recent budget boost is not adequate given the Agency’s vast obligations. Since SolarWinds revealed shortcomings that should have been uncovered through regular reviews, she encouraged CISA to undertake periodic assessments of initiatives like the Continuous Diagnostics and Mitigation Program and National Cybersecurity Protection System.
Clarke would also like to see Homeland Security work its hiring authorities to quench the talent drought, and would appreciate basic improvements to local, state, and CI practices. Too often regional partners couple outdated systems with poor cyber hygiene, appending security as an afterthought, but the State and Local Cybersecurity Improvement Act could turn things around. Polished by robust policy, cooperation, and resourcing, she said, the future is bright.
Better (at cyber) together.
National Cyber Director nominee Chris Inglis closed out the day with comments on the direction of national cybersecurity. Currently organizations are watching each other get picked off by APTs and praying they’re not next, he said, but the bright side is growing awareness of the persistent, pervasive nature of the problem. The right solution will take a whole-of-nation approach, looping in civilians and technologists alike, and pursue a unified strategy rather than a cacophony of discrete tactics.
Such a strategy would pursue resilience from hardware, software, and human angles, and divide roles and responsibilities intelligently with an eye to collaboration rather than subordination. We’ll need to avoid reverting to bad habits surrounding turf segregation, he said, holding up as an example the physical domain, where the military, militia, police, and Government serve diverse goals in a coordinated fashion.
Software and hardware security will likely require both the carrot of market incentives and the stick of regulation, but carrots should be deployed when possible. Incentives and disincentives have a broader part to play in rewarding good cyber behavior and imposing swift, meaningful consequences for offenses, in a way that shapes agents’ cost-benefit analyses.
As for the human capital challenge, Inglis said digital literacy is an ongoing issue for everyone— not just those in cyber roles—marked by pervasive ignorance of the consequences of digital choices. The average layperson who tosses something into the cloud has little knowledge of the relevant risks, terms of service, or security protocols, for example. Cyber education ought to begin in grade school, perhaps through camps and extracurriculars, and extend through graduate and professional programs. Cyber hiring managers should in many cases look for skills, not just degrees. While firms can address talent gaps individually, a national drive to prioritize cyber, similar to what occurred around science in the 1960’s, will ensure a healthy pipeline.
At the leadership level, Inglis sees more "sins of omission" than "sins of commission." Leaders don’t deliberately disregard problems, but misunderstand their solutions. Since cyber involves both technology and people, you can’t achieve security by decree. Effective managers see cyber as the “lifeblood” of their organization, on par with the human component. They also connect the risk takers and risk mitigators in the boardroom, and seamlessly align development and security. (When for instance the people wanting to build in Ukraine aren’t talking to the people familiar with Russia’s influence in Ukraine, he explained, that’s a mistake.)
He closed with two metaphors from magic to express his hopes. If he had a magic wand, Inglis would unite public and private cyber professionals in a physical location where they could swap intuitions and ideas and problem solve together. This would look something like the UK’s National Cyber Security Centre, and serve to develop both capacities and relationships. Although all 330 million Americans may not be able to “collaborate richly,” decision-making power can be distributed among diverse leaders.
If he had a crystal ball, Inglis thinks he’d see threat actors persisting at undermining US interests as the country sorts its next steps, as well as notable progress towards Federal solutions—as long as we continue to arise each dawn and “run towards new daylight.”