WASHINGTON – At a House hearing on cybersecurity Thursday, Republicans criticized the White House’s response to cyber threats, saying that federal officials have failed to specify the consequences any attackers would suffer if they launched a cyberattack against the United States.
Several experts testified about the threat these types of attacks pose to U.S. national security during the hearing hosted by the House’s Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats.
The subcommittee’s chairman, Rep. Dana Rohrabacher (R-Calif.), said the U.S. could no longer depend on technology to prevent future cyberattacks.
“We cannot just rely on technology to defend against these types of attacks, we must use diplomacy to deter them by telling Beijing and others, in clear terms, that we will not allow their hacking without retaliation,” he said.
Reps. Tom Marino (R-Pa.) and Jeff Duncan (R-S.C.) made similar comments.
“If the NATO members get together and implement severe sanctions, do you really think that China and Russia will listen to us? I was in China and Russia not too long ago and brought up the issue with them and they didn’t like it. Actually, China acted like it wasn’t happening and Russia simply said ‘so what?’” said Marino.
Marino asked Christopher Painter, coordinator for cyber issues at the Department of State and the only government official testifying, if he could provide some examples of what the Obama administration is doing to make the issue of cyber threats a top priority.
Painter said that last year the administration conducted a National Level Exercise, the first one to focus on cyber threats, to explore how it would act in the aftermath of a catastrophic cyberattack on its infrastructure. In addition, Painter said that the U.S. is actively working with its close allies to increase collaboration on the issue.
“The U.S. government has challenged and persuaded other states to focus on cybersecurity as a critical policy issue. My office was the first of its kind in a foreign affairs agency, and since its creation, many countries have created similar positions and offices in their own foreign ministries as they recognize cyber as a new foreign policy imperative,” Painter said.
Painter said the U.S. has raised its concern with Chinese officials, most recently when President Obama did so during a call with the Chinese president last week. Painter added that even though the country has some talks with China on the issue, they are not yet a sustained dialogue.
“I’m sure that a sustained dialogue is going to really deter these fellows along with the proclamations of great concern. I asked a specific question about specific actions, and all I got was a list of words. I’m sure that words coming out of the mouths of [American officials] are terribly frightening to the Chinese,” Rohrabacher retorted sarcastically.
Richard Bejtlich, chief security officer at Mandiant Corporation, a computer security firm, said that the details the firm has analyzed during hundreds of investigations have convinced it that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them.
Mandiant has tracked dozens of computer hacking groups around the world for nearly a decade. In particular, the security organization has followed the most prolific of these groups (named Advanced Persistent Threat 1, or APT1), saying that the group has stolen hundreds of terabytes of data from at least 141 organizations.
“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” Bejtlich said.
In February, Mandiant released a 60-page study tracking the individual members of the most sophisticated of the Chinese hacking groups. The study identified a secretive Chinese military unit as the likely source of hacking attacks on hundreds of companies around the world.
“Our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate,” Mandiant stated in its report.
The People’s Liberation Army General Staff Department’s Third Department – commonly known as Unit 61398 – is staffed by people specially trained in network security, covert communications, and English linguistics. The unit, located in a suburb of Shanghai, has a well-defined attack methodology. Once the unit has established access to a company’s network, it may steal intellectual property, business plans, partnership agreements, and other important confidential information from the organization over a period that could last for months or years.
Rohrabacher mentioned that the “commercial warfare” being conducted against the U.S. far exceeds traditional espionage, which, he said, the chief of the U.S. Cyber Command estimated to cost the U.S. economy $250 billion a year.
“The transfer of wealth by the theft of technology and other information vital to the development of industry is then used to gain a competitive advantage in world trade which brings even more wealth to China,” said Rohrabacher.
Greg Autry, a senior economist at the Coalition for a Prosperous America, said evidence suggests that a full accounting of the costs of Chinese cyber warfare is hard to compile because many of these crimes go either unnoticed or unreported.
Nevertheless, he said, a modest estimate of the costs would be in the hundreds of millions.
Last month, Obama signed an executive order establishing a security framework for critical infrastructure owned by the private sector. The order would make the National Institute of Standards and Technology work with companies to develop a framework of “cybersecurity best practices.”
At a Senate hearing earlier this month, Homeland Security Secretary Janet Napolitano urged Congress to enact legislation that would assist agencies in establishing a public-private partnership and grant the regulatory authority to protect critical infrastructure.
At the House hearing on Thursday, Painter also said that though the executive order is very important, the country still needs legislation that will encourage voluntary cooperation between the public and private sectors on this issue.
The hearing comes in the wake of cyberattacks on Wednesday that damaged over 30,000 computers and servers at six South Korean banks and media companies. Investigators said on Friday that they had determined that the IP address, initially thought to be from China, had originated from an internal IP address at one of the banks affected by the malicious code.
Hackers can easily manipulate IP addresses anywhere in the world, so the investigation’s findings about the origin of the attack are not conclusive. Officials said the investigation into the sources of the attacks could take weeks, as reported by the BBC.