#RSAC: Congressional Oversight in the Wake of Russian Hacking

At the RSA Conference in San Francisco, on February 14, 2017, a panel of staff from US Congressional committees concerned with security discussed the state of cyber affairs in Washington, DC, with Russia the dominant topic. Their remarks reflected many open policy questions and uncertainty about the direction the Trump Administration may take.

The panel:

  • Michael Brown, VP and GM RSA Global Public Sector, RSA, Moderator
  • Michael Bahar, Minority Staff Director and General Counsel, House Permanent Select Committee on Intelligence
  • Daniel Lerner, Professional Staff Member, US Senate Committee on Armed Services
  • Kirk McConnell, Professional Staff Member, US Senate Committee on Armed Services
  • Brendan Shields, Staff Director, House of Representatives Committee on Homeland Security

Brown: What is your committee considering around cyber?

Lerner: The Senate Armed Services Committee has broad jurisdiction. We’ve been very active on cyber, particularly in coordination with the Department of Defense. We pass cyber legislation every year, with forty provisions just in the last year.

Bahar: In 2015 we passed surveillance reform (the Freedom Act), and the Cyber Information Sharing Act of 2015, working with DHS. There are many open issues. Should there be legislation? If we’re going to partner with the private sector, what’s the best way to do that? How much will be shaped by the courts? The Internet of Things will probably find its way there. Liability will get litigated.

Brown: What cyber priorities do you see in this session of Congress?

Bahar: Russia. What just happened? How? How do we make sure it doesn’t happen again? The House and Senate Intelligence committees are having separate inquiries into the hacking and influence campaign to affect our elections. Also, FISA section 702 is up for re-authorization in September. That’s where the intelligence community can find out what is being done against US interests and safety.

Lerner: How are we able to deter against cyber adversaries? By denying, or by imposing consequences. So far they’ve been pretty inconsequential. It starts from Executive Branch – what authorities do they give to government executive entities? The status quo is insufficient. Russia gives us the opportunity to look introspectively and prepare for future warfare.

Shields: The softer side also matters – the ability to lead, to get people to talk to each other and work together. Cyber is international – are we sharing with other countries? Privacy issues are also important. How does this impact the bottom line of companies?

Lerner: There is a jurisdictional issue. Everyone wants to see the lead cyber org be in their agency. Congress has issues navigating the jurisdictional challenges. Who is best suited to lead it? Does it even exist yet?

Bahar: Jurisdictional problems are not just from dysfunction. There are challenges with assessing exactly where it should sit, based on an agency’s current purpose and responsibilities.

Brown: Regarding Russia, what do you look at with respect to upcoming roles and responsibilities and potential options – legislatively, or even coordinating activity among agencies, and possibly the private sector?

Lerner: At the end of the Obama Administration, were sanctions and diplomatic punishment sufficient? What is the future of existing sanctions? What is a cyber attack that warrants a military response? That’s not yet defined. They’re all handled as one-offs. That doesn’t create stability, it undermines our security posture.

Shields: It’s easy to forget the hack of the day, but how are you going to make offending state actors think twice? If someone does something and you don’t respond appropriately, are you encouraging them to do it again?

Bahar: It’s also about defense. The Russians used spear phishing, which is not very sophisticated. They’ve been trying it for a long time, and this time they were able to do it. We have to be honest with ourselves and look at how this was possible. What will we do? When? How do we avoid escalation? Do we avoid the fortunate or unfortunate fact that we’re much more dependent on cyber than other countries?

Lerner: The challenge is that deterrence is an Executive Branch function, but it’s hard to draw that out of them. Congress can’t set policy, but they can provide a framework for building a deterrence strategy.

Shields: We need common definitions – what is an attack? When an attack happens, what is our response? There is a growing desire to make sure deterrence is real.

Bahar: But we’re also aware of the complexity. Consider attribution – you don’t know right away where an attack came from. It’s not like a nuke. When I figure it out, can I say I know? Does that give up my sources and methods? How do you deal with rules of engagement against a server that’s in an otherwise neutral country? Creating common international operating principles can help.

Brown: What are the top 3 things you’d like addressed by the Trump Administration?

Shields: That the pending Executive Order comports with existing law.

Lerner: A recognition that the status quo isn’t working; an understanding of how we’re going to address these challenges.

Bahar: We won’t get to these questions until we figure out the Russia issue. It’s not about party, it’s about country. It’s not going to stop. We’ll see it in other countries, our allies. We have to get to the bottom of what happened before we’re able to get to these other urgent concerns.