Congress to Focus on Shady RAT
Is a House Commerce Panel the Right Forum to Probe this APT?
One problem Congress faces in legislating cybersecurity is that there are just too many committees and subcommittees claiming jurisdiction.
Rep. Mary Bono Mack chairs the House Subcommittee on Commerce, Manufacturing and Trade, and the California Republican sees the panel having a jurisdictional link to IT security through its oversight of protecting consumers' privacy and promoting America's international competitiveness and economy through reliable online transactions. Bono Mack is sponsor of HR 2577, the Secure and Fortify Electronic Data Act or Safe Data Act, which would provide for national data breach notification. The bill passed the subcommittee in June (see House Panel Clears Breach Notification Bill).
But is Bono Mack stretching her subcommittee's jurisdictional responsibility by probing Shady RAT, the name given in a paper issued by security provider McAfee to a 5-year-plus advanced persistent threat hack carried out by a "state actor" that many believe to be China (see Is China the Nation Behind Shady RAT?)? In a letter to the paper's author, McAfee Vice President for Threat Research Dmitri Alperovitch, Bono Mack invited him to brief her committee on Shady RAT.
The cyberattacks described in the Shady RAT report aren't much like the breaches victimizing banks and consumer-oriented websites that expose personally identifiable information, which have prompted moves to nationalize data breach notification. The Shady RAT assailants sought government, military and trade secrets, not the PII on individuals. The questions in Bono Mack's letter to Alperovitch seem to recognize the differences between the two styles of attack.
For instance, Bono Mack asks:
"While the report suggests the high-profile intrusions of recent months that garnered significant media attention are neither sophisticated nor novel, are they representative of intrusions we should expect to continue; how do these unsophisticated intrusions differ from the intrusions that were the focus of your report? Are such intrusions something the government and private sector can effectively prevent or mitigate on a continuing basis?"
"The report states McAfee's security threat research team was 'taken aback by the audacity of the perpetrators.' Did the log analyzed by McAfee reveal novel techniques or patterns that would be helpful in our efforts to combat cybercrime?"
"The report describes 'a historically unprecedented transfer of wealth' over the last five or six years. Is McAfee aware of any estimates that quantify the financial impacts on U.S. business, consumers and our economy at large?"
Of course, Alperovitch's IT security expertise goes well beyond Shady RAT and his insights into threats would benefit the subcommittee. Still, if the House of Representatives wants to get to the bottom of Shady RAT, and how to safeguard government and military secrets, other committees such as Homeland Security or Armed Services would be more appropriate venues for Alperovitch's testimony. Congress should be more disciplined in how it addresses its cybersecurity oversight.