Cyber intrusions are endangering American security, even more than most Americans know. We cannot become accustomed to accepting this risk as the cost for the marvelous machinery of the Internet. We can be more secure as a nation and internationally if the Biden Administration takes bold leadership in two areas: First, to shift our policy posture from end-user defense to coordinated detection and response; and second, to begin new initiatives that would align business incentives with national security priorities and further define and implement international cyber ‘rules of the road.’
Everyone knows the internet is not secure – and the burden has fallen on users. Cyber is the new weapon of mass disruption but can also become a weapon of mass destruction.
Today with computer devices not just in our hands but also on/in our bodies as well as in our homes and cars, individuals are increasingly vulnerable to dangerous cyber intrusions – from eavesdropping to actual tampering. Traditional understandings of an expectation of privacy are increasingly antiquated. Businesses and government are continually at risk, with access to systems and accuracy of data too often left to chance.
The challenge is real, growing and crossing nearly every domain and level of American life and governance:
- Individual Americans, even the more technically savvy, are often unaware of their vulnerability and the solutions. Despite the FBI warning in 2018 of Russian intrusions into routers, how many people could actually identify their router to reset it? Even the simplest hygiene can be too complicated for most.
- Critical infrastructure in public and private hands is under attack. TheUS Department of Homeland Security alerted everyone in 2018 and 2019 to Russian intrusion into US critical infrastructure’s industrial control systems and Chinese infiltration of managed service providers, on whom many businesses rely for IT services. In 2018, the US Department of Homeland Security designated election systems part of America’s critical infrastructure.
- States are in a particularly tough spot. State and local governments are similarly having to spend much money and time to protect their IT and OT systems and in some cases pay ransoms; 2019 was a banner year for ransomware attacks according to a Deloitte report. State governments need to focus more on managing this threat but are already financially challenged due to the pandemic and rarely have the expertise to match sophisticated state actors. The federal government has tried to help, including by providing funds to update local election systems. While some election vulnerabilities persist and not all updates are complete, federal officials helpfully asserted that the 2020 election was secure and the courts have agreed that voting was accurate.
- Bigger issues are not just around the corner – they are here. The potential for GPS disruption, weapon system infiltration, and electric grid compromise are no longer wild fantasies, while the chaos of the COVID crisis has presented new opportunities to threat actors. State-affiliated groups are targeting vaccine researchers and related enterprises, and already-stressed hospitals face increased attack. Nation-states and individuals have successfully executed brazen attacks on federal government offices that continue today.
Spending is not matched to the risk. Past presidents’ cyber strategies have presented important but incremental shifts in approach. Cyber funding for federal government agencies is not insignificant, a little less than $19 billion annually, but half of that goes to the Defense Department. Given the variety of public infrastructure and private entities already under cyberattack, this is insufficient. Yet we will spend $50 billion annually on US nuclear forces, well beyond what is necessary to maintain an effective deterrent. In other words, there is a clear mismatch between risks and budget priorities. But it is not all about money; strategic approach matters.
Current incentives do not punish irresponsible actors. For most companies selling hardware and software, it is “buyer beware.” Few repercussions accrue not only to the vendors of insecure products and services, but also to those retailers and service providers who pass on those insecurities through their interactions with customers and supply chains. A whole system of insecurities is embedded – and accepted – in the cyber world with criminals and States undeterred.
The US is at a disadvantage when others use state cyber resources for corporate espionage. Of course, the US is not innocent of initiating cyber incursions itself; the National Security Agency has been ahead of others in cyber capabilities. Yet the US government does not engage in the type of corporate cyber espionage that China does, stealing intellectual capital and passing them to preferred companies. That is a policy the US is rightly unlikely to embrace. Unfortunately, this asymmetry means that the US writ-large, with its advanced systems and high dependence on IT, has both a broader attack surface and much of it is effectively outside the protection of government. Relying on inconsistent and uncoordinated private sector investment to keep all the holes plugged is unsustainable — especially when there are few business incentives for success. The case for a more robust federal role is clear.
The broad U.S. approach to cyber security is defensive at a time when offensive tools are stronger. Today, we try to prevent effective attacks by relying on end-users to decrease their vulnerability. The problem with this approach is that repeated experience and research show end-user education is insufficient, and systems across businesses and governments are not agile enough to keep up with new patches and evolving threats. It is a purely defensive approach which burdens the novice and advantages the offense. Furthermore, there is no clear way to measure when an organization has spent “enough” on cyber security. Security is complex, involving systems of potentially vulnerable hardware, software, and people, with some of those vulnerabilities built in – carelessly or intentionally.
There are strong and coherent proposals waiting for presidential leadership.
- In Congress: The Solarium Commission, a Congressional body established in 2019 to find consensus around approaches to managing cyberspace risks, presented its recommendations earlier this year, including a large basket of legislation. It has recommended, among many other good proposals, that final goods assemblers – the software and hardware firms and assemblers – be held liable for negligent actions and that a National Cybersecurity Certification and a Labeling Authority be established.
- In States: California is the first state to set any performance standards for internet goods and services providers. Its 2018 Consumer Privacy Act and a 2020 ballot initiative went beyond some of the new European data protection requirements, requiring all businesses with California customers to let those customers prevent the saving and sharing of their information. If one’s information is not sold or shared, it is less available for compromise. In addition, California requires some minimum “reasonable” requirements of so-called “smart” devices. Similar laws should be considered at the federal level.
- In the United Nations: While the US and Russia have taken different approaches to this issue, France, Egypt and 45 other States have proposed a “Program of Action” to start implementing already-agreed norms on State-behavior in the context of international security. Other UN efforts, including the ad hoc committee to look at criminal cybercrime, need strong US support.
Others, from international commissions to tech companies to academia and NGOs, are full of advice. Given the urgency of the cyber risks and limited resources, sorting and assessing existing recommendations and prioritizing support are critical.
The President should:
Develop a framework for assessing national cyber risks, then fund strategies to managing them. Such a national risk assessment should reveal that the current National Cyber Strategy embraces approaches that may be necessary but rapidly becoming insufficient. Critical questions remain unanswered: How much is risk reduced by the strategy and is the residual risk acceptable? How can those remaining risks be better managed? This will likely require diverting funds from other defense-related investments so we can address the current soft war of cyber as it relates to past and future kinetic wars.
Lead a shift toward a posture of detection and response. Ultimately, preventing all attacks is impossible given current technology. Deterring an attack with good defense can help, but the necessary and fundamental posture change is towards detection and response to attacks. It was a hopeful sign that prevention is not even part of the NIST Cybersecurity Framework first developed under the Obama administration and updated under Trump — that mindset must be solidified in policy and practice.
Shift the responsibility away from end users and onto more capable entities. The next administration will need to have difficult conversations with the private sector about shifting some responsibility and liability from the users of internet goods and services to the providers. We will need to develop guidelines for trust in businesses, including those foreign-owned, and begin to set basic standards for security and approaches across a range of sectors, from social media platforms to equipment and software providers. This will be the work of years; the sooner we start the better.
Elevate the international discussion over cyber norms. The President needs to raise the priority of international discussions on cyber norms. Too often, our leaders and policies presume cyber intrusions are a cost of doing business rather than the trespass and theft that they are. The president could do much to change this perspective. The US should seek better international collaboration to define norms and applications of international law and seek coordinated approaches, stronger laws, and increased enforcement actions. Of note as well is the open question of what counts as an act of war in cyberspace. The US will have to work with allies and adversaries to develop approaches, issue joint policy statements and then, working with many stakeholders, act forcefully against threat actors.
Don’t put cyber on the backburner; it is an urgent problem. The Biden-Harris administration’s initial priorities in “Build Back Better” are necessary and immediate. But cyber issues cannot be backburnered for long. Even in the short term, they will have to be addressed as the incoming administration’s infrastructure development priorities include, for example, providing broadband across the US.