Biden Prodded to Take Muscular Approach to Cybersecurity
Officials and analysts are urging the Biden administration to be more aggressive than its predecessors in dealing with cyber threats from adversaries such as Russia and China as well as non-state actors.
A December report by the Aspen Institute, “A National Cybersecurity Agenda for Resilient Digital Infrastructure,” offered a scathing critique of the U.S. posture.
“The increasing costs of malicious cyber activities demonstrates that current processes and structure are insufficient to safeguard national security, economic prosperity, and public health and safety,” said the study. “Numerous adversaries, whether nation-states or cybercriminals, can attack consumers, businesses and government agencies with relative impunity.”
The SolarWinds hack, which was revealed in December, highlighted the challenge and amped up the pressure on the federal government to do more to secure the nation’s systems.
SolarWinds’ Orion software platform had 18,000 public and private sector customers, although not all were subject to follow-on attacks, according to U.S. government officials.
A rare joint statement issued in January by the Cybersecurity and Infrastructure Security Agency, FBI, National Security Agency and Office of the Director of National Intelligence stated: “An advanced persistent threat actor (APT), likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence-gathering effort. … This is a serious compromise that will require a sustained and dedicated effort to remediate.”
The Russian government has denied its alleged involvement.
The breach appears to have gone undetected for many months.
“The cyber hack is like Russian bombers have been repeatedly flying undetected over our country: alarming U.S. vulnerability; apparent cyber warfare weakness; glaringly inadequate cyber defenses,” Sen. Mitt Romney, R-Utah, tweeted. “Past time for a national security reset that prioritizes cybersecurity capabilities and defenses.”
The United States is especially vulnerable because its economy and military are so dependent on information technology networks, analysts say.
“We have many points of potential entry which are difficult to guard,” Paul Kolbe, director of the Intelligence Project at Harvard University’s Belfer Center, said during a recent panel hosted by the Center for the National Interest.
However, Kolbe and other experts say there are a number of steps that should be taken to improve the nation’s cybersecurity posture.
One is better information sharing and situational awareness.
“We see a tiny fraction of the breaches of American companies in the public reporting,” Alex Stamos, founder of the Stanford Internet Observatory, said at the Aspen Cyber Summit.
“Anybody who has worked as a consultant for companies as an incident responder knows that we’re probably seeing 5 or 10 percent of the successful breaches that happen,” he said. “Imagine a world in which we only talked about one out of 10 plane crashes — would we actually be able to improve airplane safety?”
Congress should enact a federal disclosure law that includes more requirements and instructions for the private sector to report cyber intrusions so that government agencies can take action if needed, Stamos said.
The Pentagon’s new Cybersecurity Maturity Model Certification rules will compel contractors to meet certain standards to be eligible to do business with the Defense Department. There have been suggestions that other agencies such as the Department of Homeland Security could implement a similar paradigm.
“You would want to think about how you do this at a [broader] federal level,” James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, said in an interview.
Cybersecurity requirements would need to be tailored for the type of organization they are being applied to, he noted.
“What might be appropriate for a defense contractor isn’t going to make sense for a grocery store or a consumer oriented company,” he said.
“It has to be adjusted to match the security risk posed by each industry.”
Lewis said DHS needs to do a better job of warning and advising the private sector about threats.
“That might mean working with the [cybersecurity] companies that do this for a living, you know, the CrowdStrikes or the FireEyes or the McAfees. But this is a place where people want to see their government do more,” he said.
Lewis noted that President Joe Biden needs to bolster interagency cooperation, including by recreating the White House cybersecurity coordinator position, which was eliminated during the Trump administration.
The nation also requires more layered defenses to mitigate risks from single points of failure, experts say. Kolbe compared the United States’ current cybersecurity posture to France’s “Maginot Line,” a chain of border fortifications that the German army outflanked during World War II, which led to France being overrun.
The growing popularity of managed services for IT creates challenges, Lewis noted.
“We need to upgrade our cybersecurity rules to take into account the fact that you might be a network operator, but you’re going to have a third party who is involved in your network operations as well,” he explained. “You might be doing everything according to the [National Institute of Standards and Technology security] framework and you’ll still be vulnerable. And that’s where we’re going to need to do some rethinking. That’s a task for DHS and for the Biden White House.”
But playing better defense isn’t sufficient. The United States needs to be more aggressive in pushing back against cyber attackers, analysts say.
“We need to increase costs for adversaries,” the Aspen Institute report said. “Too often, our efforts to shut down adversary networks only impose minor setbacks that still allow them to pivot and quickly recover operations.”
In recent years, U.S. Cyber Command has adopted operating concepts known as “defend forward” and “persistent engagement” to proactively pursue and counter adversaries’ malign activities.
“It’s definitely a step in the right direction,” Lewis said, but more needs to be done. “We’re going to have to think what are the actions that we take that will be coercive … to get Russia and China to change their behavior.”
Coercion could involve using a wide variety of policy tools — including economic sanctions or law enforcement actions against offending parties — not just military moves. Whatever policy approach is taken, working in concert with international allies would be much more effective than the United States going it alone, experts say.
Lewis said the Trump administration deserves credit for giving the Defense Department and Cybercom more authority to conduct cyber operations without the president having to sign off on them.
“That delegation was really important in giving us the flexibility to respond quickly,” Lewis said, suggesting the Biden administration should embrace that approach.
Lewis cautioned against splitting leadership of Cybercom and the NSA, as some have been advocating. Army Gen. Paul Nakasone is currently dual-hatted as the head of both organizations.
“It’s actually good from an efficiency standpoint to have the same guy in charge of both. It makes it easier to deconflict” military and intelligence community activities, Lewis said. “The tools that NSA develops are the tools that Cyber Command uses. Cyber Command can’t develop those tools on its own. So right now the most efficient solution is to have one person at both organizations. It has worked out pretty well.”
Meanwhile, the U.S. government needs to better attract cyber talent. However, recruitment is a challenge because agencies can’t offer salaries that compete with the private sector.
“Part of what we need to do is think about how do we increase the pipeline of talent flowing to cybersecurity?” Lewis said. “How do we make it easier for DHS to get their share of that?”
Leveraging artificial intelligence and automation tools could help mitigate personnel shortfalls and bolster capabilities, he noted.
Some observers have called for strengthening international norms against certain behaviors in cyberspace. But according to Lewis, the problem isn’t a lack of norms; it’s that they aren’t sufficiently enforced.
“We have agreed norms adopted by all UN member states in 2015,” said Lewis, who helped write them. “The Russians and Chinese just ignore them and they’ll continue to ignore them as long as there’s no penalties for doing that. We want norms, we want people to observe the norms, and the way to get people to observe norms is to take actions when they don’t.”
A complicating factor is that some nations might accuse Washington of hypocrisy.
The United States — along with Israel — was reportedly behind the Stuxnet attack that used a malicious computer worm to physically damage Iranian nuclear material production during the Obama administration.
“It probably did violate international law,” Lewis said. “That’s really what the Russians would point to — ‘Hey, how can you guys complain? Look at what you did in Iran.’”
The UN norms also don’t generally apply to cyber espionage activities, he noted.
However, the current environment presents significant risks for escalation, experts say, especially if the use of cyber weapons leads to physical damage of critical systems or human casualties. Lewis said such fears caused previous U.S. administrations to take a cautious approach to retaliating for cyber intrusions.
“The potential for destruction on our side and on the sides of our adversaries is enormous,” said George Beebe, director of studies at the Center for the National Interest, noting that “cyber bombs” could be used to attack critical infrastructure.
Beebe and others advocate for bilateral diplomatic engagement at the highest levels with countries like Russia to address the issue.
“We’re going to have to figure out how do we do some things like what we did in the Cold War … that helped us ensure that things didn’t spin out of control in ways that hurt both of us,” he said.
Kolbe added: “I believe that there are at least some areas that you would be able to identify of common interests, where each side would be able to say, ‘Look, we believe that this set of behaviors would either be so destabilizing, so dangerous or so inimical to our interests that it’s worth doing an agreement.’”
However, some U.S. agencies might not want to be restrained in what they are allowed to do.
“There’s a tension, I think, between the people who are in the intelligence business … and people who are looking at broader aspects of national security and other aspects of national interest here,” Beebe said. “The intel guys may well say, ‘Don’t tell me what I can’t collect on. … We need to be doing this.’”
A lack of trust between great power competitors could also pose an obstacle to a bilateral agreement, Kolbe noted.
In December, Biden issued a statement saying cybersecurity will be a top priority for his administration.
“We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks.
“But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,” he added. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.”
The Biden transition team did not respond to a request to comment for this story.