How should the U.S. respond to cyber attacks? That’s been a major question at this year’s RSA security conference, following Russia’s suspected attempt to influence last year’s election.
Clearly, the government should be doing more on cybersecurity, said U.S. lawmakers and officials at the show, but they admit that politics and policy conflicts have hampered the government's approach.
“I wish the federal government could do this, but it’s very hard, unfortunately, due to partisan politics,” said Virginia State Governor Terry McAuliffe, during a speech at the show. “They haven’t been able to take the lead on this issue as they should have.”
Instead, it might be up to the states to assume a larger role in promoting cybersecurity, given that divisive U.S. politics at the federal level have been stalling government action, McAuliffe said on Tuesday.
Collectively, state governments store more data than the federal government, including residents' tax returns, healthcare records and drivers’ licenses, he said. That can make them targets of hackers, so McAuliffe has been urging other states to make cybersecurity a priority.
“It’s up to the governors of this country to lean in and take the lead,” he said.
At the RSA show, U.S. Representative Michael McCaul also spoke and said the U.S. is falling behind on cybersecurity, pointing to the numerous hacks from state-sponsored hackers. “We are in the fight of our digital lives and we are not winning,” he said.
McCaul, who also chairs the House committee on Homeland Security, said Russia’s suspected involvement in influencing last year’s election was a “wake up call.” But he was disappointed with the responses from the administration of President Barack Obama and Donald Trump, then a presidential candidate, to the Kremlin’s alleged meddling.
“If there are no consequences for bad behavior, the bad behavior will continue,” he said. “Unfortunately, we still do not have a clear proportionate response, policies for striking back.”
However, actually coming up with a U.S. doctrine on stopping serious cyber attacks is easier said than done.
“One of the big questions out there is what is an act of war in cyberspace?” said Daniel Lerner, a staff member at the U.S. Senate committee on Armed Services, who also spoke at the show.
Currently, the U.S. treats every serious cyberattack on a case-by-case basis, which does little to dissuade the state-sponsored hackers from attacking in the first place, he said.
“That’s no way to project deterrence. And it really undermines our overall security posture, if every instance is a crisis,” Lerner said.
It doesn’t help that trying to accurately prove a foreign country was behind a cyberattack can be incredibly hard and might involve sensitive intelligence.
For instance, U.S. intelligence agencies have declined to share publicly classified evidence showing why they suspect Russia was behind last year’s election-related hacks. In addition, the Kremlin has denied any involvement.
Nevertheless, more officials in the U.S. government want to see the country take action in the event of another cyberattack, said Brendan Shields, staff director at the House committee of Homeland Security.
“The fuse is getting shorter and shorter,” he said at a panel discussion at RSA. “I think there is a growing desire for making sure deterrence is real.”
However, going after state-sponsored hackers is only one aspect of the problem. Much more of it has to do with defense, and protecting users from hacking threats that are coming over consumer-made products or websites.
It’s an area where the private sector also needs to play a crucial role, given that IT vendors have most of the cybersecurity talent, said the Virginia governor.
“We need your ideas. We need the private sector,” McAuliffe said. “We at the state government cannot drive this. The federal government cannot drive this.”