Meeting of the Minds Over Fed Cybersecurity
What worries her? "A run on our money system," she said in an interview with GovInfoSecurity.com (transcript below).
"Let's say we all woke up one day, and we went to the ATM, and no money came out, and there was zero dollars in your check account. Guess what? You would panic, everybody would panic. All of a sudden, yeah, everything would go crazy in the United States."
Another concern: our soldiers battling abroad. "Imagine if, they use a lot of technology, and instead of having the soldier in the field, unable to understand what is going on around him, and where the enemy is, for example, that is all now beamed to him through electronics," she said. "Imagine if, somehow, somebody hacked into the system, and was able to give a dark field to our soldiers in the field. That would be a difficulty for them."
Sanchez, who also is vice chair of House Homeland Security Committee and sits on its Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, addressed in the interview:
GovInfoSecurity.com's Eric Chabrow interviewed Sanchez.
Sanchez is in her seventh term in Congress, representing Anaheim and the surrounding areas of Orange County. She and Rep. Linda Sanchez, a Democrat who represents part of Los Angeles County, are the only sister pair ever to serve in Congress.
As co-chair of the Congressional Vietnam Caucus - her district has one of the largest concentrations of Vietnamese outside of Vietnam - Loretta Sanchez expressed outraged that Vietnam's government has been using the Internet as a weapon against its own people.
Sanchez earned a bachelor degree from Chapman University in Orange County and an MBA from American University.
ERIC CHABROW: You chair a subcommittee that deals with threats on our nation, including cybersecurity, as well as sit on another panel that addresses Homeland cybersecurity. What worries you the most about defending the military, government, and key national IT infrastructures, and what can Congress do about that?
REP. LORETTA SANCHEZ: Well, probably, a couple of scenarios that worry me. One would be, for example, a run on our money system. Let's say we all woke up one day, and we went to the ATM, and no money came out, and there was zero dollars in your check account. Guess what? You would panic, everybody would panic. All of a sudden, yeah, everything would go crazy in the United States. That would be from the nonmilitary sort of situation. What could somebody do to us? The second one would be our soldiers in the field, wherever they might be. We are in 120 different countries in the world right now, doing all sorts of different things, including two major wars. Imagine if, they use a lot of technology, and instead of having the soldier in the field, unable to understand what is going on around him, and where the enemy is, for example, that is all now beamed to him through electronics. Imagine if, somehow, somebody hacked into the system, and was able to give a dark field to our soldiers in the field. That would be a difficulty for them. Or getting into the computers of the FAA, and eliminating all of our airspace ability to understand what is going on in airspace, and inability to communicate back and forth with the 56,000 planes that are up in the sky every day over the United States. These are some of the scenarios that I worry about.
CHABROW: What can Congress do about it?
SANCHEZ: I've been the head of cybersecurity now for about a month, the subcommittee that we have, and I've probably had about three hearings on it. The first one was from the private industry, to talk about what needs to happen. And one of the ideas they had was that, you know, we developed cyber, in a sense, the Internet, in particular, because of DARPA (Defense Advanced Research Projects Agency). We developed it through the Defense Department, and we have stumbled upon new things that we can do, we sort of just added that on. And so, as people have hacked into our systems, we have sort of did a band-aid job on stopping these people. So, one of the things that one of these guys said was, "You know, maybe we have to sit back and say, 'This is a complete new branch of science, and let's really make it a field of study, let's do real research, and let's figure out if this is something we've been using, and maybe it's not the correct one. Maybe there's a tighter system, there's standards we can set up, and there's a whole body whose only job it is to anticipate ahead of time, rather than to do the Band-Aid job after the fact.'" And so, we are really taking a look at that, to see if that makes sense.
CHABROW: In his confirmation hearings to be director of the National Security Agency, as well as the military cyber commander, Army Lieutenant General Keith Alexander testified that the Defense Department computers receive hundreds of thousands of probes each day from outsiders, including other nations. How safe are defense and military computer systems, in your view?
SANCHEZ: At this point, they're still safe, because, believe it or not, we actually have the best hackers within our Department of Defense. Not only are we trying to stop hackers from getting into our system, but we're constantly also trying to devise how to hack into other systems. We have a big body of people who actually do this. And then, of course, this is also going on in our research institutions, in our public universities, like UCLA, for example, or UC Irvine. We have the smartest people, and we have the best people working on this. But, there comes a point where that may not be enough. There are lots of people hacking in, some more problematic than others, and we need to have the right laws on the books, and we need to have the right defenses to go after these people. But, we also need to just make better systems. So, it is a concern. We are, at this point, okay. But, we are getting to that point where there is just too much of it going on, and it's getting too strong, to tell you the truth.
CHABROW: You mentioned "the right laws." You're a lawmaker. What are some of the right laws that should be enacted?
SANCHEZ: It's a difficulty. It's a difficulty. For example, we do not have enough local law enforcement to respond to cyber attacks. For a government computer, for example, we have plenty of laws on the books. They are pretty broad. We can actually get a hacker and we can prosecute them. But, if someone breaks into your own personal e-mail, it's a little bit more difficult to go after them. And so, we really have to look at the laws at each of the state levels, and also at the local jurisdictions, to give law enforcement more capability to go in and to figure it out when the attack is fresh. Because that's at the point where we can trace it back easier than if we, you know have to get it to the FBI a month later.
CHABROW: Looking at our nation's defense on cybersecurity, Rep. Randy Forbes of Virginia, a Republican who chairs a Congressional Chinese Caucus, has called for the House Armed Services Committee to hold hearings on cyber attacks originating from China on the military IT. Do you think such hearings should be held?
SANCHEZ: Remember that if we have such hearings, they probably wouldn't be in full focus out in the open. These are highly sensitive matters. We get briefed on them even before I was "cybersecurity," if you will. We would have hearings and briefings for all the membership here in the House, once in a while, to discuss some of the attacks that had happened, whether it was from China, North Korea, or quite frankly, sometimes even some of our allies hacked into our system. Everybody is doing hacking out there. If a member wants to know about it, they can. They can get the information that they need. But, more importantly, if we were to hold hearings in this committee or in a joint, with the intelligence committee, it would probably have to be behind closed doors.
CHABROW: Do you think that would be valuable that you have to work behind closed doors?
SANCHEZ: Well, I will tell you that, since I have become the chairwoman, I have asked for the person who handles this on intel here in the House of Representatives, the person who handles it on Commerce and Energy Committee, the person who handles it on Homeland, the person who handles it on the Appropriations, Defense committees, to all sit down with me, and have a meeting about what each and every one of us is worried about, looking at what have done from our end, and to see what is falling between the floorboards, because there is a lot of that going on. And, you know, they all looked at me, and they said, "You know, this is the first time we're ever going to do this. First, we have to decide what is the body of work that we really have. And then we have to decide, as chairmen of these subcommittees, that we are going to work together. And then we have to figure out what, if and what the Senate has done, and of course, what the new cyber czar over in the administration is doing. So, I think that hearings for the membership, meaning the Congress, just the normal Congress members, who don't deal on this on a day to day basis, would be good. But, I think first and foremost, I would like to know what the heads of these committees have done. What these committees have done, before we go and try to educate the rest of the membership.
CHABROW: Former National Intelligence Director, Mike McConnell, contends that we would lose a cyber war if one were to occur. But, White House Cybersecurity Coordinator, Howard Schmidt dismisses talk of a cyber war. Where do you stand on the potential of the U.S. being involved in a cyber war?
SANCHEZ: Let me say that we have the most systems to be attacked. We have the most people, the biggest economy, the biggest framework, both from our defense, and the private sector and the public agencies, like Homeland and law enforcement that we have. So, to the extent that cyber warfare is an asymmetrical, sort of insurgent, sort of terrorist type of thing versus the conventional warfare, I would say yes, we have the most to lose. We have many more systems. And remember, also, that you are only as good as your weakest link. Your weakest link is an individual user. And that individual user, if he is not using the password, if he is leaving his password around, that is an entryway into a multiple group of cyber networks. For example, I might have a government Defense computer that is very tight, people are using their passwords, etc. Then, I have a contractor, a defense contractor, who's got a program to interface with that Defense computer, and then he may have taken his laptop home, and worked on the stuff, and left his account open, and his kid gets on there, and his kid e-mails something from there into his own, let's say, Yahoo account. All of a sudden, that relationship can enable a big government, like China, or somebody else, to go into this kid's Yahoo and make the connection to go into what ultimately is our Department of Defense computers. We have the most to lose, we have the most openness to our system, and so, it just depends what type of cyber attack it would be.
CHABROW: I just want to switch gears just for a moment. You sponsored legislation to study cybersecurity insurance. What is cybersecurity insurance, and what are its potential benefits?
SANCHEZ: One of the things we know about insurance is that because of financial incentives with insurance, people modify their behavior. You know, if I can put in a fire alarm, and I can put in a security firm to watch my house, etc., then my insurance policy is going to be lower on an annual basis, I'm going to start to change my behavior. So, insurance is one of those ways in which we can incentivize, if you will, people to change their behavior. Can I go back to this whole issue of the weakest link is the individual user to a system. So, I think that cybersecurity insurance is an unexplored market, but it has benefits that we still don't know and that we should take a look at it. Insurance companies, also, are better than most of us, in being able to assign risk to situations. So, if we did study this, I think we would get more information about the risks involved, and about how to use insurance, in order to modify people's behavior.
CHABROW: Do you see this as just something for individual citizens, or is this something that could be somehow used in business?
SANCHEZ: I could see it not only happen with respect to individuals, but I could also see it happening with respect to private companies.