EXPERT POINT/OPINION — After the cyber attacks in early 2021 colonial pipeline leading to widespread gas shortages on the US East Coast, the US government (USG) has taken specific steps to ensure that ransomware attacks on critical infrastructure must be treated as national security issues. In October 2021, the US government deployed additional resources at the Department of Defense and brought in foreign partners and the private sector to fight one of the most destructive ransomware gangs, REvil.
The entire approach of the US government is based on close cooperation with the private sector and multi-country efforts to modernize the protections and disrupt the infrastructure and actions of malicious cyber-attacks and ransomware groups. This is a recognition that the confrontation with cyber adversaries is not directly kinetic, but the hybrid nature of the “war”.
Unlike previous iterations of the war, the methods used by the enemy today to undermine stability in the United States are economic in nature. The attacker targets, among other things, the private sector and steals intellectual property, attacks our supply chain and disrupts, often critical infrastructure, 80% of which is owned by private companies.
At the beginning of 2021 New Yorker reports that 90% of US companies have been hacked. In September 2021 Fox News reported that the number of organizations affected by ransomware attacks jumped 102% compared to the start of 2020. The performance of the cyber insurance industry has grown to the point where companies are now treating the issue as a business operation issue: Are they spending millions on protection? and insurance, or spending millions on ransom payments?
A strong defense is important but not enough: no football team has ever won a match by playing in the defensive third of their field. Likewise, a strategy based on the expectation of submission will not win. One thing is clear: the risk of inaction and maintaining the status quo is untenable in light of the explosive cases of hacking of the US private sector and the detrimental consequences for our economy as a whole.
The exponential growth of hacker attacks against the US private sector raises the question of how we should respond. If it was a terrorist attack, the rules of combat would be clear. But cyberspace is an unregulated playing field that can be exploited by attackers. Too often the assumption is made that there is a rule-based order in cyberspace, but the truth is that there is none. The story that imposing our values in determining the way forward somehow destabilizes the world hacker order is false.
In fact, since technology is independent, and human motivation and intent determine how technology is used, the US and its like-minded foreign partners must impose their values when shaping the rules of engagement. It is our responsibility to set the tone and impose our values in order to create a structure acceptable to the US. We must remember that China and Russia outnumber us—the values that drive the use of technology to move forward must replicate our core values of respect for civil liberties and human rights.
Cipher Brief Subscriber+ members receive exclusive expert briefings from members of our expert network. Switch to Subscription + today.
All the topics that are at the center of the discussion boil down to one thing: the winner in this hybrid “war” in cyberspace will be the one who outwits his opponent. Breaking down the barriers between the public and private domain and academia will provide ample opportunity to leverage best-in-class technologies, capabilities and approaches at any given time. A governance structure that is effective in providing a method of coordinating and resolving conflicts between partners, likely with intelligence support, as well as clearly defined roles and responsibilities, will allow the best positioned partner to respond and act on behalf of the team in a coordinated manner. This increase in gray noise will have its pros and cons. For example, IC CNO/CNA activities may be easier to fit into the environment, but this may increase the incidence of false attribution to innocent third parties. These are complexities that the governance structure will seek to address and repeat.
Modernizing our laws to enable us to respond to protect civil rights and privacy is a critical component of moving forward. We have an obligation to modernize our laws and regulations to counter the current and future threats to our democracy caused by the exponential growth and democratization of technology. This will not be easy in the field of cyberspace. There is a lot of controversy around the concept of hacking and active protection. Questions about accountability, attribution, and retribution come to the surface and are not easy to answer.
Join the Cyber Initiatives Group at the first summit of 2022 with a director including General Keith Alexander, Hon. Susan Gordon, Dmitry Alperovich, General David Petraeus, CISA Founding Director Chris Krebs and others. Registration for this virtual event on February 9th is free. Get ready to think differently.
We’ve done this before, creating a framework that will help us deal with the toughest issues, including how to manage the ethical use of nuclear energy. As a result, the US has achieved nothing close to deterrence in cyberspace. Despite recent efforts to counter and bring criminal hacker groups to justice, hackers continue to attack our nation’s critical infrastructure and private sector with impunity. Our elections, corporations, and state, local, and federal governments are targeted by our adversaries.
We need congressional leadership, partnership with the White House, and a bipartisan commitment to developing a cybersecurity strategy that will enable our nation to defend, deter, and defend against these attacks that threaten our national security so much. It’s not like our government mentors liked to say that good wine only gets better with age. Our elected officials on both sides of the aisle must act wisely and with the readiness these threats require.
Listen to The Cipher Brief’s Open Source Podcast, a collection of open source everyday stories that impact national security, with your hosts Brad Christian and Suzanne Kelly. Subscribe wherever you listen to podcasts.
Learn more about expert findings, perspectives and national security analysis in The Cipher Brief