The U.S. doesn't have a “meaningful deterrent” in effect to battle cyber attacks, former NYC Police Commissioner said Tuesday evening at the Council on Foreign Relations (CFR) headquarters in Manhattan.
Kelly told SCMagazine.com at the event that he found the state of cybersecurity deterrence in this country to be "depressing."Kelly, who was the city's longest serving police commissioner, first under Democratic Mayor David Dinkins from 1992-1994 and then under Republican Mayor Michael Bloomberg from January 2002 to December 2013, contended that the varying types of attacks, motivations and bad actors make for a “very complex” threat landscape that is difficult to navigate.
“You have state sponsors of cyber intrusions, Russia, we have Iran, China—they're kind of the obvious ones,” he said. “And then you have kind of the next level down, these sort of Ocean 11 teams that are in for the money, for crime.”
He pointed to the difficulty of determining who's responsible for a cyber intrusion. “Attribution is difficult, they could be sitting in Belarus doing something here,” said Kelly. Just knowing where an attack came from doesn't mean that authorities can track down the perpetrators and bring them to justice.
“Let's assume we know there's a demon in Belarus and we have to work with the authorities in Belarus,” he explained. “And there's no compact that allows us to do that. What do you do? How do you deter?”
In some cases governments are either impotent against attackers or, in some cases, as observers of recent high-profile breaches at the Office of Personnel Management (OPM) and elsewhere have contended, are somehow complicit.
“In China, they have patriotic hackers, you have thousands upon thousands of them [that] supposedly the government doesn't control,” said Kelly, who also served as Commissioner of Customs for the United States and Undersecretary of the Treasury for Terrorism and Financial Intelligence under President Bill Clinton. “Or you have just hackers, kids just out to have fun in their minds.”
The former police commissioner called for national legislation to strengthen the U.S.'s cybersecurity posture and curb cyber intrusions. But, he said he doesn't hold much hope that Congress will deliver.
“We can't even get legislation passed in Washington,” he said, noting that data breach notification bills have “been floating around for years.” Kelly said that an obstacle has been companies that would be compelled to report data breaches want “certain protection…from liability.”
In the evening talk, which promoted his book, “Vigilance: My Life Serving America and Protecting Its Empire City,” and which centered on challenges facing police—ranging from women in the force to stop and frisk (a controversial program that he advocated) to gun control to community relations to the need for officers to obtain college degrees—Kelly noted that modern day police forces are charged not only with physically protecting communities, but also participating in cybersecurity initiatives.