Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
House Homeland Security Committee Mulls Response to Volt Typhoon, Future of CISA
The United States needs to respond more aggressively to nation-state hacking, members of Congress heard Wednesday against a backdrop of changes, actual and planned, at the primary federal civilian cyber defense agency.
See Also: OnDemand | North Korea’s Secret IT Army and How to Combat It
American cyber defenders should move against the infrastructure underpinning a wave of Beijing-led attacks against critical infrastructure that have penetrated telecom networks and prepositioned hacking tools, said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation. “We have to go on the offense,” he said.
“We may sacrifice a tool, we may sacrifice an access, but I think the Cyber Command and intelligence communities have lots of tools and lots of access,” the former Navy rear admiral told the House Homeland Security Committee. “We need to demonstrate publicly – and we should attribute it to yourselves, say ‘we did this because of what you did.’ Otherwise, the Chinese are going to keep doing what they’re doing.”
The Cybersecurity and Infrastructure Security Agency warned in February that the Beijing hacking group tracked as Volt Typhoon had spent at least five years embedded in U.S. IT systems. The group positioned itself within critical infrastructure networks to unleash destructive cyberattacks in the event of a Sino-U.S. conflict – a mounting possibility, given tensions over the status of Taiwan. The Biden administration unleashed a flurry of sanctions and federal prosecutions against Chinese hackers during its final weeks, but some critics have called for a more bellicose response.
“I totally agree,” said Rep. Michael McCaul, R-Texas, chairman emeritus of the Homeland Security Committee, in response to Montgomery. “We need to call them out for this,” he added, asserting that Chinese hackers could shut down electricity on the U.S. West Coast in the event of a Taiwan invasion.
When it comes to cyber defense, Montgomery said Congress should authorize cyber defense National Guard units in each state. “Governors have authorities at the state levels that the federal government doesn’t have,” he said. Committee Chairman Mark Green, R-Tenn., vowed to again push legislation that would require the Pentagon to assess the feasibility of creating such units.
The hearing took place just days after the Senate Homeland Security Committee heard testimony from Kristi Noem, the South Dakota Republican governor who’s the Trump administration’s choice to lead the Department of Homeland Security, of which CISA is a component.
Noem voiced criticism of the agency, a common Republican policy stance. “CISA needs to be much more effective, smaller, more nimble, to really fulfill their mission, which is to hunt and to help harden our nation’s critical infrastructure,” she told senators. The agency has more than doubled to 3,300 employees over the course of the Biden administration, leading some Republicans to question its size. Senate Homeland Security Chairman Rand Paul, R-Ky., has repeatedly criticized the agency for its efforts to tamp down disinformation, characterizing it as suppression of free speech.
“I’d look forward to working with you on legislation, should you wish to rein them in,” Noem told senators.
Acting Homeland Security Secretary Benjamine Huffman on Monday removed all members of departmental advisory committees, including participants of the Cyber Safety Review Board. The Biden administration established the board through a May 2021 executive order to study major cyber incidents and recommend improvements. The board recently began an investigation into Salt Typhoon hacking.
During the Wednesday House hearing, Ranking Member Bennie Thompson, D-Miss., attempted to rally support for CISA from witnesses, with mixed effect.
“We would happily work with any federal agency that is charged with securing the cybersecurity of the United States. As far which agency is appropriate, I defer to the federal government, on that one,” said Adam Meyers, a CrowdStrike senior vice president.
Montgomery responded that CISA should be focused on acting as the federal government leader for risk management, even when the risk lies in critical infrastructure sectors outside CISA’s current jurisdiction such as railways, ports and the aviation sector. “Yes, we do need a CISA. We probably need a CISA that’s envisioned differently than the last two presidential administrations have aligned it,” he said.