A cyberattack on U.S. critical infrastructure should trigger an even more forceful response, according to Homeland Security Secretary Kirstjen Nielsen.
"By the time that country is attacking civilian networks, civilian assets, it’s not a fair fight," Nielsen said at an event hosted by George Washington University’s Center for Cyber & Homeland Security yesterday. "That’s not how the international world has created norms and standards, and I don’t think [the response] should be commensurate. I think it should be more."
Nielsen pointed out that the Trump administration is "working on" deterring malicious behavior in cyberspace by quickly identifying the nation-states or hackers behind attacks.
"We’ve got to attribute faster," she said. "We’ve got to bring everything to bear, especially with our allies, so we can name names as soon as possible, not many months later."
Nielsen laid out a menu of potential consequences, from economic sanctions to "unseen" actions.
"We will no longer stand idly by as our networks are penetrated, exploited or held hostage. Instead, we will respond, and we will respond decisively," she said.
The Department of Homeland Security is charged with defending some of America’s most sensitive computer networks, including civilian U.S. government websites and data. The agency also offers cybersecurity support to private companies, such as power utilities, that come into the crosshairs of hackers backed by foreign intelligence services.
DHS and the FBI warned of one such cyber espionage campaign earlier this year in a rare alert, claiming that Russian hackers targeted U.S. energy, nuclear and chemical companies for years.
The attackers never managed to turn off the lights, but they reached the control system of at least one small power generation asset, officials say.
Grid leaders have expressed confidence in the U.S. readiness to strike back in the wake of a major cyberattack on civilian infrastructure. Tom Fanning, CEO of utility giant Southern Co., said earlier this summer that "if somebody tries to take us down, they will have a bad day," hinting at a cyber escalation that would draw in the Defense Department (Energywire, June 27).
Nevertheless, U.S. officials have been cagey about drawing clear "red lines" for acceptable behavior in cyberspace. Last May, President Trump called for a review of cyber deterrence policy in an executive order on critical infrastructure cybersecurity. The results of that effort pointed to "significant challenges" in deterring state-sponsored cyberattacks that fall short of meeting the definition for "use of force."
The House yesterday passed legislation that would direct the president to take specific actions to deter foreign hackers, such as identifying "critical cyber threat actors" that could harm critical infrastructure sectors and publicly posting lists of transgressors.
"In effect, this would codify America’s longstanding unofficial policy of naming and shaming bad actors in cyberspace," Rep. Ed Royce (R-Calif.), chairman of the House Foreign Affairs Committee, said in prepared remarks. "This legislation will put countries like Iran, North Korea and Russia on notice that the United States is prepared to impose tough consequences for cyber attacks."
Nielsen said that DHS would release a strategic plan for countering new dangers to the U.S., including cyberthreats to election systems and critical energy infrastructure.
"Cyberattacks, in terms of their breadth and scope and possible consequences, now exceed the risks of physical attacks," she said yesterday, pointing to U.S. intelligence estimates that more than 30 nations have developed sophisticated offensive capabilities online.
She cited the WannaCry and NotPetya cyberattacks last year, in which fast-spreading malware caused hundreds of thousands of computers to seize up. The U.S. later attributed those attacks to North Korea and Russia, respectively.
"They think they can get away with it — too often, they have," Nielsen said.