“Our nations have different cyber laws and privacy expectations, but we have got to figure out how to respect those differences, while working together quickly because the attackers won’t give us the benefit of time,” he told the 2017 RSA Conference in San Francisco.
McCaul said there is a need to confer with partners and to develop “clear rules of the road” to prevent uncertainty and lack of co-ordination in times of crisis causing situations to “spiral out of control”.
He also called for the US and its allies to work together to build mutual defences and put infrastructures in place for joint action.
“We should also ensure we are prepared for what lies ahead. For instance, we need to be prepared for the era of quantum computing: the digital atomic bomb is on the not-too-distant horizon.
“The first hostile country to gain such capability will pose a serious threat to the rest of the world, and the US should lead a coalition of like-minded nations to prepare for the quantum future and to ensure we have the right cyber defences in place when it comes,” he said.
McCaul described 2016 as a “watershed” year in cyber space that made everyone more realistic about the danger and more clear-eyed about what needs to be done.
Putting a political spin on the topic of cyber security, the Republican representative for Texas’s 10th congressional district made reference to concerns about whether the US will continue to welcome international talent.
“Our country is a magnet for creators and entrepreneurs who are willing to take risks and pursue their dreams. The United States must maintain that tradition, not only for our country’s credibility, but for the survival of liberty itself,” he said.
McCaul said governments and companies face the challenge of finding talented cyber security people. “You want the flexibility to bring in specialists from around the world. I believe America’s doors must stay open to high-skilled workers who will contribute to our society and join us in building an innovation economy,” he said.
Losing the digital fight
Regarding the “war in cyber space”, McCaul said: “We are in the fight of our digital lives, and we are not winning.” He added that cyber attackers are overtaking cyber defences.
“Nation states are using cyber tools to steal our country’s secrets and to copy our intellectual property. Faceless hackers are snatching our financial data and locking down access to our healthcare information.
“Terrorists are abusing encryption and social media to crowdsource the murder of innocent people. Web-based warfare is becoming incredibly personal and the combatants are everywhere and the phones in your pockets are the battle space,” he said.
According to McCaul, the problem is much greater than cyber espionage, with democracy itself at risk. “There is no doubt in my mind that the Russian government tried to undermine and influence [the 2016 US presidential] elections.
“They broke into political institutions, invaded the privacy of citizens, spread false propaganda and created discord in the lead up to an historic vote,” he said.
McCaul said he pressed the Obama administration and then candidate Donald Trump to take public and forceful stands on the issue. “But I was disappointed in their response. The crisis was the biggest wake-up call yet that cyber intrusions have the potential to jeopardise the very fabric of a country.”
McCaul calls for information to be shared
According to McCaul, there are five main reasons that cyber attackers are gaining the upper hand and that defenders are not winning.
First, he said, there is the issue of volume with law enforcement struggling to keep up with the volume and complexity of network intrusions. At the same time, laws have not kept up with technology.
Second, the high speed of high tech gives cyber criminals an advantage. “History shows that offensive weapons always outpace our defences.
“Yet we have never seen a weapon used against us so regularly and so aggressively – a weapon that can adapt while we are trying to defend against it. And it is expensive to keep up.
“Today, in some cases, the US government is facing 21st century threats, with 20th century technology and a 19th century bureaucracy,” said McCaul.
Third, he said the challenges in sharing information continue. “Before 9/11, we all had the information we needed to keep terrorists from attacking on that fateful day, but we did not connect the dots.
“The walls were up and we did not share the information, and we are in the same place with cyber [threats]. Between your companies, government agencies and US allies we have the threat data to stop many of these intrusions, and yet the sharing is still far too weak.
“As a result, the vast majority of cyber attacks go unreported, leaving others vulnerable to the same intrusions,” said McCaul.
Fourth, he said deterrence is difficult. “If there are no consequences for bad behaviour, that bad behaviour will continue. In the cyber realm, we have to show that there will be consequences; that intruders will be brought to justice.
“But unfortunately we still do not have clear, proportionate response policies for striking back against nation states, cyber criminals and others who invade our systems, and we certainly do not have the manpower, appropriate legal structures and global co-operation to take down suspects as fast as we need to,” said McCaul.
Fifth, he said there is a real paradox between national security and digital security. “Nowhere is this more obvious than with the terror threat.
“We have a new generation of terrorists who are recruiting over the internet and using virtual safe havens to escape detection and spread their propaganda on a global, internet-scale,” said McCaul.
“But while terrorists are using end-to-end encryption to cover their tracks, we must resist the temptation to go after encryption with simple, knee-jerk responses.
“I believe that creating backdoors into secure platforms would be a huge mistake. It would put our personal data at risk and leave our companies vulnerable to intrusion. Instead, we need to find a way to keep our country safe, while also keeping our data safe and secure, but we are not there yet,” he said.
Cyber is a ‘team sport’
Having given his perspective on the cyber threat, McCaul said successful defence begins with the right mindset. “We need to acknowledge that we are under siege in cyber space and respond with urgency and resolve,” he said.
But McCaul said the answer does not lie with government agencies, but with the “bleeding edge” work being done in the private sector.
“Government plays a critical role in co-ordination. In the wake of the Snowden revelations, it is more important than ever before to reassure the public that federal cyber security is being led by a civilian department, not the military or intelligence agencies,” he said.
“Cyber is a team sport. We need strong offence and strong defence and so I am pushing to make the lanes of responsibility clear.
“I propose the creation of a stronger, consolidated cyber security agency at the Department of Homeland Security, and our next priority should be fixing the information sharing weaknesses by making it easier for companies to share threat data with each other and the government,” he said.
McCaul called for closer collaboration between government and the private sector. “We know that our adversaries are targeting our infrastructure, 85% of which is in the hands of the private sector,” he said.
McCaul said he plans to work with the US administration to address vulnerabilities in critical infrastructure more seriously.
“More broadly, I have been urging the administration to develop a new national cyber security strategy as soon as possible.
“We are feeling tectonic shifts in the virtual ground beneath us and our current cyber plans just won’t cut it. The US government needs better response options and needs to be conducting regular cyber exercises to ensure we are prepared.
“Our ability to win the war in cyber space depends on our ability to deliver consequences by striking back when appropriate,” he said, including the threat of sanctions and other penalties.
“We must continue to call out Moscow for election interference, and if we don’t hold the line on sanctions and deliver meaningful consequences, I am certain that they will do it again.”