Is the United States doing enough to equip itself to thwart state-level and criminal attacks?
The unprecedented scale of the SolarWinds attack, writes Greg Austin, is a powerful example of how the cyber threat landscape has intensified.
Testimony by leading experts to the US Congress on Feb. 10 made it clear that the country's cyber defense and deterrence strategies are not effective against foreign cyberattacks. Criminal activity also poses a significant threat to national cyber defenses: the testimony was delivered only days after an attempt to poison a city's water supply, and potentially its residents, by remotely tampering with the chemical dosing at a treatment plant. The hearing was the first held by the Homeland Security Committee since the Russian espionage campaign built on software from the US company SolarWinds came to light in December 2020, and since the inauguration of President Joe Biden.
All four experts, including Christopher Krebs, the founding director of the Cybersecurity and Infrastructure Security Agency (CISA), were optimistic about the prospects for successful and effective upgrades to national cybersecurity, and they offered sound advice for improvement. At the same time, their accounts show that there is still a long way to go, and the room for optimism is narrower than they suggested, given that the picture they painted was of a seriously intensifying cyber threat landscape.
The same day, the White House announced plans for an investigation into the SolarWinds attack. In that campaign, which may still be ongoing, a Russian intelligence agency compromised SolarWinds' software build and update process to push a backdoored update to the company's customers, accomplishing what some call the most serious cyberattack ever.
US cyber defense today
In May 2017, four months after taking office, the Trump administration set out an urgent agenda for cybersecurity reform. It covered most of the foundations: critical infrastructure; retirement of legacy, insecure systems; supply chain transparency; the industrial base; the workforce; diplomacy; and military cyber power.
New institutions such as CISA emerged, and other units in key agencies were elevated in importance and received higher levels of funding. The National Cyber Strategy of 2018 announced the Cyber Deterrence Initiative, which promised to impose costs on nations engaged in sustained malicious cyber attacks on the United States. The administration did many things well, including delivering what CISA described as the 'most secure [election] in American history'.
Still, attacks by other governments continue to succeed, as SolarWinds shows, and criminal attacks continue alongside them. Russia and China have not been discouraged from mass cyber espionage against the US, at least for now. One reason is that espionage is what great powers do, and they will use every available tool as effectively as they can to do it.
Another reason is that cyber defense is a very difficult undertaking, even for the most powerful country in the world. Most of the US federal government, made up of more than 100 agencies and thousands of distinct IT systems, is not well placed for cyber defense. Krebs, who left office only in November, said as much in his testimony.
In cyber security policy, nobody believes in an impenetrable defense. The aim instead is to reduce the likelihood of successful attacks and to minimize their impact. This is a sound approach, because it prioritizes protecting the 'crown jewels', the country's most valuable secrets, while conceding that lower-value territory will suffer inevitable intrusions, and that failures such as the SolarWinds breach will occur.
Recommendations for the future
Taken together, the testimony of the four witnesses, all national leaders in the field, calls for radical improvements in the way decision-makers handle cybersecurity.
Krebs called for a bolder vision and much more investment from the federal government. He advocated expanding CISA's powers and much better coordination between government and the corporate sector. He described the ransomware threat as a "national emergency" that must be met with aggressive action, citing the overall weakness of cyber law enforcement in the United States. He raised the prospect of serious legal action and other retaliatory measures against ransomware gangs, as well as legal measures to discourage ransom payments.
In her brief written statement, Susan Gordon, a former senior official in the US intelligence community, called for more transparency about cyber attacks and cybercrime, especially through intelligence sharing. She warned that solutions could not be purely technical, an allusion to the growing calls for further study of the social aspects of cybersecurity and for socially focused cyber defenses.
Michael Daniel, president and CEO of the Cyber Threat Alliance, made a strong call for more attention to the social dimensions of cybersecurity: economic, psychological, organizational, process, policy and legal. He warned that treating cyberspace as an amorphous global commons, like the oceans or the atmosphere, distracts from the hard, physical and geographic character of cyber activity. He called for a more precise articulation of cybersecurity as the business of preventing an adversary from achieving its overall goals, which shifts the focus to blocking those efforts while acknowledging that not every cyber attack will be defeated.
Dmitri Alperovitch, chairman of the newly established Silverado Policy Accelerator, included several business-oriented recommendations in his written statement. He called for increased powers for CISA so that it could act as chief information security officer for the entire federal government. He also supported the need for greater transparency by advocating a national breach notification law, and he called for stronger action to defeat the ransomware business model.
In terms of a strategic approach to malicious acts committed by states in cyberspace, Alperovitch's statement came closest to a comprehensive policy position, and his remarks on that point echoed those of the other witnesses. He argued that cybersecurity could only be optimized through more effective geopolitical responses to the malicious actions of the US's four main adversaries in cyberspace: Russia, China, Iran and North Korea. This sentiment is likely to be a guiding principle for the Biden administration's cyber policy and for its broader bilateral diplomacy with these four countries.