Cybersecurity: Legislation

Sequestration, Cyber and the 2013 Worldwide Threat Assessment

By Raffaela Wakeman
Tuesday, March 12, 2013, 1:59 PM

This morning was the Senate Select Intelligence Committee's open hearing on worldwide threats to the United States. Witnesses included DNI James Clapper, newly-minted CIA Director John Brennan, NCTC Director Matthew Olsen, FBI Director Robert Mueller, Director of the DIA Lt. Gen. Michael T. Flynn, and Assistant Secretary of State for intelligence and research Philip Goldberg.

Here's the unclassified version of the Worldwide Threat Assessment. The Intelligence Community placed cyber at the forefront of its global threats this year (in its 2012 Assessment, the IC ranked cyber alongside counterterrorism, counterproliferation, and counterintelligence, and noted the interconnected nature of these threats), with terrorism and transnational organized crime coming in next, and WMD proliferation, counterintelligence, threats to the U.S. presence in space, natural resources, health and pandemic threats, and mass atrocities rounding out the list. The assessment then goes region by region, reviewing the most significant of the (unclassified) threats.

DNI Clapper emphasized during his testimony the pernicious effect that sequestration will have on the intelligence community (add this to the list that Carrie Cordero of Georgetown Law's National Security Studies Program has compiled). DNI Clapper called the cuts' effect on the intelligence community's mission "insidious," just as they were after the end of the Cold War.

He said, “Sequestration forces the intelligence community to reduce all intelligence activities and functions without regard to impact on our mission. . .jeopardizes our nation's safety and security. . .and [the problem] will increase over time.”

DNI Clapper also noted that because the cuts begin halfway through the current fiscal year, the actual impact is a 13% reduction. Josh Gerstein at Politico goes into more detail on his remarks here.

The assessment's discussion of cybersecurity threats may be of particular interest to Lawfare readers. It discusses not only the threats from both state and nonstate actors, but also the implications of the ITU's treaty negotiations last December in Dubai, which raised the profile of the varying approaches to internet governance that different global actors advocated. Here's the introduction to the section of the assessment dedicated to cyber:

We are in a major transformation because our critical infrastructures, economy, personal lives, and even basic understanding of—and interaction with—the world are becoming more intertwined with digital technologies and the Internet.  In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.

State and nonstate actors increasingly exploit the Internet to achieve strategic objectives, while many governments—shaken by the role the Internet has played in political instability and regime change—seek to increase their control over content in cyberspace.  The growing use of cyber capabilities to achieve strategic goals is also outpacing the development of a shared understanding of norms of behavior, increasing the chances for miscalculations and misunderstandings that could lead to unintended escalation.

Compounding these developments are uncertainty and doubt as we face new and unpredictable cyber threats.  In response to the trends and events that happen in cyberspace, the choices we and other actors make in coming years will shape cyberspace for decades to come, with potentially profound implications for US economic and national security.

In the United States, we define cyber threats in terms of cyber attacks and cyber espionage.  A cyber attack is a non-kinetic offensive operation intended to create physical effects or to manipulate, disrupt, or delete data.  It might range from a denial-of-service operation that temporarily prevents access to a website, to an attack on a power turbine that causes physical damage and an outage lasting for days. Cyber espionage refers to intrusions into networks to access sensitive diplomatic, military, or economic information.

The assessment mentions three states by name -- China, Iran and Russia -- as significant actors in cyber. Given the increased attention that top administration officials are giving to cybersecurity, indications that the private sector also has this high on its priority list, and detailed reports like the one released by Mandiant, senators paid particular heed to the cyber threat assessment, queried the witnesses about last year's attempt in the Senate to pass a bill on cybersecurity, and discussed the implications and limits of the executive order that President Obama released at the State of the Union.

On the Committee's part, Senator Feinstein confirmed that the committee will begin working on a bill specifically addressing information sharing among the public and the private sectors this session.

The hearing is available at C-SPAN.