U.S. Still Hunts July 4 Website Hackers

Q&A with the National Intelligence Director Dennis Blair
"But the process of tracking it down is still going on," Blair told attendees of a meeting of the U.S. Chamber of Commerce's National Security Task Force. "We're working with foreign partners to try to compare data to figure out if we can actually nail it down."
Besides U.S. government and business sites, the hackers assaulted government websites in South Korea, with some South Korean officials accusing North Korea or its sympathizers of being behind the attacks.
In a question-and-answer session, Blair also spoke of America's overconfidence in Internet security and the continuing tensions among federal agencies over safeguarding U.S. IT assets. Here's an edited transcript of the Q&A that focused on cybersecurity:
QUESTION: It seems that the cyber discussion is focused on domestic issues: securing .gov, .mil, the defense industrial base. But it would also seem to some of us that there is a global interest, that the United States needs to play a global leadership role in terms of global cyber governance, that there are global supply chains, global critical infrastructures. What might the government do better to begin to build an architecture of U.S. leadership in global cyber governance? And how can the private sector help?
BLAIR: I think that's an accurate observation. I would tell you, frankly, that in recent years I think we have felt a little bit of overconfidence in the American nature of the Internet, and that sort of thought that we will set the standards for it and not really focus on these global bodies, who in fact are setting up those protocols and many of the procedures which have an effect.
And I don't think we've been as strong with the teams that we've sent to those conferences with the positions we have going in. And, as you know, that's a State Department lead responsibility. We in the intelligence community provide some support, but I would think that that would be an important place for American computer, switch, cable and software manufacturers to really focus on, to make sure that, as a country, we have our act together with the sort of standards, protocols and international agreements that are facing us. So I think that's one very important one to point to.
If you look at the story in China, for example, a huge number of computer users, a country that is, you know, if it could write its own ticket, it would write it all with Chinese leadership in designing the Internet across the board. If you look at what has actually happened, though, China has to play in the international game and many of their preferred domestic solutions have not won out over international - sometimes American, sometimes other - positions. So I think that the IT world is open enough and developing enough that good ideas - and a lot of these are American and a lot of these are right for us - can be the ones that still set the pace globally.
I think we have natural allies in many countries that we have worked with traditionally, but they don't come without work on it. So I think you're pointing to a very important area. I think we need to not only work with the President's cyber coordinator in the White House, once he or she is named, but really get our act together on these international delegations that negotiate these things.
QUESTION: The National Counterintelligence Executive's office, in their report to Congress, identified some 108 different countries, friend and foe, that are actively and aggressively stealing technology from the United States. How do we work with the government to get an understanding in the intelligence community that the government can help us, can work with us and can counter some of these issues? We see the Department of Justice has, since 1996, with the Economic Espionage Act, only done a couple of economic espionage cases because it doesn't meet their threshold. How about we get consistency across the country to protect the infrastructure so that the economic security of these issues are?
BLAIR: I think we still have this tension between attribution and enforcement on the one hand, and warning and protection on the other hand, in the cyber area. And we haven't really quite figured out the right area. You know, the law enforcement world operates on the premise that if you catch a few criminals, you generally deter the rest, and there's enough law and order that life can go on. When you apply that philosophy to - I'm not sure if you can apply that philosophy to cyberspace directly, where there seems to be an unlimited number of both nation-state actors and non-nation-state actors trying to steal secrets and cause havoc over the net. And I'm not sure if catching one or two will deter all of the rest.
So while we are catching those we can, by the very careful process of attribution of an attack, working through law enforcement agencies, we have to get this warning function out there that this is the vulnerability that was used in this particular attack; those of you who have a similar server or similar software or similar vulnerabilities need to work on them. And we need to be able to do both at the same time - to be able to prosecute and attribute at the same time we're fixing and patching.
And I think the evolving partnerships among the computer readiness teams - the CERT (United States Computer Emergency Readiness Team) teams, the FBI team, the DHS team, the teams that we have on the intelligence side, the private center up at Carnegie-Mellon - I think those are getting better in that regard, but I still see instances in which vulnerabilities go on for a longer period of time than they should have, when we actually know something either on the intel side or on the law enforcement side that could have helped others patch the vulnerability quicker.
For instance, in some of the budgeting that's before the Congress right now, there's increased funding for connections among these centers, so that they can be better connected in real time as one of them works a problem to pass around the technical knowledge on what was the source of that attack, and so that they can publicize it in the various ways they have within the government and within the private sector, so that patches can be put in, other vulnerabilities can be addressed.
So I guess my answer to your question right now is better connection among the operation centers and the cyber-security centers, earlier decisions on sharing information while we're prosecuting and attributing attacks, and then a greater level of technical interchange among those areas. I think that's the way we have to approach it.
QUESTION: I wonder if you all have determined who was behind that July 4th weekend cyberattack. Was it North Korea? And also, what steps is the government taking to prevent such things from happening in the future?
BLAIR: The answer is that we have not figured out exactly who conducted that July 4 - that attack that began on July 4. It was a relatively unsophisticated botnet-type attack that nonetheless did deny service for some Web sites in this country. But the process of tracking it down is still going on. ... We're working with foreign partners to try to compare data to figure out if we can actually nail it down.
The reason that it's taking as long as it has is that, like most Internet attackers, the person who perpetrated this attack went through a series of cutouts - different IPs - and the process of going back and sorting that out just takes some time. And on that one, I am happy to say that the sorts of vulnerabilities in the system which made that possible were quickly passed around to others so that they could make sure that their Internet was better-protected than that.