The US will publish its long-awaited cybersecurity strategy before the end of the year. Here’s what it should do.
When Russian government hackers compromised US software company SolarWinds two years ago, the attack underlined the central cybersecurity challenge: the public interest is vital but almost all infrastructure is private. This interdependence underlines why the government and the private sector must team up.
A 2020 report of the US Cyberspace Solarium Commission serves as a benchmark. It recommends “layered cyber deterrence” designed to raise the cost of cyber warfare for the attacker, while reducing the potential benefits of a breach. Public-private partnerships are needed to strengthen the private sector’s ability to detect and deter cyberattacks. Governments should back up these defenses by keeping open a threat of retaliation and constructing deterrent military capabilities.
The costs of cyber warfare must be raised to the point where all parties find it unacceptable. This strategy mimics the successful nuclear deterrence of the Cold War.
Critical government cyber institutions need to be beefed up. One is CISA, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Its EINSTEIN tool monitors the federal government networks for malware “signatures,” benefiting from access to signatures from both the private sector and U.S. intelligence.
In the SolarWinds case, though, the signature was new and went unrecognized.
EINSTEIN’s second line of defense notices unusual behavior on the networks, but that capability is limited. While the tool recognizes a thousand pings in an hour as an anomaly, it ignores the unusual size or other attributes of an update.
EINSTEIN needs to be modernized. So, too, does the CTIIC, the Cyber Threat Intelligence Integration Center, which connects intelligence to the private sector. It is underfunded.
Two immediate imperatives require legislation. SolarWinds underscores the need for increased transparency and accountability in IT supply chains. Companies must know and report where the software and updates come from, preferably not from Belarus as with SolarWinds. A good place to start is with government contractors since security suppliers are already held accountable. Beyond defense, frequent digital audits should be imposed on all government agencies and contractors.
Security breaches must be reported. While some requirements exist for companies to inform the Securities and Exchange Commission, they must be tightened to avoid that prisoner’s dilemma in which rational individual choices (not reporting so as not to advertise hacks to competitors) lead to irrational societal outcomes (too little defense). It would make sense to tighten reporting requirements with an organization such as the National Transportation Safety Board and allow authorities to investigate major breaches.
The creation of the new Office of the National Cyber Director offers an opportunity to improve cooperation across the public/private divide. If options in cyber defense range from prevention, to deterrence, attribution, remediation, and retaliation, the first two options may amount to much the same thing because attackers will strike where defenses are weak. So, too, the private sector will show little interest unless companies know enough to help law enforcement prosecute.
For the government, deterrence represents a complicated work in progress. International law regards attacks that do physical damage as a casus belli. In the wake of the 2021 hack of Colonial Pipeline, the US went on the offensive against ransomware attackers. The Department of Transportation issued an emergency declaration to create a virtual “pipeline” using other transport routes to carry a fraction of what the Colonial Pipeline would deliver. Most retaliation is likely to remain “naming and shaming” plus indictments of hackers, even if they cannot be extradited to face charges.
While bolstering domestic defenses, it is past time to work on the international dimension of cyber. The 2015 agreement between the United State and China to avoid conducting cyber espionage for commercial purposes shows some agreement is possible. The agreement reduced Chinese cyber operations until Sino-American relations turned poisonous. At some level, China, Russia, and the US realize that an uncontrolled escalation of cyber warfare is undesirable.
High levels of suspicion and a dearth of goodwill between the US, China, and Russia block new deals. The anonymous nature of cyber operations excludes the possibilities of effective verification, let alone enforcement.
Under these circumstances, the United States should start with like-minded partners to frame the rules of the road. One recent report recommends building on existing agreements, such as the US-Mexico-Canada Agreement. The goal should be to ensure the free flow of data across borders, outlaw data localization, and ban requirements to share source codes, algorithms, or other intellectual property.
Gregory F. Treverton is co-founder and chairman at the Global TechnoPolitics Forum. He stepped down as chairman of the U.S. National Intelligence Council in January 2017. He is a senior adviser with the Transnational Threats Project at the Center for Strategic and International Studies (CSIS) and is a professor of the practice of international relations and spatial sciences at the University of Southern California.
Pari Esfandiari is the co-founder and president at the Global TechnoPolitics Forum. She is a member of the advisory board at APCO Worldwide and served on the at-large advisory committee (ALAC) at ICANN. She is a nonresident senior fellow at the Atlantic Council’s GeoTech Center. She is a serial entrepreneur, internet pioneer, and an avid environmentalist.