Statement for the Record Mr Michael Moss Deputy Director Cyber Threat Intelligence Integration Center Office of the Director of National Intelligence FOR A HEARING ON “Cyber Threats to Our Nation’s Critical Infrastructure” BEFORE THE UNITED STATES SENATE COMMITTEE ON JUDCIARY SUBCOMMITTEE ON CRIME AND TERRORISM Tuesday 21 August 2018 Senate Dirksen 226 2 30pm – 4 00pm Washington DC Chairman Graham Ranking Member Whitehouse Members of the Subcommittee thank you for the opportunity to appear before you today to discuss cyber threats I would first like to extend my appreciation for your efforts to focus attention on cyber threats through such forums as this subcommittee hearing It is hard to believe that just a year or two ago cyber security experts routinely lamented the lack of attention these threats received in our public discourse Now it seems that we do not go a single day without a headline about a concerning vulnerability a serious breach or a call to action from a local state or federal official Awareness of the threat is a critical first step to action not only by the government but also especially every citizen each of whom can take important steps to protect themselves while also increasing our collective cyber security The Director of National Intelligence wants the American people to know the Intelligence Community IC is postured to identify threats of all kinds against the U S and our allies and to provide appropriate warnings Regarding the threat to our elections and efforts to undermine our democracy the IC’s TOP priority is to identify threats against the U S and provide accurate timely warnings With respect to operations that target elections it is important to distinguish between two types 1 cyber operations that target our election systems such as voting machines and voter databases and 2 foreign malign influence operations designed to influence the views of voters depress voter turnout or undermine confidence in election results The IC continues to be concerned about threats to upcoming US elections – both the mid-terms and the 2020 election cycle Regarding Russian involvement in the mid-term elections we continue to see a pervasive messaging campaign by Russia to try to weaken and divide the U S These efforts are not exclusive to the election but certainly cover issues relevant to the election We also know Russia tries to hack into and steal information from candidates and government officials alike We are very cognizant that Russia is not the only country that has an interest in trying to influence our domestic political environment We know there are others who have the capability and may be considering influence activities We have incorporated lessons learned from the 2016 elections and implemented a broad spectrum of initiatives to share more information across the federal government state and local governments and with the private sector Among those initiatives The Office of the Director of National Intelligence’s ODNI’s National Counterintelligence and Security Center NCSC and Cyber Threat Intelligence Integration Center CTIIC co-sponsored an elections-focused Tabletop Exercise TTX in April where we examined how to strengthen the U S Government’s ability to share information on foreign threats to U S elections The day-long TTX was attended by more than 50 senior representatives from the National Security Council and offices in the Central Intelligence Agency CIA 2 Department of Homeland Security DHS Federal Bureau of Investigation FBI National Security Agency NSA and ODNI that have cyber counterintelligence regional and intelligence reporting responsibilities ODNI leads the interagency working group with the Department of Justice DOJ FBI DHS CIA and NSA regional cyber and counterintelligence experts now meeting weekly as we push towards November all focused on ensuring election security and integration of our efforts ODNI supports both DHS and FBI in their respective roles in their efforts to effectively provide States and State Election Officials with up to date and relevant information from the IC Cyber Threat Intelligence Integration Enhanced awareness of cyber threat is one of the core missions of the center I am privileged to lead CTIIC and I would like to share with you our approach to this important mission CTIIC is the newest of four multiagency intelligence centers under the ODNI and was authorized under the Intelligence Authorization Act for Fiscal Year 2016 Our mission is to build understanding of foreign cyber threats to U S national interests to support decisionmaking We do this by working with and integrating information from the Federal centers and other departments and agencies that make up the federal cyber community Elements of this community specialize in intelligence law enforcement network defense operations and incident response CTIIC brings together information from these partners to build awareness integrate analysis context and identify opportunities to mitigate and counter cyber threats using all instruments of national power CTIIC’s workforce is mostly composed of personnel on loan to us from these very partners Our leadership team includes senior executives from FBI NSA and CIA and our workforce includes analysts from those three agencies DHS the Defense Intelligence Agency the Department of Energy and the ODNI These professionals contribute their unique expertise knowledge and tradecraft and notably their reach back to other experts in their parent Agency Anticipating and countering foreign cyber threats is a whole-ofgovernment effort and the makeup of CTIIC is reflective of that effort In 2016 our first year of operation CTIIC’s role was further emphasized in Presidential Policy Directive 41 This PPD outlining the Federal government’s approach to Cyber Incident Coordination named CTIIC as one of three Federal leads along with DHS and FBI responsible for coordinating the government’s response to significant cyber incidents CTIIC does not direct or engage in intelligence collection operations or unilateral engagement with the private sector Rather we support the agencies who do have those responsibilities and relationships by providing integrated intelligence and assessments that support their efforts CTIIC is committed to overcoming the jargon barrier that sometimes limits our ability to have meaningful discussions of cyber threat Part of enabling a whole-of-government 3 approach to countering these cyber threats is building understanding of how our adversaries are using capabilities in cyber space to address their strategic objectives We and our colleagues in ODNI are focused on making that analysis available and comprehensible to the non-cyber experts in government who vastly outnumber those of us who focus daily on this threat In many ways the nature of the cyber threat requires that we the national security community also treat the private sector and American people as intelligence customers That is why you will see us address this threat more publicly and why you will continue to see us publish unclassified estimates and statements to inform the American people Cyber Threats to U S Critical Infrastructure To that end I will now address the IC’s estimates of cyber threats to critical infrastructure These threats include not only destructive attacks but also cyber-enabled theft of information that undermines our strategic advantage Our adversaries are becoming more assertive more capable and more adept at using cyberspace to threaten our interests And the number of adversaries is growing as nation states terrorist groups criminal organizations and others continue to develop cyber capabilities The risk is growing that some adversaries will conduct cyber attacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the U S in a crisis short of war The potential impact of these cyber threats is amplified by our growing interconnectedness The advancing integration of technology—such as artificial intelligence and the internet of things—into both our critical infrastructure and our daily lives adds convenience but also significant risk The potential for surprise in the cyber realm will increase in the next year and beyond as billions of additional digital devices connect—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits In 2016 and 2017 state-sponsored cyber attacks against Ukraine and Saudi Arabia targeted multiple sectors across critical infrastructure government and commercial networks In the case of Ukraine over 225 000 citizens lost power for over 3 hours Ransomware and malware attacks have spread globally disrupting global shipping and production lines of U S companies The availability of criminal and commercial malware is creating opportunities for new actors to launch cyber operations In March the city of Atlanta Georgia was hit by ransomware crippling a large portion of the city’s online systems Citywide services came to a grinding halt More than a third of the 424 software programs used by the city were knocked offline or partially disabled and nearly 30% of those were “mission critical ” affecting core city services We believe that concerns about U S retaliation and still developing adversary capabilities will mitigate the probability of attacks aimed at causing major disruptions of 4 U S critical infrastructure but we remain concerned by the increasingly damaging effects of cyber operations and the apparent acceptance by adversaries of collateral damage Adversaries and Malign Actors Poised for Aggression Russia China Iran and North Korea will pose the greatest cyber threats to the U S during the next year These states are using cyber operations as a low-cost tool of statecraft and we believe they will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations Meanwhile non-state actors will continue to use cyber operations for financial crime and to enable propaganda and messaging Of these adversaries we believe Russia poses the greatest threat to U S critical infrastructure We expect that Russia will conduct bolder and more disruptive cyber operations during the next year most likely using new capabilities against Ukraine In June 2017 the Russian military launched the most destructive and costly cyber-attack in history The attack dubbed “NotPetya ” quickly spread worldwide causing billions of dollars in damage across Europe Asia and the Americas The Russian Government is likely to build on the wide range of operations it is already conducting including disruption of Ukrainian energy distribution networks hack-and-leak influence operations distributed denial-of-service attacks and false flag operations Over the next year Russian intelligence and security services will continue to probe U S and allied critical infrastructures and target the U S NATO and allies for insights into U S policy In March DHS and FBI issued a Technical Alert regarding Russian government targeting of U S Government entities and organizations in the energy nuclear commercial facilities water aviation and critical manufacturing sectors In April as a result of analytic efforts between DHS FBI and the United Kingdom’s National Cyber Security Centre DHS and FBI issued an alert regarding the worldwide cyber exploitation of network infrastructure devices e g router switch firewall and Network-based Intrusion Detection System devices by Russian state-sponsored cyber actors In May DOJ announced they had seized an internet domain at the center of a hacking campaign thus thwarting the potential weaponization of a network of more than half a million web-connected devices across the globe The network of infected devices or “botnets” was one of the largest of its kind China will continue to use cyber espionage and bolster cyber attack capabilities to support national security priorities The IC and private-sector security experts continue to identify ongoing cyber activity from China although at volumes lower than before the bilateral U S -China cyber commitments of September 2015 Most detected Chinese cyber operations against U S private industry are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide Since 2015 China has been advancing its cyber attack capabilities by 5 integrating its military cyber attack and espionage resources in the Strategic Support Force which it established in 2015 We believe that Iran will continue working to penetrate U S and Allied networks for espionage and to position itself for potential future cyber attacks Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations despite Iran’s recent restraint from conducting cyber attacks against the U S or Western allies Iran’s cyber attacks against Saudi Arabia in late 2016 and early 2017 involved data deletion on dozens of networks across government and the private sector We expect the heavily sanctioned North Korea to use cyber operations to raise funds and to gather intelligence or launch attacks on South Korea and the U S Pyongyang probably has a number of techniques and tools it can use to achieve a range of offensive effects with little or no warning including distributed denial of service attacks data deletion and deployment of ransomware North Korean actors developed and launched the WannaCry ransomware in May 2017 We also believe that these actors conducted the cyber theft of $81 million from the Bank of Bangladesh in 2016 Terrorist and criminal groups will continue to use the Internet to organize recruit spread propaganda raise funds collect intelligence inspire action by followers and coordinate operations Given their current capabilities cyber operations by terrorist groups most likely would result in personally identifiable information PII disclosures website defacements and denial-of-service attacks against poorly protected networks Transnational criminals will continue to conduct for-profit cyber-enabled crimes such as theft and extortion against U S networks We expect the line between criminal and nationstate activity to become increasingly blurred as states view cyber criminal tools as a relatively inexpensive and deniable means to enable their operations Mr Chairman I look forward to the Sub-committee’s questions 6
OCR of the Document
View the Document >>