RSA Hack Reverberates a Year LaterCyber Commander Analyzes Breach before Senate Panel
It's been a year since attackers - believed to be from China - hacked into servers of security maker RSA and pilfered the underlying software of its SecurID two-factor authentication product [see RSA Says Hackers Take Aim At Its SecurID Products]. That March 2011 attack continues to resonate among the highest echelon of the United States government's cybersecurity leadership.
Army Gen. Keith Alexander - the director of the National Security Agency and commander of the military's Cyber Command - testified this past week before the Senate Armed Services Committee about U.S. cyber defense, and specifically mentioned the ramifications of the RSA attack in his prepared testimony and live response to senators' questions.
Alexander credited RSA for its quick response, noting the security provider furnished the Defense Department and key contractors with new, secure certificates, but the 4-star general used the breach to show how vulnerable the military, government and business are to those who would do us harm.
"When you think about it, the ability to do it against a company like RSA with such high-order capability - RSA, say, being one of the best - that if they can do it against RSA, that makes most of the other companies vulnerable," Alexander said in response to a question from Committee Chairman Carl Levin, D-Mich.
The "they" Alexander referred to is the Chinese, who used the stolen certificates to hack into several American companies, including a major defense contractor, which Alexander didn't name but believed to be Lockheed Martin. [see Lockheed Attack Linked to RSA?]
Levin suggested that Alexander lobby Vice President Joseph Biden who has been in discussions with the Chinese over the theft of American intellectual property to get Beijing to stop. Alexander didn't respond directly to Levin's suggestion that he be the "spokesman" to Biden, but did respond to the senator's question regarding the options the United States can take to prevent Chinese and others from stealing U.S. secrets and intellectual property.
At first, Alexander tried a bit of levity. "Well, I suppose using the rest of Stratcom is out," Alexander said, in reference to the military's combatant command that oversees U.S. nuclear arms.
Alexander suggested that diplomacy won't work, saying the best approach to stop the Chinese and others is to build a better cyber defense. "The most important thing that we can do is make it more difficult for them to do what they are doing," he said. The general compared today's protection of intellectual property to a bank that keeps its money on tables in a New York City park. "We're losing money, and we're wondering why it's not well protected," the cyber commander said. "Our intellectual property is not well protected, and we could do better."
The United States, heavily indebted to the Chinese, doesn't seem to be in a position to persuade China to change its cyber-espionage and cyber-theft ways. Alexander is right; the best approach is building a better defense. And, it is not just the military that needs to toughen its cyber defense; other parts of the government as well as business must do so also. Sounds good, but not something most people think will be done anytime soon. That doesn't mean we won't try.