JEFFREY BROWN: All this week, we have been looking at new initiatives launched by President Obama — tonight, cyber-security.
Ray Suarez reports.
PRESIDENT BARACK OBAMA: We know hackers steal people’s identities and infiltrate private e-mails. We know foreign countries and companies swipe our corporate secrets.
RAY SUAREZ: In his State of the Union address Tuesday, President Obama laid out one of his top priorities, protecting America’s critical infrastructure from the growing threat of cyber-attacks.
PRESIDENT OBAMA: Now our enemies are also seeking the abilities to sabotage our power grid, our financial institutions, our air traffic control systems.
RAY SUAREZ: Over the past six months, the websites of American banks have repeatedly been attacked, reportedly by Iran. In the last few weeks, major U.S. media companies, The New York Times, Bloomberg News, The Wall Street Journal, and The Washington Post, have all said the Chinese are behind sustained hacking attempts on them.
And earlier this week, The Washington Post reported the intelligence community now believes the U.S. is a target of a major cyber-espionage campaign, with China as its most aggressive perpetrator, seeking to steal data for economic gain.
To counter these efforts, President Obama announced a new initiative.
PRESIDENT OBAMA: I signed a new executive order that will strengthen our cyber-defenses by increasing information-sharing and developing standards to protect our national security, our jobs, and our privacy.
RAY SUAREZ: The National Cybersecurity and Communications Integration Center is in Northern Virginia. It’s the Department of Homeland Security’s premier cyberspace monitoring facility.
This command center receives information from companies like AT&T and Verizon, and watches over the government’s information networks.
Lawrence Zelvin, the center’s director, says the president’s order will make it easier to combat cyber-threats.
LAWRENCE ZELVIN, National Cybersecurity and Communications Integration Center: The attacks should be measured in seconds, not days. The attacks are ever-present and ongoing. And, as I said, there’s a variety of motivations, criminal, nation-state, malicious, humorous. The attacks are happening in seconds.
The challenge is, is to be able to understand it all and to put that context to it, and then being able to alert people and help them solve it.
RAY SUAREZ: Yet, even before President Obama officially announced his plan, opposition was mounting. In January, the U.S. Chamber of Commerce issued a statement saying it believes that executive action is unnecessary and opposes the expansion or creation of new regulatory regimes.
And last August, Senate Republicans helped kill the most comprehensive cyber-security bill to date, arguing it would’ve imposed too great a regulatory burden on business. But others have argued the executive order doesn’t go far enough.
Dmitri Alperovitch is co-founder and CEO of CrowdStrike, a cyber-security company.
DMITRI ALPEROVITCH, CrowdStrike: What we need is for the government to say, we’re going to share information about attackers. That’s good, but ultimately we’re going to go after the attackers to stop them, because if we don’t remove them from the battlefield, their techniques are going to get better, their capabilities will ultimately exceed your defenses, and they will ultimately penetrate you and do real damage. And that is what’s not happening today, or at least a discussion about that is not happening.
RAY SUAREZ: Earlier today, I sat down with Janet Napolitano, the secretary of homeland security, to talk about this new cyber-security initiative.
I began by asking her which countries are the biggest sources of cyber-attacks.
SECRETARY JANET NAPOLITANO, U.S. Homeland Security: There are a number of countries that we see attacks emanating from. And, again, they can be just individuals who are located in the country.
But three that I think are of special concern would be Iran, would be Russia, and China.
RAY SUAREZ: Right now, there are private efforts, personal efforts, corporate efforts. There’s all kinds of people trying to fend off these attacks. What’s the right role of government? And what can government do that right now the private sector can’t?
JANET NAPOLITANO: Well, it’s always been government’s role to protect the security of the nation.
And this is a security issue, from our perspective. And it’s a security issue of particular concern with respect to the nation’s core critical infrastructure, the infrastructure everyone relies on, the energy sector, the telecommunications sector, the banking sector.
So what we’re going to do — and we have already actually started — we started well before the executive order actually was issued — is working with the private sector, determine how best to share information, because, you know, we can’t help until we know that there has actually been an attempted intrusion or attack.
So that information-sharing piece is very important. And in addition to that, what are the best practices that infrastructure owners should exercise to best protect their systems?
RAY SUAREZ: Is this a realm where the United States is not only taking incoming, but also seeking to disrupt the operation of networks in some of the countries you named, in Iran, in China, to stop their capability from attacking the United States?
JANET NAPOLITANO: Well, I think what we want to focus on at this point is what can the private sector do to interrupt these attacks.
So, for example, the NSA and the FBI, myself, Gen. Alexander for the NSA, Bob Mueller for the FBI, myself, met with a particular group of executives that have major roles in the so-called ISPs, the Internet service providers, what they could possibly do. We have met with leaders in private industry in terms of the core critical infrastructure of the country as to what they can possibly do.
RAY SUAREZ: Have cyber-threats moved to a new level, so that when you’re being briefed on people who are actually trying to physically attack the United States, this is also a standard part of what you’re told about people who threaten the nation?
JANET NAPOLITANO: Yes.
I receive information about cyber-actors or people using cyber-networks on a daily basis. And, as I said, we receive thousands of reports that come into us from private industry every year.
RAY SUAREZ: Is that a new kind of war? If you are not trying to blow something up or kill Americans, but you’re trying to steal a wing that took years to develop from a private aerospace manufacturer, trying to steal a program that took years and a lot of investment to develop in our Silicon Valley, is that just war by other means now?
JANET NAPOLITANO: Well, it’s huge economic loss to the country.
I mean, the United States is the nation of innovation. And we have the best innovators, really, in the world. Our international property is one of our huge national economic assets. Yes, so to the extent that some are seeking to infiltrate our network, steal that information, not to have to invest in the research and development that goes into innovation, that’s a really big deal.
RAY SUAREZ: So, we have this new executive order. What does it create, what does it do that is new, that tightens up, that fortifies our defenses?
JANET NAPOLITANO: The executive order does several things.
One, it increases, we hope, information-sharing between the nation’s private sector that controls critical infrastructure and those of us who have the duty to protect the nation. Second, it asks the Department of Homeland Security to denominate precisely what is the nation’s core critical infrastructure, and working with NIST, which is a part of the Department of Commerce, and with the private sector to develop standards for that core critical infrastructure.
So it’s information-sharing, and it’s standards, standards setting and exchange of best practices. There is a carve-out. If a particular part of our industry already is regulated, and it is determined that those regulations are sufficient in the cyber-security realm, we’re not going to add a second set.
So this is really designed to say, what’s the nation’s core critical infrastructure, where is it adequately protected by existing regulations, where is it not? What are the standards that should be applied there? And how do we get to those standards in a fairly short time frame?
RAY SUAREZ: Sec. Napolitano, thanks a lot.
JANET NAPOLITANO: Thank you very much.
JEFFREY BROWN: We have more coverage of the interview with Sec. Napolitano and recent large-scale cyber-attacks. You will find links in our Rundown news blog.