As the world hunkered down in an attempt to slow the spread of COVID-19, the critical discussion of the United States' ability to fend off cyberattacks moved front and center with the publication earlier this month of a long-awaited report.
The so-called US Cyberspace Solarium Commission, a bicameral and bipartisan effort inspired by an Eisenhower Administration commission formed to tackle Cold War-era issues, dropped its 122-page report, mandated by the 2019 Defense Authorization Act, and the conclusions were grave, if not surprising.
"The US government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace," the report concluded. "We must get faster and smarter, improving the government's ability to organize concurrent, continuous and collaborative efforts to build resilience, respond to cyberthreats, and preserve military options that signal a capability and willingness to impose costs on adversaries."
The commission, which conducted hundreds of interviews and numerous stress tests during its investigation, recommends a new approach to national cybersecurity efforts that it has dubbed "layered cyber deterrence." Layered cyber deterrence would seek to reduce the probability and impact of future cyberattacks in three ways: by shaping behavior in cyberspace; by denying benefits to adversaries by shoring up the resilience of critical networks; and by imposing costs against those threat actors.
The report then goes on to make more than 80 recommendations grouped into six pillars. These pillars are as follows:
– Reforming the US government's cyber-structure and organization;
– Strengthening norms and non-military tools;
– Promoting national resilience;
– Reshaping the cyber-ecosystem;
– Operationalizing cybersecurity collaboration with the private sector; and
– Preserving and employing the military instrument of national power.
Hidden in all of this posturing language is an important message: Our national cyber-defenses are a disaster.
As if on cue, that message was driven home by events on the front lines, namely a cyberattack on the Department of Health and Human Services just days after the commission's report was published. While no data was compromised, and it appears the goal was simply to slow down HHS's systems, the idea that the nation's top health agency could be hacked in the middle of contending with the COVID-19 pandemic is an ironic development that should land heavily on Washington.
Seriously, if we're not adequately protecting our digital healthcare infrastructure now, then when?
The report throws out some controversial suggestions, such as the incorporation of the concept of "defend forward," which is essentially akin to performing military reconnaissance missions to gain insight into what the enemy is planning. It's a suggestion that a New York Times piece pointed out would create a self-conflicting aspect of federal cyber-policy.
"The United States has condemned foreign operations aimed at intruding in American networks to influence elections or penetrate energy grids," the Times piece stated. "But at the same time, the report calls for an acceleration of the American strategy of persistent engagement, in which Cyber Command and the National Security Agency go deep inside Russian, Chinese, Iranian and North Korean networks, among others, to see attacks massing or to take pre-emptive action to deter an adversary’s operations."
Potential hypocrisy aside, no one would argue with the larger notion that shoring up the nation's cyber-defenses is a good idea. In fact, perhaps a more considered and thorough cyber-defense policy would have helped minimize the emerging threat presented by so many federal workers being asked to work from home during the COVID-19 outbreak.
But there's a huge cloud that hangs over the discussion of shoring up federal cyber-defenses: Namely, the lingering question of complicity with certain kinds of attacks. Specifically, I'm talking about the ongoing speculation surrounding Russian hacking into our election systems in 2016.
Another Times report, this one from last year, detailed how White House Chief of Staff Mick Mulvaney told Kirstjen Nielsen, former head of the Department of Homeland Security, not to mention to President Trump her concerns about preparing for further attacks during the 2020 election. Mulvaney reportedly said that Trump equated any public discussion of Russian hacking into election systems with questions about the legitimacy of his presidency.
Let's face it: As long as our president isn't 100 percent behind cyber-deterrence, any policy is likely doomed to have holes in it. Here's hoping that reason prevails, and that the Cyberspace Solarium Commission's work is one day looked upon as a key moment in the evolution of our nation's cybersecurity posture.