Responding to Cyberattacks
Floor Speech
BREAK IN TRANSCRIPT
Mr. HIMES. Madam Speaker, as I rise, gasoline is once again flowing through the Colonial Pipeline, and we are getting ready to undertake our routine briefs--those of us who sit on the Intelligence Committee and the Committee on Homeland Security--of this week's cyberattacks. Many of them will have come from Russia, from China, from North Korea, from Iran, or from some shadowy criminal group, which is often sheltered or at least tolerated by one of these countries. Many will have succeeded in stealing critical data or penetrating essential networks. Only a few, like the recent attacks on the Colonial Pipeline, will ever become publicly known.
There is a long list of things that we must do to stop these attacks. We should require private companies to tell the public, or at least the government, when these attacks occur. We should make sure that experts in places like the NSA and the FBI are working side-by-side with network operators to address these attacks, and we should have a clear policy on the payment of ransom to ransomware attacks.
But at the very top of the list is the need to fundamentally change the game by establishing a sure and swift deterrence.
Time and again, we do too little, too late.
Five years ago, President Obama responded to the Russian attack on our 2016 election, the very essence of our democracy, with the expulsion of 35 so-called Russian diplomats and the closing of a few secondary Russian facilities, and he told Putin to ``cut it out.'' Putin barely felt the slap on the wrist.
We know that, because fewer than 4 years later, a Russian intelligence agency used a supply chain attack on Microsoft and SolarWinds to penetrate thousands of networks, including those of the Federal Government. In response, the United States--you guessed it-- expelled some Russian diplomats.
For the bad guys, the cost of doing business is very low indeed.
It is time to strike back using our unparalleled offensive cyber capabilities with the ferocity and precision and, yes, the proportionality that these and many other cyberattacks would have provoked had they been undertaken kinetically.
Let's hurl the full weight of the American legal, diplomatic, and cyber capabilities against DarkSide and the organizations or countries that assisted it. There is no reason why our immense power, if applied, can't result in jailed hackers, businesses sanctioned into bankruptcy, emptied bank accounts, and melted computers.
The same goes for Putin, who draws no formal distinction between the Kremlin and the private groups who supply it with propaganda, mercenaries, and hacking services. Putin respects only the Machiavellian language of force and retribution. For him, all else is tactical. So let's demonstrate the cyber capabilities we have spent billions of dollars developing. Let's make sure that he and the oligarchs who support him feel the fear and anxiety felt by millions of Americans contemplating crashed email systems and gasoline lines down the street.
The objection to my arguments has always been consistent: that as a highly networked nation, we are particularly vulnerable to a cyber tit- for-tat. In a cyber exchange, the Russians, the Chinese, or the Iranians might choose to attack our critical infrastructure, like, say, a gasoline pipeline. Yes, there is risk, but that risk must be weighed against the fully unacceptable status quo.
Hitting back isn't the only answer. It is part of the answer. In this new world, a credible deterrent must be combined with clearly articulated international rules, norms, and an understanding of our national doctrines: all the things that helped keep the Cold War with the Soviets from becoming hot.
Above all else, however, it is time to change the game and impose the meaningful costs that will finally deter our adversaries. Until we do, we are all just waiting for the next Colonial Pipeline attack.
BREAK IN TRANSCRIPT
Source