Can Corporations Really Defend Against Nation-State Cyberattacks?

The former CEO of Yahoo says Russian hackers are too sophisticated for the private sector to handle—and some in Congress agree.

Former Yahoo! Chief Executive Officer Marissa Mayer, (second from right) listens as Paulino do Rego Barros, Jr., (left) interim Chief Executive Officer of Equifax, Inc., answers a question as he testifies before the Senate Commerce Committee on Wednesday Richard Smith (second from left) former chief executive officer of Equifax, Inc., and Karen Zacharia (right), deputy general counsel and chief privacy officer at Verizon Communications, Inc., listen.
AP Photo/Susan Walsh
Brendan Bordelon
Add to Briefcase
Brendan Bordelon
Nov. 9, 2017, 8 p.m.

During Wednesday’s Senate Commerce Committee hearing on the recent high-profile data breaches at Yahoo and Equifax, ranking member Bill Nelson declared that top-tier U.S. companies are little more than sitting ducks for America’s foreign adversaries in cyberspace.

“At this point I’m wondering if there’s no such thing as data security,” the Florida Democrat told Marissa Mayer, the former chief executive of Yahoo, and the current and former chief executives of Equifax, all of whom had been called to testify. “When you think of a sophisticated state actor such as China or Russia, your companies can’t stand up against them. The only person, or institution, that can stand up against them is the National Security Agency.”

“There’s going to have to be a cooperation between the most sophisticated player in the United States—which is the NSA—and you all,” Nelson continued. “Otherwise we—Americans—are not going to have any more privacy.”

Mayer backed up the senator’s assertion. “Even robust defenses and processes are not sufficient to protect against a state-sponsored attack, especially one that’s extremely persistent and sophisticated,” the former CEO said. Over four years after an attack backed by the Russian government compromised around 3 billion Yahoo accounts, Mayer said the company still isn’t sure how the hackers penetrated Yahoo’s network defenses. And unconfirmed reports that the Equifax hack was also perpetrated by a nation-state continue to percolate.

It’s become commonplace to see executives from companies hit by cyberattacks trudge to Capitol Hill, preparing for a browbeating as lawmakers berate them on behalf of victimized constituents. But when attackers are able to marshal the skills and resources of some of the most powerful nation-states on the planet, does it really make sense to blame the C-Suite? If not, is the U.S. government in a position to pick up the slack? And do companies even want them to?

If Russia or China really want to steal data from American companies, most cybersecurity experts say there’s not a corporate cybersecurity system in the world that can stop them. “When we’re talking about the top-tier, the upper echelon of nation-states out there that have very sophisticated programs—if their goal is to get in and they really want to do it, they’re going to find a way to get in,” said David O’Brien, a senior researcher at Harvard University’s Berkman Klein Center for Internet and Society.

But that doesn’t mean U.S. companies should throw up their hands and hope Uncle Sam can save them—or even that they’re incapable of defeating most nation-state attacks. “Not all operations of the most sophisticated states are going to be tasked to the A team,” said Tim Maurer, the codirector of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. “And that means some of the companies—including Yahoo and some of the wealthiest companies on the planet—are able to defend against even some state-sponsored activity from some of the most advanced states.”

While Yahoo allegedly still doesn’t know if Russian-backed hackers penetrated their systems, the indictment and arrest of several of the perpetrators means other facts about the attack are public record. According to those documents, Russian intelligence agents contracted the Yahoo hack out to criminals, whom they allowed to make money from the attack on the side. Cybersecurity experts say that’s common practice for both Russia and China, whose “A teams” are often too busy targeting Western governments to hit corporate targets.

Maurer and O’Brien both believe that the success of the Russian-backed attack on Yahoo was largely due to weaknesses in the company’s security system—particularly its lack of segmentation, which allowed the hackers to access all of Yahoo’s networks after breaking into just one. “I wouldn’t consider integration with government agencies the panacea to what I think we’ve seen in the past two years, in that a lot of companies still don’t take even basic cybersecurity defense seriously enough to raise the bar,” Maurer said.

Still, some experts see an opening for greater government oversight if foreign adversaries continue to breach high-profile targets. Nelson’s proposal to integrate the NSA into the security systems of private networks sounds aggressive, but O’Brien says similar ideas have been discussed for years in the cybersecurity community. The Homeland Security Department’s EINSTEIN system now runs across most of the federal government, working to detect and block network intrusions in real time. “There’s been some debate about, well, should we deploy it on private networks too?” said O’Brien, explaining that intelligence analysts could monitor traffic on private networks deemed critical infrastructure and work quickly to shut out anomalies before sensitive consumer data is stolen.

But a government foray into the private sector’s cybersecurity networks would undoubtedly run up against opposition from across the spectrum—particularly from privacy advocates. Eva Galperin, the head of cybersecurity at the Electronic Frontier Foundation, said Nelson’s proposal is driven by “absolute ignorance about the landscape, and a lot of people spreading fear, uncertainty, and doubt.”

“It’s extremely common in Washington to believe, because Washington is the center of government, it is the answer to all of our problems,” Galperin added.

And even while some companies bemoan their vulnerability when faced with aggressive nation-states, most aren’t keen to give U.S. security agencies greater access to their systems. “What we’ve heard sort of collectively from the industry is they’re not very interested, at least at this point in time, in the government moderating their networks,” said O’Brien. That’s particularly true for firms that operate internationally, where customers in Europe and Asia would worry that U.S. intelligence agencies could use their access to snoop on their own private activities.

For now, at least, Nelson’s idea of a direct government footprint in private networks looks unlikely to gain traction on Capitol Hill. When asked about Nelson’s remarks at the conclusion of Wednesday’s hearing, Senate Commerce Committee Chairman John Thune was noncommittal. “In a lot of the conversations that we’ve had in the past about data-breach legislation, the NSA hasn’t played a prominent role in those conversations,” he said. “So we’ll bat that around a little bit, but it’s something we’ll kind of have to take a look at.”

What We're Following See More »
House Approves Opioid Package
9 hours ago

"The House on Friday overwhelmingly passed sweeping bipartisan opioid legislation, concluding the chamber’s two-week voteathon on dozens of bills to address the drug abuse epidemic. The measure combines more than 50 bills approved individually by the House focusing on expanding access to treatment, encouraging the development of alternative pain treatments and curbing the flow of illicit drugs into the U.S. It was passed 396-14, with 13 Republicans and one Democrat voting against the package."

Trump Tells Congress North Korea Remains a Threat
9 hours ago

In a letter to Congress on Friday, President Trump wrote that he's continuing the national emergency status with respect to North Korea, citing the country's “provocative, destabilizing, and repressive actions," which "continue to constitute an unusual and extraordinary threat” to the United States. In a series of tweets following his meeting with Kim Jong-un, Trump said Americans could sleep well at night because North Korea no longer poses a nuclear threat.

Navy Document Outlines Plans For Detention Camps
10 hours ago

"The U.S. Navy is preparing plans to construct sprawling detention centers for tens of thousands of immigrants on remote bases in California, Alabama and Arizona, escalating the military’s task in implementing President Donald Trump’s 'zero tolerance' policy for people caught crossing the Southern border." The document outlines plans for "temporary and austere" internment camps for 25,000 migrants "at abandoned airfields just outside the Florida panhandle," and in Alabama, for 47,000 people near San Francisco, and "as many as 47,000 people at Camp Pendleton" in California. The document estimates that operating a camp to detain 25,000 people for six months would cost approximately $233 million.

U.S. May House 20K Immigrants on Military Bases
17 hours ago

"The United States is preparing to shelter as many as 20,000 migrant children on four American military bases" in Texas and Arkansas, "as federal officials struggled to carry out President Trump’s order to keep immigrant families together after they are apprehended at the border."

Vote on Compromise Immigration Bill Gets Bumped to Next Week
1 days ago

"House Republican leaders are further delaying a vote on a compromise immigration bill, planning to make changes to the legislation for a vote next week. The news comes after a two-hour Republican Conference meeting Thursday, in which authors of the bill walked through its contents and members raised concerns about issues the bill doesn’t address, multiple GOP lawmakers said. Many members requested the addition of a provision to require employers to use the E-Verify database to cheek the legal status of their employees."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.