Want to Dominate in Cyber? Better Change your Policy.
EXPERT PERSPECTIVE/OPINION — Following the early 2021 cyberattacks against Colonial Pipeline that led to widespread gas shortages on the U.S East Coast, the U.S. government (USG) took concrete steps to ensure that ransomware attacks on critical infrastructure should be treated as national security issues. The USG tapped additional resources in the Department of Defense and leveraged foreign partners and the private sector to take the fight to one of the most damaging of ransomware gangs, REvil, in October 2021.
The entire USG approach is in deep partnership with the private sector and a multi-country effort to modernize defenses and disrupt the infrastructure and actions of malign cyber actors and ransomware gangs. It is a recognition that the confrontation with cyber adversaries is not directly kinetic, but a hybrid “war”.
Unlike previous iterations of war, the methods used by the adversary today to undermine stability in the United States are economic. The adversary is targeting the private sector, among other things, and stealing intellectual property, attacking our supply chain, and disrupting operations, often of critical infrastructure — 80% of which is held by private companies.
In early 2021, The New Yorker reported that 90% of American companies have been hacked. In September 2021, Fox News reported that the number of organizations affected by ransomware attacks had jumped 102% compared to the beginning of 2020. Cyber insurance industry rates have increased to a point that companies are now dealing with this issue as a business operations challenge: Do they spend millions on defense and insurance, or do they spend millions to pay the ransom?
A strong defense is important but insufficient: no soccer team ever won a game playing in the defensive third of their field. Likewise, a strategy built on an expectation of submission will not win the day. One thing is clear- the risk of doing nothing and continuing with the status quo is untenable in light of the exploding instances of hacking against the US private sector and the deleterious downstream implications on our economy writ large.
The exponential growth of hacking events against the US private sector begs the question of how we should respond. Were this a terrorist attack, the rules of engagement would be clear. But cyberspace is an unregulated playing field subject to exploitation from adversaries. All too often, there is an assumption made that there is rules-based order in cyberspace, but the truth is that there is not. The narrative that the imposition of our values in defining the way forward would somehow be destabilizing to the world hacking order, is false.
In fact, because technology is agnostic, and it is human motivation and intent that defines how technology is used, the U.S and likeminded foreign partners must impose their values in molding the rules of engagement. It is incumbent on us to set the tone and impose our values to drive a framework that is acceptable to the US. We must remember that China and Russia outnumber us — the values that drive the use of technology moving forward must replicate our core values that respect civil liberties and human rights.
The themes at the center of the discussion all boil down to one thing: The winner of this hybrid “war” in cyberspace will be the one who out-thinks their opponent. Breaking down the barriers between the public and private domain and academia will provide ample opportunity to leverage the best-in-class technology, capability, and approach at any given time. A governance framework effective in providing a method for coordination and deconfliction across partners, most likely with intelligence support, and clearly articulated roles and responsibilities will allow the partner best positioned to respond to act on behalf of the collective in a coordinated manner. This increase in gray noise will have its pros and cons. It may be easier for IC CNO/CNA activities to blend into the environment, for example, but may increase instances of mistaken attribution to innocent third parties. These are the complexities that a governance framework will aim to address and iterate on.
Modernizing our laws so that they provide us the capability to respond while protecting civil rights and privacy is a critical component of moving forward. It is incumbent on us to modernize the laws and regulatory framework to address the current and future threats to our democracy caused by the exponential growth and democratization of technology. This will not be easy in the area of cyberspace. There is much controversy surrounding the concept of hacking back and active defense. Questions surrounding accountability, attribution, and the retribution surface and are not easy to answer.
We have done this before by building a framework to help us navigate the most difficult challenges including how to manage the ethical use of nuclear power. Bottom line, the U.S. has not achieved anything close to deterrence in cyberspace. In spite of recent efforts to counter criminal hacking groups and bring them to justice, hackers are still targeting our nation’s critical infrastructure and private sector with impunity. Our elections, corporations, as well as state, local and federal governments are in our adversaries’ crosshairs.
We need leadership from Congress, partnership with the White House, and a bipartisan commitment to build a cyber security strategy which enables our nation to defend, deter and defend against these attacks, which so threaten our national security. This is not as our government mentors were fond of saying, like some fine wine getting better with age. Our elected officials from both sides of the aisle need to step out smartly and with the alacrity these threats demand.