An extremely sophisticated cyberattack was in progress Thursday against RSA, the security unit of EMC, targeting its SecurID two-factor authentication products.
The attack comes one day after the top cybersecurity executive at the Department of Homeland Security told Congress that government and private-sector IT systems are at risk from such attacks. "Sensitive information is routinely stolen from both government and private sector networks," Philip Reitinger, DHS deputy undersecretary for national protection and programs, told the House Homeland Security Committee. "We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis."
Gregory Wilshusen, Government Accountability Office director of information security issues, concurred that threats to information systems are evolving and growing. "Systems supporting our nation's critical infrastructure and federal systems are not sufficiently protected to consistently thwart the threats," he said.
Army Gen. Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, testified at another hearing that the military lacks the people and resources to defend the country adequately from vigorous cyberattacks. "We are finding that we do not have the capacity to do everything we need to accomplish," Alexander told the House Armed Services Committee, as transcribed by the BBC. "To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces. We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger."
At the Homeland Security Committee, a prominent cybersecurity policy analyst said the old ways of battling cyber threats haven't worked.
"Since 1998, we have repeatedly tried a combination of information sharing, market-based approaches, public-private partnership and self-regulation in a vain effort to strengthen our cyber defenses," said James Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (see Time Line of Major Global Cyber Incidents 2010-2011).
"However, despite this dispiriting record of opponent success, I feel confident in predicting that this year, the old, failed formulas will be trotted out again this year," said Lewis, who served as project lead for the Commission on Cybersecurity for the 44th Presidency. "Many of the reports and essays we see emerging now will advocate tired ideas in order to block change rather than increase cybersecurity. While individual government agencies have made strenuous efforts to improve our cyberdefense, as a nation, despite all the talk, we are still not serious about cybersecurity."
Coherent organization and leadership for federal efforts for cybersecurity and recognition of cybersecurity as a national priority.
Clear authority to mandate better cybersecurity in critical infrastructure and develop new ways to work with the private sector.
A foreign policy that uses all tools of U.S. power to create norms, new approaches to governance and consequences for malicious actions in cyberspace. The new policy should lay out a vision for the future of the global Internet.
An expanded ability to use intelligence and military capabilities for defense against advanced foreign threats.
Strengthened oversight for privacy and civil liberties, with clear rules and processes adapted to digital technologies.
Build an expanded workforce with adequate cybersecurity skills.
Change federal acquisition policy to drive the market toward more secure products and services.
A revised policy and legal framework to guide government cybersecurity actions.
Research and development focused on the hard problems of cybersecurity and a process to identify these problems and allocate funding in a coordinated manner.
"The cybersecurity debate is stuck," the report concludes. "Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing and self-regulation are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States."