From left, FBI Director Robert Mueller, Director of National Intelligence James Clapper, CIA Director Leon Panetta and Defense Intelligence Agency Director Lt. Gen. Ronald Burgess testify Feb. 10 before the House Intelligence Committee. (Saul Loeb / Agence France-Presse)
Who's in charge? That's the question that emerged from Capitol Hill this week after a series of U.S. congressional hearings addressed the growing problem of cybersecurity.
Jurisdictional issues complicate the prevention of and response to cyber attacks inside and outside the government, intelligence and DoD, officials told Congress.
Which government agency responds to a cyber attack depends on where the attack originated, and this is an incredibly difficult thing to decipher in the cyber world, officials said.
"The problem from our perspective is we tend to think of it in particular categories — crime versus government involvement — and yet at the outset you do not know whether it may be a state actor, a group of individuals operating at the behest of a state actor, or a high school kid across the street," FBI Director Robert Mueller said Thursday at a House Intelligence Committee hearing on worldwide threats.
Government agencies need to collaborate to determine where an attack originates so that they can determine the appropriate response, he said.
The next day, cyber experts told the House Armed Services emerging threats and capabilities subcommittee that distinct lines of responsibility are not only needed within the government, but also between the government and the private sector.
There is no clear delineation of responsibilities between the government, the military and the private sector, said Gerry Cauley, president and CEO of the North American Electrical Reliability Corp. (NERC).
Founded in 1968, NERC's mission is to ensure the reliability of North America's electrical grid, one of the key infrastructures vulnerable to cyber attack.
More than 85 percent of critical infrastructure systems are privately owned and operated, making the government's role in their protection problematic, said Gregory Nojeim, senior counsel for the Center for Democracy and Technology. He warned against adopting cybersecurity legislation that would expand government powers to the point that they infringe on privacy and innovation.
While experts said there is no silver bullet, they agreed that better information-sharing was an important first step.
Cauley said the private sector does not have access to the same amount of intelligence as the government and military do, and is therefore always a step behind when it comes to cybersecurity.
"Too often, we have heard from government agencies that the threats are real, but are given little or no additional information. This leads to frustration among private sector leaders who are unable to take fact-based responsive measures due to ill-defined and nebulous threat information," Cauley said.
To improve this, NERC is working with DoD and the Department of Homeland Security on a memorandum of understanding that would allow the sharing of "bi-directional actionable intelligence," Cauley said.
Nojeim urged Congress not to solve the information-sharing dilemma by expanding government power to obtain privately held data. He recommended the government find ways to share its intelligence on cyber attacks with the private sector so they can defend themselves against outside threats.
The Pentagon should focus more on prevention of cyber attacks than reaction to them, advised Shari Pfleeger, director of the Research Institute for Information Infrastructure Protection at Dartmouth College.
She also encouraged greater collaboration between DoD and the Commerce Department and DoD and the State Department.
How big a threat?
Congress needs to understand if cyber attacks can be categorized as annoyances, crime or national security threats so that it can determine what types of authorities and resources need to be devoted to them, said Mac Thornberry, R-Texas, who sits on the House Intelligence Committee and is chairman of the House Armed Services emerging threats and capabilities subcommittee.
CIA Director Leon Panetta described it as the "battleground for the future.
"I've often said that I think the potential for the next Pearl Harbor could very well be a cyber attack."