House intelligence chair wants US to develop protocols for waging offensive cyberwars

Chairman U.S. Rep. Mike Rogers (Reuters / Gary Cameron)
​Amidst reports of high-profile hacks targeting major American entities, a top congressional lawmaker said this week that that the United States must act immediately to iron out offensive and defensive rules for the cyber realm.

Rep. Mike Rogers (R-Michigan), the chair of the House Intelligence Committee, told attendees at an event in Washington, DC on Thursday that the US government is absent sound policies for both protecting its cyber infrastructure and launching offensive attacks, and must move swiftly to ensure foreign actors don’t launch further attacks without either party risking significant repercussions.

The majority of networks in the US are “not prepared to handle” attacks from state-sponsored hackers, Rep. Rogers said at a summit hosted by the Washington Post, yet are nonetheless being probed on a routine basis by malicious actors, including some he claims could be from Russia.

Along with the private sector lacking proper protection, Rogers warned, the US government’s reluctance to adopt rules for launching offensive operations of its own against foreign targets is doing little to prevent the risk of future major attacks. Now on the heels of breaches suffered by the likes of Target, JPMorgan and others — and ahead of an imminent shift in congressional leadership — Rogers told attendees at the Post event that these issues need to be resolved immediately.

“As the [US government] writ large, we don’t have the policies down. We debate it a lot — I can’t tell you how much time we spent in the intelligence committee trying to figure out the way forward on what that looks like — and part of the challenge is the government has about 15 percent of the networks, and the private sector holds about 85 percent of the networks,” Rogers said. “And, contrary to popular belief, the NSA is not monitoring those networks. It is not on those networks. The only way that they see anything coming in is from the outside, so most of the offensive talk is from the private sector saying, ‘I’ve had enough and I’m going to do something about it.’ Because basically what we’ve done today by doing nothing in Congress is telling the 85 percent of these private networks, ‘You’re on your own. You have nation states who are targeting you; who are raving your networks. But you’re on your own. Good luck.’”

A bill co-authored by Rogers, the Computer Information Sharing a Protection Act, or CISPA, has twice been introduced to Congress, but in each instance failed to advance close to being signed into law, at least in part by efforts from activists who said letting the government go into private networks posed too much of a risk for Americans’ privacy. At Thursday’s event, Rogers said he has been working with Sen. Dianne Feinstein (D-California), the chair of that chamber’s intelligence committee, on getting Congress to act.

Rogers went on to say that recent reports in the press have pointed the finger at Russian hackers with regards to who may have recently breached the network of financial giant JPMorgan, and added that the absence of rules for having the US relegate retaliatory attacks is only making American systems more vulnerable.

“The very fact that a nation state believes that they could do that without any problem or consequence is another very, very serious issue for us,” Rogers said. “According to some public reports,” he added, “…the Russians were also flying around or attempting to get into some of our financial institutions,” possibly with the intent of being destructive or disruptive.

Although Rogers stopped short of linking Russian hackers to any US targets, his remarks come barely a month after US officials blamed Moscow for an attack on JPMorgan waged after the bank blocked payments from a Russian embassy to an affiliate of a bank sanctioned in America, Bloomberg News reported. Moscow has denied such claims.

On Thursday, Rogers threw his weight behind those allegations and said, “It was believed that [Russians] decided to make that decision based on the fact that they were having these sanctions imposed. And they believe, ‘Well if you’re imposing sanctions on us, we can use this very capable tool to cause you harm on your economy.’ This is a new dangerous form of warfare and international relations that, candidly, the United States, as a whole, is not prepared to handle.”

“Remember, the Russians can flick a switch, their internet goes down; Chinese can flick a switch, their internet goes down. We don’t do that nor do we want to do that nor should do that. But again that exposes these 85 percent of these private sector networks and puts them at the whim of nation state capability in cyber and this trend is very, very concerning.”

“I clearly believe that the Russians had an intent to try and cause some harm, some disruption, as a result of those sanctions,” Rogers added. “Again, that’s why I think that this is so dangerous and so important we get right on our defenses.”

Even if all the evidence points to Russia, though, Rogers warned it’s “getting harder and harder” to differentiate between state-sponsored hackers employed by Moscow and ones that launch attacks without the direct influence of the government. Within direct attribution, he warned, retaliatory attacks can be dangerous.

“You don’t want to reach overseas and flick somebody in the forehead if were not exactly 100 percent sure that that was the perpetrator of that particular event,” Rogers said.

“The problem with that is that the attack won’t necessarily come back to the US government,” he said. “Our security services are very good about trying to get what the threat matrix is and to apply that to the protection of our networks, but that’s only 15 percent of the networks. So that 85 percent does not benefit from that information, currently and today, and that would expose them to this attack.”

Hackers “are not likely to come back at whatever agency participated in that,” Rogers said, but “are likely to try and come back, again, at one of the private sector networks to cause their harm or damage.”

“We are not prepared if the federal government decides that they want to take an offensive action or disruptive action in any significant way, even in response,” he said. “Again it’s not the government we’re worried about: we can hunker down and put the helmets on. It’s the 85 percent . . . and they will not be ready for what comes next. I guarantee you that today.”