A report detailing large-scale cyberespionage operations against several international targets should serve as a wake-up call for the U.S. government to realize its current defense strategy is failing to protect the nation from cyberattacks, experts told POLITICO on Wednesday.
For cybersecurity experts, the report from Internet security firm McAfee is just another piece of evidence highlighting how the government’s cyber strategy is lagging behind the times and fails to address the scope of current cyberthreats.
“The motto for our policy has been fat, dumb and happy,” said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies. “This has been going on for a long time and we’re way behind the curve as a country… the old sort of laissez faire approach doesn’t work anymore.”
The agencies have done “a completely unacceptable job of protecting their systems,” said Alan Paller, director of cybersecurity research at the SANS Institute.
The McAfee report released Wednesday detailed how more than 70 networks of government agencies, international organizations and media – including the International Olympic Committee and the United Nations – were infiltrated in a widespread cyberattack operation conducted by another country.
The 14-page report did not name the nation that led the series of attacks but security experts speculated that China was the most likely culprit based on the targets.
Previous high-profile cyberattacks on major U.S. companies, such as Google and EMC, have been said to stem from up-and-coming economic superpower China. In the McAfee report, 49 of the victims of the hacking operation are based in the U.S.
To combat this behavior, the State Department needs to take a tougher stand against the Chinese government and bring its cyberprobing activity to the attention of international bodies, such as the World Trade Organization, one security expert argues.
“We continue to wear kid gloves with the Chinese when it comes to the attempts of espionage,” said Tom Kellermann, chief technology officer at AirPatrol Corp. and former cybersecurity official at the World Bank. “State needs to take the gloves off and State needs to shame China for their activities.”
The State Department did not return several calls seeking comment.
Congress has played a role in spurring the federal government to change its behavior on cybersecurity and lawmakers can keep acting as a catalyst by speaking out on the issue, according to Paller.
“The immediate opportunity for Congress is active oversight,” Paller said. “Congress can have a profound effect that way.”
Updating the nation’s cybersecurity laws has been identified as a top legislative priority for both chambers of Congress. The Senate is currently at work on a comprehensive cybersecurity bill that Senate Majority Leader Harry Reid has slated for a fall introduction. The House is working in a piecemeal fashion and aiming to bring several smaller, standalone bills to the floor.
In a statement to POLITICO, Rep. Mac Thornberry (R-Texas) said the House Cybersecurity Task Force, which is composed of Republican members, will continue to work on its legislative recommendations to GOP leadership throughout the August recess.
Rep. Jim Langevin, a top Democrat on cybersecurity, stressed that it’s time for Congress to act with a “greater sense of urgency to pursue the relatively small investments in cybersecurity that would mitigate threats capable of impacting our economic stability.”