Cyber Command chief Gen. Paul Nakasone told Congress today that America’s adversaries are brazenly “exploit[ing] a gap” in the structure of US cyber civilian and military authorities to attack the nation from within.
“US adversaries are demonstrating a changed risk calculus,” Nakasone said. “They are undertaking malign activities in cyberspace of greater scale, scope, and sophistication.”
This includes increasingly instigating cyber campaigns against US entities from the US’s own backyard, conducting domestic hacks partly from infrastructure that is geographically within the country, he testified. Operating inside the US puts threat actors beyond the purview and reach of CYBERCOM and the National Security Agency.
“We should understand what our adversaries are doing,” Nakasone told Congress. “They are no longer launching attacks from different parts in the world. They understand that they can come into the US, use our infrastructure, and there’s a blind spot for us not being able to see them.”
Nakasone said he sees two “critical areas” the US needs to address. Both contribute to the government’s lack of visibility into what’s happening across domestic networks.
“It’s not that we can’t connect the dots. We can’t see all the dots,” Nakasone said, referring in part to US laws and policies that prevent CYBERCOM and the NSA from monitoring or carrying out cyber operations directly on domestic networks. “We have to be able to see what’s happening in terms of the broad depth of our nation,” he added.
The second critical area is the lack of cyber information sharing, particularly between the US public and private sectors. To this point, Nakasone said, “[The SolarWinds and Exchange] attacks took place within the US, and there are right now legal barriers and disincentives for the private sector to share information with the government. We have a difficulty, as a government, understanding the totality of the intrusion.”
To this point, Nakasone observed, “In terms of my authorities, as both the commander of CYBERCOM and director of NSA, I operate outside the US. It’s not just a matter of policy. It’s also law, in terms of we as a nation, rightly so, have a very, very determined balance between privacy and security.”
He added, “In terms of this changing risk calculus for our adversaries, their intent we, of course, continue to monitor. But I think [the SolarWinds and Exchange hacks are] the clarion call for us to look at this differently.”
For one hour and 29 minutes Nakasone gave highly nuanced testimony that, at times, seemingly hinted at a greater role for CYBERCOM and NSA on domestic networks, before he stated his view point blank: “It’s not necessarily that it’s CYBERCOM or NSA that needs to be [monitoring US networks]. I’m saying the nation needs an ability to be able to see what’s going on within the US.”
Some of Nakasone’s testimony on the lack of visibility and information sharing alludes to why the SolarWinds threat actor and hack were so difficult to detect. According to Feb. 23 congressional testimony by FireEye CEO Kevin Mandia, part of the SolarWinds threat actor’s attack infrastructure consisted of leased virtual private servers hosted within US data centers. Microsoft said the original Chinese threat actor behind ProxyLogon also used leased virtual private servers located in US data centers to attack US entities.
Because US law and policy forbid CYBERCOM and NSA from operating on US networks, “We, as CYBERCOM or NSA, may see what is occurring outside the US, but when it comes into the US, our adversaries… understand the laws and policies we have within our nation, and so they are utilizing our own infrastructure, our own internet service providers to create these intrusions.”
Nakasone noted that the FBI and other law enforcement entities can monitor US networks, within the proper legal framework. The issue is that adversaries are increasing their “scale, scope, level of sophistication” paired with the ability to move “very quickly.”
“What I’m identifying right now,” Nakasone said, “is that our adversaries understand that they can come into the US and rapidly utilize an ISP, come up and do their activities, and then come down before a warrant can be issued, before we can actually have surveillance by a civilian authority here within the US. That’s the challenge that we have right now.”
In the case of the SolarWinds threat actor, security investigators tracked some of its activities to virtual private servers leased from Amazon Web Services, as well as other cloud providers. AWS has publicly confirmed this. AWS declined to send a company official to testify in the Feb. 23 Senate Intelligence Committee hearing on the SolarWinds hack, which drew the ire of several lawmakers.
In today’s hearing — without offering any specific policy proposal to Congress — Nakasone said one consideration following the hacks might be whether or not to explore laws “in terms of the private sector understanding who their customers are.”
The issues Nakasone highlighted today — lack of total domestic network visibility and inadequate information sharing — are not new, but Nakasone’s pointed statements on US legal and policy hindrances to potential solutions appear to be a change from past public testimony and speeches.
The US, in fact, has long faced multiple conundrums in how to effectively prevent nation-state cyber campaigns against domestic entities. One issue is that the vast majority of US IT infrastructure is owned and operated by the private sector, which is not keen to allow domestic government entities with the legal authority to monitor their networks over concerns of customer privacy, legal liability, and a handful of other considerations.
Another issue is the lack of information sharing, which was highlighted today by Nakasone, in the Feb. 23 Senate hearing, and in countless past congressional hearings on the matter. Companies are usually loathe to share cyber threat intelligence about hacks or data breaches with the government for fear of legal liability, future regulations, brand reputation damage, and the potential loss of revenue, among other issues.
Nonetheless, Nakasone highlighted the need for action in this area. “How do we drive better partnerships between what the public sector needs and what the private sector can offer?” he asked. “Information sharing is critical for us to have success in the future.”
A third issue is the lingering fallout eight years later from the 2013 Edward Snowden revelations about illegal NSA activities on US networks, which raised issues of public trust in government security services. It also sparked a nationwide debate on the proper balance and inherent trade-offs between national security and personal privacy.
Nakasone said, “This is at the heart of our Fourth Amendment, being able to look at [domestic cybersecurity] in terms of why it’s so important that we have the right balance between privacy and security that is maintained. And so being able to address that is the challenge we have going forward.”
However, until these and other thorny issues are adequately addressed through congressional legislation, the US will likely continue to fumble these challenges.
At the core of these matters is the nation’s cyber resiliency, which Nakasone characterized by analogy: “We can have all the capabilities that we want, all the teams that we want,” Nakasone said, “but if there’s a hole in the bucket we’re filling with water, and the water’s coming out faster than we can fill it in, then there’s a problem.”
The hearing also touched on a variety of other issues, including CYBERCOM and NSA’s role in 2020 election. Nakasone said CYBERCOM conducted “11 hunt-forward operations in nine different countries for the security of the 2020 election.”
“Hunt forward” is the CYBERCOM concept that entails offensive operations to preemptively disrupt and disable cyberattacks against the US. Of course, hunt-forward operations are conducted only outside of the US.