From cyber theft to the public release of personal information, the cyber threat from non-state actors and hacktivists alike is growing. Consider Britain’s decision to send a drone to kill one of its own citizens who was a member of ISIS in Syria thought to be responsible for much of the terrorist organization’s cyberspace operations.
But despite the increase in cyber activity by groups such as ISIS, top U.S. intelligence officials still believe the greatest threat in cyberspace to interests are state actors.
Testifying in front of the House Intelligence Committee today, the heads of the leading intelligence agencies discussed cyber threats facing the United States, although notably absent from the hearing was any representative from the Homeland Security Department, which has the lead responsibility for protecting the .gov space.
“[C]yber threats come from a range of actors, including nation states, which fall into, at least in my mind, two broad categories; those with highly sophisticated cyber programs – most notably Russia and China – those with lesser technical capabilities but more nefarious intent such as Iran and North Korea – who are also more aggressive and more unpredictable, Director of National Intelligence James Clapper told lawmakers. Criminals, hacktivists and extremists are considered threats, but they take a back seat other countries.
“At the top of our threat stack when it comes to cyber are the nation-state actors,” FBI Director James Comey said. “Both their intelligence activities in the United States and their theft activities in the United States to steal our innovation, our ideas, our energy.”
Following on Comey’s comments, one of the topics lawmakers were keen to hone in on was the information gathered from the breach of the Office of Personnel Management, which compromised millions of records of Americans. IC leaders asserted that there is no indication this information has been used by state actors yet. Their initial assessments following the breach – which concerned the ability to seek out U.S. spies and understand various other U.S. intelligence practices – were just speculations and not based on actionable intelligence.
“What we’ve done is speculate how it could be used…What’s of great concern with respect to the OPM breach…had to do with potential uses of that data….Thus far we haven’t seen the evidence of their usage of that data and certainly we’re going to be looking for it,” Clapper said. “At this point, we haven’t seen, as we’ve discussed before, actual evidence of the use of any of this data in a nefarious way.”
While the government is providing credit monitoring to those affected, Comey said that he is not worried about the potential effect on individual’s credit rating given what the IC believes the information was taken for – namely espionage purposes.
Some of the officials were sure to correct lawmakers’ use of terminology, saying that the OPM breach should not be considered a cyber attack. Clapper said that the OPM breach was not an attack, given its passive nature – similar to U.S. cyber activities – and did not result in the destruction of systems, infrastructure or data.
However, Clapper and others described the next step from these passive data thefts could be data manipulation and deletion, which would be much more troubling. “I believe the next push on the envelope here is going to be the manipulation or deletion of data, which will of course compromise its integrity,” Clapper stated. Such a tactic would render manipulated data worthless and potentially detrimental.
In terms of trends and capabilities of other nations, panelists noted that there has not been any further action against U.S. companies following the Sony incident in which the company’s data was compromised last year as a coercive measure to not release a film dramatizing the assassination of the nation’s supreme leader. “We haven’t seen any offensive destructive actions directed against the U.S. corporate sector by the North Koreans since the Sony incident,” said Adm. Michael Rogers, NSA director and commander of U.S. Cyber Command. “I have watched them do offensive activity against other nations in the post-Sony environment,” adding that he hopes U.S. deterrent efforts such as acknowledging North Korea’s actions, attributing their actions and outlining what the response would be.
Some in Congress and in academia have wondered if U.S. deterrent efforts are truly enough, to which Clapper quipped they are not. “Personally, and this is not a company policy, this is my own view, that until such time as we do achieve or create both the substance and the mindset of deterrence, that this sort of thing is going to continue – the OPM breach.”
Officials noted that the pace of cyber activity can ebb and flow. Rogers said that, starting in 2012, Iran conducted significant activity aimed at taking down the U.S. financial sector and associated websites. And although this activity subsided after 2013 and during the nuclear pact negotiations with Iran, the respite is likely temporary. “I have not seen the Iranians step back from their commitment to cyber as a tool and we see it being used against a variety of actors in the gulf and the region – they continue to be fully committed to how can they use this capability to achieve a broader set of national objectives,” Rogers said.
Rogers also spoke earlier this week at a private event held at the Wilson Center in Washington, elaborating on the incident that affected the unclassified email system of the Joint Chiefs of Staff at the Pentagon. The incident has been believed to be carried out by the Russians, though Rogers did not describe the culprit. He described the attack as “aggressive, persistent and sophisticated,” saying it was a “different scheme and maneuver that I had not seen before.”
“We have seen nation states spending a lot of time and a lot of effort to try to gain access to the power structure within the United States, to other critical infrastructure, and you have to ask yourself why…It’s because in my mind they are doing this with a purpose, doing this as a way to generate options and capabilities for themselves should they decide that they want to potentially do something,” he said.