Defense nominee: US ‘not where it should be’ on cybersecurity

The Defense Department’s network security “is not where it should be,” said Ashton Carter, the nominee for Defense secretary, during his Wednesday nomination hearing.

“We’re not anywhere near where we should be as a country,” Carter said before the Senate Armed Forces Committee. “Not only is our civilian infrastructure susceptible to cyberattack, but we have to be concerned about our military infrastructure.”

{mosads}While the Islamic State in Iraq and Syria (ISIS) and Russian aggression in Ukraine dominated much of Carter’s hearing, the Pentagon pick also fielded questions on cybersecurity.

“A number of countries out there, including Russia, China, North Korea, probably many others, have very sophisticated means of attacking networks,” said Sen. Joni Ernst (R-Iowa).

Russia and China are both widely suspected of ongoing cyber campaigns to steal U.S. military secrets. Moscow is believed to be behind a 2008 cyberattack on the DOD. The government also recently blamed North Korea for a massive cyberattack on Sony Pictures.

“How do we best protect our equipment, protect our personnel moving forward?” Ernst asked.

“There’s no point in having planes and ships and armored vehicles in today’s world if the network itself is vulnerable,” Carter responded. “I hope we can work together if I’m confirmed by this committee on improving our cyber defenses, many aspects of cyber.”

While there is bipartisan agreement that the DOD must improve the nation’s cyber defenses, privacy advocates have pushed back on some of the tactics used by its agencies, including the National Security Agency (NSA).

In 2013, government leaker Edward Snowden disclosed secret NSA spy programs that were bulk collecting data on people in the U.S.

“Do you have an opinion on where the federal government should be in regards to protecting our national security interests versus the privacy of individuals out there that might be using the network?” Ernst asked.

“The federal government does have a role in protecting the country from a cyberattack in the same way it has a role in protecting the country from other kinds of attacks,” Carter replied. “I think it can do a lot more to exercise that responsibility without causing concerns over invasions of people’s privacy.”

Carter emphasized the need for the DOD and private sector to exchange more cyber threat information.

“I think if people fully understood … how vulnerable we are in cyberspace, they would want us to do more,” Carter said. “Not in a way that compromised anybody’s privacy, but they would want us to do a lot more than I believe we are doing now.”

Lawmakers have been trying to pass legislation that would provide legal liability protections for companies sharing cybersecurity information with the government. But concerns that the NSA could access the data to gather personal information on Americans have stalled the efforts.

The White House recently put support behind its own legislative proposal to encourage public-private cyber threat information-sharing. The offering attempts to assuage privacy advocates’ concerns by funneling all the data through the less controversial Department of Homeland Security, not the NSA.