Mark Testoni
It is said that the best way to lose the next war is to keep fighting the last one. The citadels of the medieval ages were an effective defense until gunpowder and cannons changed siege warfare forever. Battlefield superiority based on raw troop numbers ceded to the power of artillery and the machine gun.
During World War I, tanks were the innovation that literally rolled over fortifications built using 19th-century technology. Throughout military history, innovators enjoyed the spoils of war while those who took too long to adapt were left crushed and defeated.
Cyberwarfare is no different, with conventional weapons yielding to technologies that are just as deadly to our economic and national security. Despite our military superiority and advances on the cyber front, America is still fighting a digital enemy using analog ways of thinking.
This must change, and it begins with the government making some difficult choices about how to wield its offensive powers against an enemy hidden in the shadows, how to partner with the private sector and what it will take to protect the nation against hostile actors that threaten our very way of life.
Colonial Pipeline was one step forward, two steps back
In the aftermath of the ransomware attack against Colonial Pipeline, the Russia-linked hacking group known as DarkSide reportedly shuttered and the Federal Bureau of Investigation recovered part of the $4.4 million ransom that was paid. These are positive developments and an indicator that our government is taking these types of attacks seriously. But it does not change the fact that cyberterrorists, acting with impunity in a hostile foreign country using a technique that has been known for years, managed to shut down the country’s largest oil pipeline and walk away with millions of dollars in ransom payments. They will likely never face justice, Russia will not face any real consequences and these attacks will no doubt continue.
The reality is that while companies can get smarter about cyber defenses and users can get more vigilant in their cyber hygiene practices, only the government has the power to bring this behavior to a halt.
Countries that permit cybercriminals to operate within their borders should be made to hand them over or be subject to crippling economic sanctions. Those found providing sanctuary or other assistance to such individuals or groups should face material support charges like anyone who assists a designated terrorist organization.
Regulators should insist that cryptocurrency exchanges and wallets help track down illicit transactions and parties or be cut off from the U.S. financial system. Law enforcement, the military and the intelligence community should be aggressively working to make it so difficult, so unsafe and so unprofitable for cyberterrorists to operate that they would not dare attempt another attack against American industry or critical infrastructure.
Government must facilitate cooperation with private actors
Our biggest vulnerability and missed opportunity is the inability of public and private entities to form a unified front against cyberwar. It is essential from both a defensive and offensive perspective that the government and private sectors share cyber risk and incident information in real time. This is not currently happening.
Companies are too scared that in revealing vulnerabilities they will be sued, investigated and further victimized by the very government that is supposed to help them defend against attack. The federal government still has no answer for the problems of overclassification of information, overlapping bureaucracies and cultural barriers that provide no incentive to proactively engage with private industry to share information and technologies.
The answer is not to strong-arm companies into coming to the table and expect one-way information flow. Private actors should be able to come forward voluntarily and share information without having to fear plaintiff litigation and regulatory action. Self-disclosed cyber data made in real time should be kept confidential and used to defend and fight back, not to further punish the victim. That is no basis for a mutual partnership.
And if federal agencies, the military or the intelligence community have intelligence about future attacks and how to prevent them, they should not sit on it until long after it will do any good. There are ways to share information with private industry that are safe, timely and mutually beneficial.
Cooperation should also go beyond the exchange of cyber event information. The private sector and academia account for a massive amount of advancement in the cyber space, with total research and development spending split roughly 90%-10% between the private and public sector over the past two decades.
Our private sector — with technology companies employing the best and brightest spanning from Silicon Valley to Austin, Texas, to the technology corridor of Northern Virginia — has a tremendous amount to offer to the government yet remains a largely untapped resource. The same innovations driving private-sector profit should be used to strengthen national security.
China has already figured this out, and if we cannot find a way to leverage private-sector innovation and young talent in the United States, we will fall behind. If there has ever been a call to action where the Biden administration, Democrats and Republicans in Congress can set politics aside and embrace bipartisan solutions, this is it.
Look to the military-defense industry model
Thankfully, there is a model public-private dynamic that in many ways is working. Weapons systems today are almost exclusively manufactured by the Defense Industrial Base, and when deployed to the battlefield there is constant two-way communication with warfighters about vulnerabilities, threats and opportunities to improve effectiveness. This relationship was not forged overnight and is far from perfect. But after decades of efforts, secure collaboration platforms were developed, security clearance standards were established and trust was formed.
We must do the same between cyber authorities in the federal government and actors throughout the private sector. Financial institutions, energy companies, retailers, manufacturers and pharmaceuticals must be able to engage the government to share real-time cyber data in both directions. If the federal government learns of a threat group or technique, it should not only take the offensive to shut it down but also push that information securely and quickly to the private sector.
It is not practical for the FBI, the Department of Homeland Security or the military to assume the burden of defending private networks against cyberattacks, but the government can and should be a shoulder-to-shoulder partner in the effort. We must adopt a relationship that recognizes this is both a joint battle and burden, and we do not have years to get it right.
Call to action
When you look at the history of war, the advantage has always gone to those who innovate first. With respect to cyberwarfare, the solution does not lie solely in advanced technologies like artificial intelligence, quantum computing or blockchain. The most powerful development in today’s war against cyberterrorism might be as simple as what we all learned in preschool: the value of sharing and cooperation.
The government, the technology industry and the broader private sector must come together not only to maintain our competitive edge and embrace advances like cloud computing, autonomous vehicles and 5G, but to ensure that we defend and preserve our way of life. We have been successful in building public and private partnerships in the past and can evolve from an analog relationship to a digital one. But the government must take the reins and lead the way.
Comment