With an introduction that characterized U.S. government data breaches as “eroding confidence in our government's ability to counter the threat,” Representative Devin Nunes, R-Calif., and Intelligence Committee chairman, kicked off his committee's Thursday cybersecurity hearing.
Directors from multiple major intelligence and law enforcement agencies, including James R. Clapper of National Intelligence and James Comey of the FBI, addressed legislators' questions and gave the public a better idea of the threats the agencies face, in their own words.
“Rather than a ‘Cyber Armageddon' scenario that debilitates the entire U.S. infrastructure, we envision something different,” Clapper said in his opening remarks. “We foresee an ongoing series of low-to-moderate level cyberattacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
Although there's a multitude of ways U.S. interests and the country itself could be targeted digitally, one possibility prominently sticks out in Clapper's mind as the most worrisome: the idea of “integrity of information.” This, he said, will likely be seen in the future and could involve “cyber operations that will change or manipulate electronic information in order to compromise its integrity instead of deleting or disrupting access to it.”
Government officials could struggle to make decisions if the information they rely on is tainted or seemingly can't be trusted.
But beyond these attacks, the directors also said policy and legislative gaps must be addressed.
Even without a policy regarding cyber actions and retaliation, Michael Rogers, director of the National Security Agency (NSA), said there are “very specific things” he finds “foreign intelligence organizations doing that frankly we cannot do.”
Plus, not helping discussions, Rogers said, are unclear definitions. The data breaches at the Office of Personnel Management (OPM), for example, weren't classified as an attack, Clapper said, even though many news outlets reported it as such.
“Though it's been characterized by some loosely as an attack, it really wasn't since it was entirely passive,” he said. “And it didn't result in destruction or any of those kinds of effects.”
“Terminology and lexicon is very important in this space,” Rogers added. “Many times I'll hear people throw out ‘attack, 'or ‘an act of war,' and I go that's not necessarily in every case how I would characterize the activity that I see.”
