Gilman Louie on what this current administration must address in order to meet the growing cyber challenges of the 21st century. This article was originally published on The Cipher Brief.
U.S. failure to fully develop and implement a comprehensive cyber security strategy created the perfect opportunity for Russia to attack the Democratic National Committee computer network, and enabled them to meddle and interfere with the U.S. presidential election.
Years of bickering by federal agencies – over which agency was in charge, who had which jurisdictions, who was going to pay, what information could be shared, what should be the role of the private sector, privacy and liability concerns, and who should be accountable – has left the United States with numerous cyber vulnerabilities, so that any country, non-state actor, or trained individual with reasonable skills can attack this country with little to no consequence.
Our country has failed to take the necessary actions to protect and secure its digital infrastructure and assets. Over 80 percent of U.S. businesses are hacked every year; some of our most valuable military technologies, data, and intellectual property have been stolen; and 21.5 million personnel records, including numerous caches of security clearance information, have been hacked. This is not the result of technology failing, but of failed policies and leadership.
These failures have created a window for emboldened hackers. Countries, as well as non-state actors, no longer attempt to cover their tracks. The lack of sufficient consequences, combined with increasing profitability, has made attacks on high value targets in the United States something to brag about.
While there have been numerous cyber commissions, working groups, task forces, studies, and plans – such as the Cybersecurity National Action Plan of 2016, Commission on Enhancing National Security, Comprehensive National Cybersecurity Initiative, National Cyber Incident Response Plan, and National Strategy to Secure Cyberspace – as well as thousands of recommendations over the past 15 years, our country is more vulnerable today to cyber attacks, espionage, influence, ransom, and theft than it was 15 years ago.
This month, the Center for Strategic and International Studies Cyber Policy Task Force released a cybersecurity agenda for the 45th president This task force grew out of years of frustration over the lack of an effective national effort to protect cyberspace, and the growing concerns around cyber risks and vulnerabilities. Comprised of the leading cybersecurity experts from industry, academia, and government, the task force’s goal is to help the Administration establish a robust and effective plan that will create a secure and stable digital environment that supports continued economic growth while protecting personal freedoms and national security.
The task force laid out five vital recommendations that the new Trump administration must address in order to meet the growing cyber challenges of the 21st century:
1. Create a new international strategy that accounts for a very different and dangerous global security environment.
2. Make a greater effort to reduce and control cybercrime.
3. Accelerate efforts to secure critical infrastructure and services, and improve “cyber hygiene” across economic sectors.
4. Identify where federal involvement in resource issues – such as research or workforce development – is necessary, and where such efforts are best left to the private sector.
5. Consider how to organize the United States to defend cyberspace. It must either strengthen DHS cyber authorities and capabilities or create a new cybersecurity agency.
A key aspect is how the new administration will deal with foreign adversaries. The report points out that the key to a robust cybersecurity system lies with changing the behavior of hostile states. We must establish new norms for responsible state and company behavior, build cybercrime-fighting cooperation, and shape opponent behavior through interaction and consequences. Changing the behavior of our cyber opponents will require a more serious and sustained effort than anything we have seen to date.
The report also points out that the line between attack and espionage has blurred as America’s principle cyber opponents – Russia, China, Iran, and North Korea – now use cyber actions against domestic U.S. targets for coercive effects. While these highly damaging cyber actions fall below the threshold for the use of force derived from international law and practice, they do fall into the categories of covert action and cybercrimes. In many cases, these actions are designed to damage the political independence of the United States. While most nation-states recognize that cyber espionage is “standard behavior” by intelligence services throughout the world, it does not mean that the United States should continue to allow these activities to persist. Our response to these actions must be proportional, swift, and effective. The report clearly makes the case that “one great power does not let another ‘disrespect’ it without penalty, unless that power is in decline.”
The task force further points out that we need to expand deterrence measures and create effective consequences for cyber attacks. But deterrence cannot rely solely on the use of – or threat to use – military force. We need security countermeasures that enable the United States to retaliate in a way that does not necessarily involve the use of force. The most effective deterrent actions to date have been the threat or use of sanctions and indictments. A great example was the case of dealing with China. The threat of sanctions and indictments led the Chinese to agree to end corporate espionage.
On cybercrime prevention, the task force recommends that the administration take a more assertive approach. Currently, the United States depends on international cooperation in order to have effective prosecution. The current mechanisms for this cooperation are outdated and have limited effectiveness. Over the past 15 years, 50 countries have signed the Budapest Convention on Cybercrime, which provides a legal framework for prosecuting cybercrime. Unfortunately, key nations such as Russia, China, India, and Brazil have refused to sign. The taskforce recommends that the new administration break the Budapest Convention stalemate by penalizing countries that refuse to cooperate with law enforcement. Nations that don’t cooperate could be blacklisted. The new administration should develop a portfolio of punitive responses for malicious cyber action and we must also find a new negotiating vehicle that preserves the benefits of the convention but re-engages Brazil, India, and perhaps China by giving them a voice in how cybercrimes should be handled.
We need to raise the cost for attackers through proportional responses, and by making attacks more difficult to execute. We must also develop measures that impede the monetization of stolen data and credentials, develop techniques that either paralyze the attacker’s infrastructure or divert their resources to defense, accelerate the use of multifactor authentication to reduce anonymity and improve attribution, find better ways to counter and disrupt botnets, and improve cyber hygiene through the creation of standards and performance metrics.
The Trump administration vowed to strengthen the government’s cybersecurity capabilities and to make it a top priority. Trump has appointed Rudy Giuliani as his cybersecurity advisor, is in the process of establishing a cybersecurity committee, and has promised a cybersecurity report in the first 90 days of taking office. One of the most important considerations is which agency should be put in charge, what authorities and resources it should be given, and how will it execute its mission.
While the Department of Defense and the FBI play vital roles in defending the country against cyber attacks, the agency that plays the leading cyber role should not be either a military or law enforcement agency – it should be under civilian control. The best approach is to strengthen DHS by taking three critical steps: define and focus the DHS cyber mission; create the National Cybersecurity Agency as an independent, operational component at DHS; and strengthen other key agencies such as the State Department, FBI, Commerce Department and the Intelligence Community.
Information sharing is a critical component of any cybersecurity strategy. It goes beyond just sharing across federal government agencies or sharing with state and local authorities, and requires stronger coordination with the private sector. The Cyber Threat Information Integration Center, established under the Director of National Intelligence needs an expanded role similar to that of the National Counterterrorism Center. The CTIIC should support the White House on strategic operational planning, enable intelligence sharing, develop and maintain plans for countering cyber threats, and red team scenarios while developing plans to address their findings.
The new administration should learn an important lesson from all prior attempts to develop a comprehensive national cyber strategy: time is the enemy. New disruptive technologies and rapid innovations on the Internet can rapidly outdate even the best of plans. Strategy must be developed and implemented quickly – and be replaced just as quickly when circumstances warrant it.
Cyberspace has become the central global infrastructure. It continues to grow in importance as every year billions of new devices become Internet-enabled, machine intelligence gets imbedded, big data and data analytics expand around us, and our physical world becomes more and more dependent on it. Unfortunately, cyberspace is not secure and the risk continues to grow. Our opponents currently have the advantage, yet we can take that advantage away if we are truly committed to doing so. It will be painful, difficult, expensive, and disruptive to dramatically improve our nation’s security, but the cost of not doing it will be orders of magnitude greater.
The Trump administration must live up to its promise to make cybersecurity a high priority and to develop and act on a plan within the first 90 days of taking office. Quite frankly, the country does not need yet another cyber study or commission. What we need leadership, vision and action.
Gilman Louie served on the CSIS Cyber Policy Task Force.
