SolarWinds hack shows we need a ‘whole of society’ national cyber strategy
By now you have probably heard of the SolarWinds hack, reportedly attributed to a Russian hacking group (Cozy Bear or APT29), that used a compromised vendor platform to exploit networks across the U.S. government and possibly the private sector. Sadly, there is a poignant parallel to the current COVID-19 crisis. Individuals can take extensive precautions to protect themselves, but if others are lax, ultimately it puts everyone at risk.
The same is true for cyber. As showcased by the SolarWinds hack, the cybersecurity of government agencies, Fortune 500 companies, and other businesses and institutions is directly tied to downstream providers. This means that even a “whole of government” approach is not sufficient: The U.S. desperately needs a national cyber strategy aligned with a “whole of society” approach.
Fortunately, there is already a roadmap for much of this work via the Congressional Cyberspace Solarium Commission, and it is critical that Congress and the incoming Biden-Harris administration do everything possible to implement the commission’s recommendations. This includes creating, nominating and confirming a National Cyber Director, as well as providing further resources and powers to the Cyber & Infrastructure Security Agency (some of which is included in the 2021 National Defense Authorization Act).
Furthermore, it is critical that as part of the Biden-Harris administration’s commitment to prioritize cybersecurity there must be a focus on securing America’s digital supply chain. The hallmark of the U.S. economy is the open market which enables innovation — that cannot and should not change, but it should be balanced with national security priorities. To do this, the Biden-Harris administration can:
- ensure that products in the federal, state, and critical infrastructure pipelines have a clearly documented hardware and software supply chain;
- expand the use of Small Business Innovative Research funding and ‘Other Transaction’ agreements — via government organizations like Department of Homeland Security’s Science and Technology (S&T) Directorate, AFWERX, AFVentures, Army Futures Command, among others — to grow the domestic production of components critical for current and future technical innovation;
- invest in cyber literacy and education programs, especially for small- and medium-size businesses, and
- explore ways to incentivize the baking of security into development, via the implementation of DevSecOps best practices, across the private sector.
Internationally, as the Biden-Harris administration weighs how to ramp up deterrence efforts to better protect the nation from acts of cyber espionage and cyber aggression, the administration must also leverage soft power to further American interests vis-à-vis the digital supply chain. This includes promoting international supply chain transparency norms such as a bill of materials for all products and exports, as well as identifying development/economic mechanisms (such as most-favored nation status) to incentivize allied nations to invest in securing their companies and supply chains.
Make no mistake, this will not be easy: It will require White House leadership, Congressional legislation and appropriations, cross-agency and cross-sector buy-in, public education, diplomatic initiatives, and a fundamental re-think on the relationship between technology, innovation and security. Yet, for the sake of its national and economic security it is critical the U.S. get it right. Failure to do so risks future compromises the likes of SolarWinds, as cyber has shown itself to be a valuable tool of statecraft that can be calibrated to fall below the red line of an act of war.
If foreign adversaries like Russia and China are able to continue to gain access to U.S. data, intellectual property and/or information regarding government decision-making, it will harm the long-term ability of the United States to compete economically, diplomatically and militarily.
It is paramount the Biden-Harris administration work domestically and internationally to secure the digital supply chain by employing a national strategy rooted in a “whole of society” approach. As evidenced by the COVID19 crisis: a national strategy is critical, the absence of one is devastating.
Camille Stewart is a Cyber Fellow at Harvard Kennedy School’s Belfer Center for Science and International Affairs and co-founder of Diversity in National Security Network. She served as senior policy adviser for cyber infrastructure & resilience policy at the Department of Homeland Security under President Obama. She serves on the Board of Directors of Girl Security. Follow her on Twitter @CamilleEsq
Daniel (Dani) Charles is the CEO and co-founder of Charles Bernard Ventures, where he supports private and public initiatives at the nexus of technology, innovation and security. Charles was previously a Cybersecurity Fellow at New America. Follow him on Twitter @Dacharl