“Houston, we have a problem.”
The massive hack of our nation’s government and industry by the Russians, revealed late last year but still being investigated and corrected, reminds us of those famous (albeit slightly modified) words from the ill-fated Apollo 13 mission. Our nation’s computer systems have been essentially owned by our enemies for the better part of a year, and it appears these hackers are so deep in our networks that it will be difficult to root them out any time soon. While they may not have penetrated classified networks, at least so far as we are aware, it seems clear that the depth of penetration they did achieve is likely to have bad consequences for our national security.
Moreover, even though it does not appear that the Russian hackers manipulated or destroyed data, or “bricked” systems, the fact that they could hold us at risk to do so means this hack still could get much worse and turn into an actual — and far more serious — cyber attack.
This is bad enough on its own, to be sure, but it also highlights a larger problem: We are fundamentally unprepared to defend our nation in cyberspace. In many ways, this incident should be a wake-up call for all of us in the public and private sectors. We must get significantly better, and must do so now.
Although some organizations did detect key aspects of the threat, at a macro level, both government and industry fundamentally missed the enormity of this hack for months while it was ongoing. Even more concerning, many organizations remain hamstrung in their ability to find these hackers now, even as we know they are on the inside, hiding in the increasing complexity of our networks. Likewise, as a nation, we have yet to do an effective job of gathering intelligence on cyber threats, sharing it at scale in actionable form, and collaborating across the public and private sector to defend ourselves, even as we know we are under continuing threat. While we have long talked about the need to do more on cyber defense, we simply haven’t given our people the resources, tools and authority to do the job.
Nearly a decade ago, then-Defense Secretary Leon Panetta said it was the responsibility and mission of the Defense Department to defend the nation in cyberspace. Yet today, while we have made significant progress in creating the U.S. Cyber Command and giving it authority to defend forward and persistently engage our enemies in cyberspace, our nation’s defenders are still unable to see the full picture of threats coming at us in the cyber domain. Worse still, they are limited in their ability to stop them once here, even if they could see them. If we really want the government to defend our nation in cyberspace — and this recent hack suggests we should do more on this front — we need to give our national defenders the people, capability, resources and legal authority to do just that.
Specifically, we should clarify who does what in the government, with the Department of Homeland Security leading on civilian government infrastructure and national resiliency and incident response, the FBI taking the helm on law enforcement and domestic threat response, and Cyber Command having authority over nation-state threats and overseas responses. We need to ensure that each agency has the resources and authorities to take the lead in its respective area and to collaborate with the others — without restriction — to effectively execute those missions.
In addition, we must ensure that the shifts we made post-9/11 to allow our intelligence community to collect on the threats posed by terrorists likewise apply — in an effective, usable manner — to tackling the reality that cyber hackers use our own infrastructure against us every day. And we must realize that we simply can’t hire our way out of this problem: Given the exponential speed at which the threat is growing, there just aren’t enough qualified cyber defenders to protect us today, at least not without better tools. That means both the public and private sectors need to invest in technologies that scale and adapt to the threat we face, making our defenders better, while also ensuring we are training a strong, diverse workforce of defenders for the next generation.
In a broader sense, we must recognize that we have yet to make the fundamental paradigm shift to collective defense that the Cyberspace Solarium Commission and others long have advocated. We know a strong offense always wins and, in the cyber domain, we know it is the height of folly to expect private companies to go up alone against nation-states, with their virtually unlimited resources and manpower. Even though we are being targeted by our enemies, we continue to defend in silos, with each company and government agency focused principally on its own defense.
Collective defense is what is needed. No longer can we reasonably expect a single company to effectively defend itself against nation-state actors like Russia. We must work together, across companies, sectors and with the government, to identify threats at scale and speed. If we are to truly succeed in this effort, we must build on the progress made by Congress in 2015 to permit the broad sharing of cyber threat information, and we must now incentivize the public and private sectors to collaborate on knocking those threats down.
The government should be given a mandate and the resources to collect on public and private cyber threats globally, to share that information rapidly and in actionable form, and to collaborate with the private sector, empowering it to stop threats dead in their tracks. Likewise, we should further incentivize the private sector to do the same, providing them additional protection against lawsuits and government regulation when they share cyber threat information and collaborate. This can all be done effectively and at scale without sacrificing the civil liberties and privacy of Americans, by appropriately anonymizing the information being shared and leaving it to the information-holders to disclose more as needed to protect themselves or the broader community.
We must make this latest incident a true turning point — an opportunity to begin a new day for our nation in cyber defense, one that sees us truly unite in protecting ourselves (and our allies) against this evolving scourge, as we have done so many times in history. This is what we Americans are particularly good at: identifying a problem and working together to solve it. Now is the time to make that happen.
Gen. (Ret) Keith B. Alexander is the former director of the National Security Agency and founding commander of United States Cyber Command. He currently serves as chairman, president and co-CEO of IronNet Cybersecurity, a start-up technology company focused on network traffic analytics and collective defense.
Jamil N. Jaffer is the former chief counsel and senior adviser to the Senate Foreign Relations Committee and served in senior national security roles in the Bush Justice Department and White House. He currently serves as senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity. Follow him on Twitter @jamil_n_jaffer.