Cybersecurity — the rest of the iceberg
I began coding for the first time in the mid-1970s in the U.S. Naval Academy as a midshipman using cardboard punch cards to write the simple languages of Basic and FORTRAN.
The idea of teaching young officers coding at the time stemmed from the belief that eventually the U.S. Navy would be using high-powered computers in our warships. Computing was then just beginning to impact the business sector broadly as well. Even in those long-ago days, it seemed to me that if this “computer” thing was really going to take off, it was going to require the participation of not just the military, but the commercial sector as well. Obviously, at that time the internet was just a gleam in Al Gore’s eye. No one could then have imagined how intertwined our military, economy and society would become with the internet of things.
As we enter 2021, almost half-a-century later, we know that a world in which 50 billion devices are connected to the internet is a world of extraordinary convenience, limitless knowledge and computational power — but also a world with a vast threat surface. We therefore must make sure the nation is prepared for cyberattacks, and protecting the frontlines will clearly require private-public cooperation. To do this most effectively, we must move the nascent public-private partnership model beyond basic information-sharing to true operational collaboration, with the government and the private sector working shoulder-to-shoulder. Only then can we understand, prevent, defend against and indeed preempt attackers. The recent bipartisan and highly-regarded Cyberspace Solarium Commission study has powerfully and recently validated this private-public approach.
The threat is real and growing. Over the last 20 years, cyber threats have become a major concern for every government, and activities conducted by hackers have morphed into rampant cyber-criminal enterprises threatening financial accounts and other critical infrastructure here in the United States and abroad. Hostile state actors and international dissident hackers target information in email accounts to cause embarrassment and seek to influence all manner of audiences. Cyber theft is a trillion-dollar business. Cyber espionage has become a major element of international competition, with Chinese cyber espionage executing the greatest transfer of wealth in history, according to some observers.
Fortunately, we’ve yet to see the full systemic risk of cyberattack come to fruition. While disruptive attacks have occurred, generally and most effectively conducted by nation-states, they have to date been targeted at single institutions. Indeed, thus far, the attackers have seemed more intent on signaling than significant political coercion or long-term damage. Even the extended series of Iranian-sponsored denial of service attacks against U.S. financial institutions in the 2012-2013 timeframe never caused major disruption, and did not leverage the disruptive capabilities available now. But the warning flags are snapping in the breeze, as we would say in the Navy.
Faced with these challenges, the largest banks in the United States came together and formed the Financial Services Analysis and Resilience Center (FSARC) in 2016, where I served as a senior advisor. The idea — a very good one — was to bring their significant resources together collectively, then strengthen collaboration with the federal government to protect the financial sector. Since October 2016, FSARC has changed the game in how its members work together and also with the government in defending the financial system against cyberattacks. Over the past few years, the financial sector has moved from relatively simple information-sharing to real operational collaboration. This has been based on joint identification of systemic risks and focused projects to mitigate those risks — including a great deal of positive interaction with the intelligence community and the U.S. Department of Treasury. This has, for example, led to the establishment of an “early warning system” for emerging cyber risks.
But the cyber caution light is still blinking red, and not just in the United States but in our alliance structures internationally as well. I saw that most recently as the supreme allied commander at NATO, and later as dean of The Fletcher School of Law and Diplomacy at Tufts University, where we built a cybersecurity Master’s degree program. In response to that blinking caution light, the FSARC has just broadened its mission and changed its name to simply the Analysis and Resilience Center for Systemic Risk (ARC), where I serve as senior advisor. In its new incarnation, it will seek to work not only with the financial services sector, but with other critical areas as well. This will initially include energy (gas and electric). Over time, it will hopefully come to include communications, water distribution and management, critical transportation networks, the national medical system and other sectors. Each of the individual sectors (financial, energy, others over time) will feed information into the Joint Intelligence and Analysis fusion cell. This entity will have cross-sector operational collaboration with industry partners and the U.S. government.
The ARC’s broadening mission is timely for President-elect Joe Biden. As he and his advisors reinvigorate — and elevate — U.S. cyber policy, it will illuminate critical intelligence gaps in understanding systemic threats to critical infrastructure emanating from adversarial cyber actors. The ARC is uniquely positioned to partner with the U.S. government to bring the power and scale of private sector operators of critical national infrastructure to bolstering the nation’s defenses.
Cybersecurity can only be achieved by a massive effort — like the power of an iceberg. But the government effort is only the tiny part of the iceberg that sticks up above the surface of the sea. The enormous mass of the iceberg is the private sector — it is largely unseen, but constitutes the real scale of the capability to defend the nation’s critical infrastructure in cyberspace. Creating the ARC is a necessary and timely decision to harness “the rest of the iceberg,” and over time will significantly improve the nation’s cyber defenses.
Admiral James Stavridis was the 16th supreme allied commander at NATO and the 12th dean of The Fletcher School of Law and Diplomacy at Tufts University. A nationally recognized expert on cybersecurity, he teaches the subject at Deloitte University and frequently speaks on national security in cyberspace. He is a senior advisor to the ARC.