Experts: US Is Not Prepared to Handle Cyber Attacks

In Congressional testimony, authorities on cyber defense say neither government agencies nor private companies are ready for what may come

If the bad guys launched a coordinated cyber attack on the United States tomorrow, neither government nor industry would be able to stop it, experts warned legislators yesterday.

At a hearing held by the House Permanent Select Committee on Intelligence, cyber defense experts testified that government agencies are insufficiently coordinated to handle an attack, and that efforts to build a defense have not adequately addressed issues in the private sector.

"The Department of Homeland Security lacks the personnel, capability, authority, and culture required to do the job entrusted to them by the President and Congress," said Amit Yoran, CEO of NetWitness Corp. and former director of the National Cyber Security Division at DHS. "DHS's cyber efforts are disorganized and disjointed, and practical operations continued to be buried deeper within the organization."

Yoran quoted Robert Stephan, DHS Assistant Secretary for Infrastructure Protection: "Most of the time, every day, I spend most of the bullets in my single 30-round magazine that I bring to work every day shooting into the backs of our own bureaucracy, trying to clear a field of fire," Stephan reportedly said. "So, I have one bullet left to either pump at al Qaeda -- or save it for me, because the bureaucracy is about to overwhelm me."

"Our current information infrastructure is riddled with holes, unknown backdoors, and is extremely difficult to protect in the face of increasingly sophisticated adversaries," said Paul Kurtz, a partner with Good Harbor Consulting and a member of the Center for Strategic and International Studies's (CSIS) Commission on Cybersecurity.

Yoran and Kurtz both said that the government isn't doing enough to involve private industry in the cyber defense effort. For example, there is no organized way for companies and government to share information about attacks or breaches, they said. There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government, said the panelists.

Yoran once again raised warnings that private companies that deliver parts of the nation's critical infrastructure -- such as utilities -- are not well coordinated in cyber defense. He said that the definition of "critical infrastructure" has become overly broad, which makes these defenses more difficult to develop.

Kurtz registered concerns about the theft of intellectual property from U.S. companies, which he said is occurring at a rate of $200 billion a year. "American industry and government are spending billions of dollars to develop new products and technology that are being stolen at little to no cost by our adversaries," he said. "Nothing is off limits -- pharmaceuticals, biotech, IT, engine design, weapons design."

The CSIS commission is scheduled to release a full report on its evaluation of U.S. cyber defenses in November.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...