With dueling comprehensive cybersecurity bills slated to come to the Senate floor in the next three weeks, influential upper chamber lawmakers are continuing their aggressive effort to sway their colleagues.
Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), chairman and ranking member of the Homeland Security and Governmental Affairs Committee, respectively, and authors of one of the main bills, held at least their third formal presentation for members and staff, bringing in administration cyber experts for a demonstration.
The demonstration Wednesday focused on a spear phishing attack against the Homeland Security Department.
Mark Weatherford, DHS’s deputy under secretary for cybersecurity, said the point of the demonstration was not to scare members and staff, but to enlighten them about how easy spear phishing attacks are to put together. Weatherford’s team from the U.S. Computer Emergency Readiness Team (US-CERT) used open source tools available for free on the Internet.
“Anyone can do them. Many of them are point and click,” Weatherford said. “It’s to use a very simple spear phishing attack, craft an email, get someone to open an email. The email then compromises the computer, gives the attacker control of that computer to do whatever he wants on that computer, download files, violate the integrity of files and use that computer as a pivot point to go somewhere else. These are very common techniques and tactics that are used to do these kinds of things.”
The DHS exercise showed how in less than five minutes, an attacker, using free tools found on the Internet, could attach malicious code to a PDF document — in this case a copy of the cyber bill — and send a fake email that seemed to go from a manager to an employee at DHS.
Once the victim opened the PDF, the attacker had control of the machine and used the toolkit’s password cracker to recover the user’s password as well as network and administrative passwords. DHS showed that once the hacker had those, they could download, delete, upload and change files. The hacker could also turn on the computer’s microphone and record 30 seconds of audio at a time, and turn on the PC’s Web camera.
DHS officials say agencies can protect themselves by applying software patches promptly, which closes the document-reader vulnerabilities a malicious attachment relies on, and by scanning attachments for known attack code before they reach the user.
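The two tells in the demonstration, a message that only looks like it comes from a manager and a PDF that does something when opened, are both visible to a mail gateway before the user ever clicks. The following triage script is an added example, not DHS’s demonstration, US-CERT’s toolkit or any agency configuration; the internal domain, the staff directory, the list of risky PDF keys and the sample message and PDF are all constructed assumptions. It parses a raw message, flags sender spoofing patterns in the headers, and statically scans any PDF attachment for active-content markers, including ones hidden inside a compressed object stream, which a plain grep of the file would miss.

```python
"""Gateway triage for a spear-phishing email of the kind DHS demonstrated:
a spoofed "from the manager" message carrying a PDF with active content.
Constructed example: the internal domain, staff directory, sample message
and marker list are assumptions, not US-CERT's toolkit or DHS's setup."""
import email
import email.policy
import email.utils
import re
import zlib
from email.message import EmailMessage

INTERNAL_DOMAIN = "dhs.example"                               # assumed
KNOWN_STAFF = {"jane manager": "jane.manager@dhs.example"}    # assumed directory

# PDF dictionary keys that let a document run code or launch something on open.
# Benign documents rarely need them, so their presence is a reason to hold the
# message for inspection; it is not by itself proof of an exploit.
PDF_RISK_MARKERS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def scan_pdf(data: bytes) -> list[str]:
    """Return the risk markers present in a PDF, looking inside FlateDecode
    streams too, since attackers hide the action dictionary in compressed objects."""
    if not data.startswith(b"%PDF-"):
        return ["not-a-pdf"]
    found = {m.decode() for m in PDF_RISK_MARKERS if m in data}
    for match in re.finditer(rb"(?<!end)stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            # decompressobj tolerates trailing bytes after the zlib stream
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate, or corrupt: nothing more to learn statically
        found.update(m.decode() for m in PDF_RISK_MARKERS if m in inflated)
    return sorted(found)


def check_headers(msg) -> list[str]:
    """Flag the spoofing tells a gateway can see: sender outside the organization,
    Reply-To pointing elsewhere, and a display name that matches a real employee
    while the address does not."""
    findings = []
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != INTERNAL_DOMAIN:
        findings.append(f"external-sender:{from_domain}")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to-mismatch:{reply_addr}")
    expected = KNOWN_STAFF.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        findings.append(f"display-name-impersonation:{from_name}")
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message, run both checks, and return a verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {"headers": check_headers(msg), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            report["attachments"][name] = scan_pdf(part.get_payload(decode=True))
    # Active content in an attachment weighs more than any single header oddity.
    score = len(report["headers"]) + 2 * sum(len(v) for v in report["attachments"].values())
    report["verdict"] = "quarantine" if score >= 3 else ("review" if score else "deliver")
    return report


def build_sample_pdf() -> bytes:
    """Constructed lookalike of a weaponized PDF: /OpenAction in the catalog points
    at an action object whose /JavaScript key sits inside a compressed stream."""
    action = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (app.alert('bill')) >>")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /Length " + str(len(action)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + action + b"\nendstream\nendobj\n%%EOF\n")


def build_sample_email() -> bytes:
    """Constructed message modelled on the demonstration: appears to come from a
    manager and carries the bill as a PDF, but originates from a lookalike domain."""
    msg = EmailMessage()
    msg["From"] = "Jane Manager <jane.manager@mail-dhs-gov.example>"
    msg["Reply-To"] = "replies@freemail.example"
    msg["To"] = "analyst@dhs.example"
    msg["Subject"] = "Please review the cyber bill before the briefing"
    msg.set_content("Attached is the latest draft. Comments by noon, please.")
    msg.add_attachment(build_sample_pdf(), maintype="application", subtype="pdf",
                       filename="Cybersecurity_Act_2012.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

The static PDF scan is deliberately conservative: it reports which keys are present and leaves the decision to a policy score, because a document with `/OpenAction` is suspicious rather than proven malicious, and a gateway that quarantines every form with JavaScript will be switched off within a week. The header checks catch the cheap version of the demonstration’s trick (a lookalike domain with a familiar display name); a message that is actually sent from a compromised internal account passes them, which is why patching the reader and scanning the attachment still matter.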
“Einstein 3 is essentially the intrusion prevention system part of it,” Weatherford said. “We are working right now on how we are going to deploy that.”
He said any rumors about Einstein 3 going away are false.
A DHS official said the agency “plans to accelerate the transition of the Einstein 3 program from a system in which the government builds and deploys intrusion prevention systems to one in which DHS contracts with major Internet Service Providers (ISPs) to supply intrusion prevention services, augmented with sensitive government information.”
Most common type of cyber attack
DHS performed two presentations of the spear phishing attack. About 40 legislative staff members and three senators — Sens. Dick Durbin (D-Ill.), Tom Carper (D-Del.), and Roger Wicker (R-Miss.) — attended the first closed demonstration. DHS then opened up the show to the media.
“Spear phishing is the most common form of cyber attack that we know now,” Lieberman said. “It’s not just used against personal computers, for instance, but it is the most common form of attack against some of the critical cyber infrastructure that we want to defend and we need to defend such as the electric power grid.”
Lieberman said his bill, the Cybersecurity Act of 2012, would help reduce the risk critical infrastructure owners and operators face.
“We believe that our bill will raise the defenses against spear phishing, both in the information sharing parts of it and also through the standards or performance requirements part of it,” he said.
But that issue of regulation is what is holding the Senate up from debating the bill. Sen. John McCain (R-Ariz.) introduced a competing bill that would focus on a more voluntary approach to cyber protections.
Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) announced earlier this week they are developing a compromise bill to help solve some of the sticking points between the Lieberman-Collins and the McCain bills.
Lieberman urges action on cyber bill
Lieberman said Senate Majority Leader Harry Reid (D-Nev.) promised to bring the cyber bills to the floor for debate no later than July.
“It is not clear to me yet whether that means before the end of June or right after July 4,” Lieberman said. “I’m confident that this will come up no later than July with the caveat in the Senate these days that you know when it comes up when it’s actually called up by the clerk of the Senate. But that’s our expectation.”
Lieberman also went to the floor of the Senate Wednesday to advocate for a vote on his cyber bill.
He said his bill is the best one “because it addresses the need to secure our nation’s critical infrastructure — the computers that control heavy machinery that if commandeered could allow an intruder to open and close key valves and switches in pipelines, refineries, factories, water and sewer systems and electric plants without detection by their operators.”
Lieberman said the Senate needs to act as soon as possible not only to address the risks, but because the legislative calendar is running short too.
“[W]e need to pass our bill so we can go to conference and iron out our differences with the House — and the time remaining to do this is growing short,” he said. “We know that the ‘lame duck’ session will be almost exclusively taken up with the crucial national security debate about reversing the $500 billion in Defense cuts mandated by the Budget Control Act, as well as dealing with the expiration of the Bush tax cuts and the payroll tax cuts.”
Lieberman asked his colleagues to resolve their differences, or at least let the bills come to the floor and let the amendments be voted upon.