Twitter Hack Highlights Need for White House Cyber Director, Hearing Told
Twitter’s human-enabled hack is another example of why the White House needs a national cyber director and the Cyberspace Solarium Commission’s (CSC) recommendations should be implemented (see 2007150065), said House Cybersecurity Subcommittee members during a hearing Friday. “It doesn’t take much imagination to see what chaos one could sow with such access on election day if a bad actor was pushing out disinformation,” said Rep. James Langevin, D-R.I., of the Twitter hack.
Hackers reportedly fooled or convinced a person at the company to provide administrative credentials that led to the breach of several high-profile accounts (see 2007160074), said CSC co-chair Mike Gallagher, R-Wis. The biggest cyber successes and failures have been human-enabled, he said. Rep. John Joyce, R-Pa., noted how easy it is for human error to allow a breach.
The hack is a reminder that cyberattacks are an ever-present threat, said CSC co-chair and Sen. Angus King, I-Maine. More than 50 of the commission’s 82 recommendations have been presented as legislative proposals, he said, highlighting the need for a national cyber director in the White House. Rep. Sheila Jackson Lee, D-Texas, also drew attention to the Twitter hack, asking which commission recommendations would help prevent something like that.
Ranking member John Katko, R-N.Y., noted his support for Langevin's legislation to create such a position. As his top priority among the recommendations, Katko wants to “vastly” increase funding for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to carry out its role as the nation’s risk manager. He introduced this recommendation as a bill with Rep. Dutch Ruppersberger, D-Md., HR-7588, which requires CISA to assess its resources, facilities and future needs.
House Homeland Security Committee Chairman Bennie Thompson, D-Miss., supported creation of a national cyber director and “more clearly defining the roles and responsibilities of CISA and sector risk management agencies.”
Cyber responsibility is scattered throughout the federal government without anyone within the White House to resolve turf wars, said King, calling the director proposal one of the most “obvious” recommendations. The commission rejected the idea of elevating CISA as a new cabinet office because it would take a long time, would be duplicative and wouldn’t have the White House authority, he said. The model for the director is the Office for the U.S. Trade Representative, with the object being to have “one throat to choke,” he added. Reform starts with establishing a Senate-confirmed national cyber director in the White House, Gallagher said.
CISA needs prompt, proper authority, including administrative subpoena authority to be the national risk manager and act as the central civilian cybersecurity authority, said CSC Commissioner Suzanne Spaulding. It’s becoming clear that many networks can be “untrustworthy,” but individuals shouldn’t have to be cybersecurity experts, testified CSC Commissioner Samantha Ravich. The recommendations are common sense, and all should be implemented, said Rep. Kathleen Rice, D-N.Y.