All opinion articles are the opinion of the author and not necessarily of American Military News. If you are interested in submitting an Op-Ed, please email [email protected]
Recently, we wrote a summation of the Cybersecurity Solarium Commission’s report to Congress. There is much to admire in the Commission’s report, and we applaud and support the vast majority of the Commission’s recommendations. It is an important step to better secure cyberspace.
We do, however, wish to suggest the following to strengthen the report’s recommendations:
Expand the Definition of Critical Infrastructure. As used in the Commission’s report, and in cybersecurity circles generally, critical infrastructure is understood to mean the critical systems upon which our nation relies: power plants, water treatment facilities, airports, financial services, communications networks, election infrastructure, etc. This definition is not nearly broad enough. As seen during the COVID 19 lockdowns, critical infrastructure now extends to the apps, networks, and cyber ecosystems upon which we reply not only in our personal and business lives, but the traditional critical infrastructure providers increasingly reply on them as well. Our collective cybersecurity encompasses not only government and corporate networks, but on the individual Wi-Fi connections and cyber hygiene of every American.
Unity of Purpose. Current cybersecurity efforts are disjointed and spread throughout the bureaucracy, and oversight is spread among a cornucopia of Congressional committees. The Commission’s report recommends the appointment of a National Cyber Director, and the bureaucracy that comes with it, within the Executive Office of the President, along with the creation of Select Cybersecurity Committees in the House and Senate to better provide oversight.
We do not feel that there needs to be a new National Cyber Director as envisioned by the Commission. We believe that the position should be combined into a Deputy National Security Advisor and National Cyber Director, who can coordinate the cyber functions among the various agencies while ensuring that they are all pulling in the same direction. This would encompass the CISO currently at OMB, as well as the Director of CISA at DHS. In addition to coordinating the government’s defensive and offensive cyber functions, the new position would actively engage the business community, which owns the vast majority of our nation’s critical infrastructure, as well as educating the general public about the importance of cybersecurity.
We further recommend that a pillar of the nation’s National Security Strategy (NSS) be devoted to cybersecurity and protecting the nation’s cyber ecosystem. In the current NSS, there are essentially three pages devoted to cybersecurity.
As for the committees in Congress, we know that there are pros and cons for the creation of Select Cybersecurity Committees, but we think that if the position of National Cyber Director remains at the NSC, there is less of a need for the establishment of new committee structures.
More Robust Push-Back. The report advocates a “declaratory policy” of outlining how the US will push back against those who hack our critical infrastructure. Some critics of the report have said the proposed strategy is overly militarized at the expense of diplomacy and law enforcement actions that impose costs and consequences on those responsible for cyber attacks. We find merit in this. We agree that our cyber adversaries have had little to fear from the US in cyberspace, and propose these specific remedies to combat them:
- Define what we really mean. We have to date viewed cyber attacks, not even by a nation-state or a state-sponsored entity, as a nuisance rather than a form of warfare. Our posture has been that this is either “probing” our networks, or espionage. We believe we must be more precise. Surreptitious collection of information to support the production of intelligence products is espionage. Other activities that bear intent to act on an objective, both economic and non-economic—whether directly state sponsored, or vicariously enabled via asymmetric non-enforcement of laws governing criminal activity—are not purely espionage, but are rather on a continuum of war.
- Real consequences for cyber attacks. States or state-sponsored entities that attack the United States via cyberspace need to bear the label of criminal safe-haven states, and economic sanctions should be enacted to deter this behavior. To do so, we will need to introduce new, robust financial controls. We also need modern analytics in the banking industry and at Treasury to identify clear patterns of criminal activity and then actively disrupt these processes.
- Criminal networks, “hacktivists,” and hobbyists need to be actively confronted. This has long been a problem, but as the economic impact of COVID-19 endures, there will be an incoming wave of educated, motivated, smart people in many countries throughout the world that will be seeking new sources of income; this economic fallout combined with the commoditization of malware and phishing tools, is going to lead to further proliferation of criminal activity targeting US networks.
- Engage allies and friends. Our allies experience the same cyber attacks we do. We must work with them in a coordinated fashion to target, take down and prosecute those who launch cyber attacks, whether they are individuals or nation-states. At the same time, we need to ensure agreed-upon norms for behavior in cyberspace. This will involve governments, corporations, and individuals.
The cyber ecosystem now pervades every aspect of our lives. It is fragile and prone to attack. The Cybersecurity Solarium Commission has done us a great service in beginning to focus the attention of policy- and decision-makers to ensure that it is secure and contributes to our future prosperity.
Michael Krull is President & CEO of CRA, Inc., and an adjunct professor teaching politics and public policy at Georgetown University. He also participates as a lecturer for the Georgetown Global Education Institute, which brings senior government leaders from the Pacific Rim to the United States for short-term study tours.
Jeremy Turner is a cyber security researcher, dedicated and addicted to finding and solving new challenges in the cyber security world. His experience spans public, private, defense and intelligence organizations, both in the US and with many partners abroad. Currently, he is working to solve cyber risk by building advanced analytic tradecraft at San Francisco-based Coalition Inc.