Pipeline attack was a warning: Stop cyber threats, or suffer a disaster
We saw and felt the potentially massive impact that a nation-state cyber attack can have on our economic and national security over the past week. Gas prices shot up nationally when people hoarded fuel following what appears to be a financially motivated ransomware attack on a major oil pipeline operator. And this all happened when the operator actually acted affirmatively to get ahead of the threat, by shutting down the pipeline to protect it.
It takes little creativity to assess what might have happened had the attackers focused on actually creating major economic chaos — or, worse, harming our nation by taking critical infrastructure offline in the lead-up to an actual armed conflict.
Today we are on the brink of a digital arms race, where our nation-state adversaries and their proxies use cyber capabilities — including hacks and attacks — as an element of national power, often to gain tactical and strategic advantage in other domains. Nations and other sophisticated actors in the cyber domain pursue a variety of purposes, including the gathering of intelligence, financial gain and extortion, and the very real implications of these attacks are becoming clearer to everyone.
We must get ahead of these threats — which cross over between government and industry — and figure out how to stop more of them before they happen.
The sheer scale and scope of cyber hacks and attacks is one of the most pressing crises of our generation. Cyber incidents of all types continue to grow significantly in sophistication, size and quantity. Our current cyber defense strategy simply is not working, as evidenced by the very real costs imposed on the government by the SolarStorm and Microsoft Exchange hacks, as well as the impact that attacks such as the Colonial Pipeline and NotPetya hacks have had on the private sector.
SolarStorm and MS Exchange alone provided nation-state hackers in Russia and China with massive, sustained access to government networks and the ability to access terabytes of potentially sensitive data. Indeed, it appears some of these attackers may still be buried deep in government systems, with the ability not just to collect data but to potentially threaten more aggressive action.
Likewise, it is worth understanding the potential scope of the threat to our private sector. While it may be easy to see the impact on gas prices of a targeted attack on an oil pipeline, it may not be as straightforward to understand how an attack by one nation on another might have massive implications for drug companies, container shippers or consumer products manufacturers. Yet it’s true: The 2017 NotPetya attacks by Russia against Ukraine not only had significant real-world effects in the latter country, they also resulted in $10 billion of damage worldwide, causing massive collateral damage to American and European companies.
The threat only becomes more pressing as we think about attackers not just going after the systems themselves but also the data they contain. Most of us already know about the massive intellectual property theft that has cost our nation trillions of dollars and has helped countries such as China to accelerate their efforts to compete with us economically around the globe. What many of us may not realize, however, is that the more pernicious threat to our nation is the potential for the destruction or modification of critical data. Just imagine if the Russians had used their access to the Food and Drug Administration (FDA) or the Centers for Disease Control and Prevention (CDC) through a SolarStorm-type hack not just to steal data but to modify vaccine efficacy and safety data. Such an effort — even just the threat of it — might well decimate Americans’ confidence in the very vaccines that have the potential to return us to some measure of normalcy.
Even more troubling about the ongoing arms race in cyberspace is the fact that during the COVID-19 pandemic we have seen our adversaries become more aggressive. Rather than slowing their efforts, we’ve seen criminal and nation-state hackers up their game, seeking to take advantage of this moment. It hasn’t just been in cyberspace — we’ve seen China become increasingly aggressive in Hong Kong and the South China Sea, as well as with Taiwan, Japan and its own Uyghur population. The Chinese have complemented this new posture with increasingly public cyber efforts against the U.S. in an effort to take us off the board in the region, exploiting what they see as our relative weakness. Russia has done the same, getting more aggressive in Eastern Europe and the Middle East, deploying capabilities in the near-Arctic regions, and using our own cyber infrastructure to manipulate our politics at home.
We no longer can ignore the strategic implications of this situation. The ongoing effects are obviously problematic from both an economic and a national security perspective. Moreover, in the scenario where an actual conflict erupts, capabilities likely would be deployed to take significant parts of our infrastructure — civilian and military — off the table for a significant time.
To address this very real threat, we must evolve our strategy along four principal lines of effort.
First, we must improve our ability to detect adversaries in our commercial and government networks through the use of behavioral analytics. The Biden administration’s new executive order makes exactly this point, highlighting the importance of aggressively hunting adversaries and identifying anomalous behavior in a zero-trust environment.
Second, we must establish a collective defense fabric between companies, across industries and with the government, as laid out in last year’s Cyberspace Solarium Commission report, including through the creation of a joint collaborative environment where these organizations not only share cyber threat information in real time but act on it jointly.
Third, we must empower these efforts by undertaking joint training programs and creating interoperable systems between the public and private sectors.
Finally, our government must ensure that key federal agencies have the resources and authorities needed to identify threats overseas, follow them as they cross our borders, and establish and enforce a serious deterrence policy to stem the flow of nation-state attacks.
These efforts are no longer optional. We know these attacks will continue and almost certainly will have a significant impact on our economy and on our national defense. We cannot ignore the wake-up calls we’ve had over the past year. We must act now.
Gen. (Ret.) Keith B. Alexander is the former director of the National Security Agency and founding commander of United States Cyber Command. He currently serves as chairman, president and co-CEO of IronNet Cybersecurity, a start-up technology company focused on network traffic analytics and collective defense. He also serves, among other things, as a member of the advisory board of the National Security Institute (NSI) at GMU Law School.
Jamil N. Jaffer is the former chief counsel and senior adviser to the Senate Foreign Relations Committee and served in senior national security roles on Capitol Hill and in the Bush Justice Department and White House. He is senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity and is the founder and executive director of NSI, where he is an assistant professor of law.