It’s well past time for strategic defenses and counterpunches on cybersecurity
No future American president should ever be placed in Joe Biden’s unenviable position in Geneva this past week, meeting with an adversary capable of exploiting critical U.S. vulnerabilities in cyberspace for all the world to see. During the past year, the United States has shown itself largely impotent in trying to deter a Russian cyber offensive of escalating brazenness and sophistication, to include interference in elections, the largest-ever cyber infiltration of U.S. government computer systems with the SolarWinds hack, and recent ransomware attacks on critical U.S. infrastructure by Russian criminal groups that enjoy sanctuary courtesy of the Kremlin. Without an effective defense in place, our president is left with only threats of retaliation as leverage. We need a strategic defense initiative for cyber to change that equation.
The United States must treat this as a true “Sputnik” moment, recalling the Soviet Union’s launch of the first satellite in 1957 that heralded the Cold War race for space superiority. Vladimir Putin’s Russia will continue to press an asymmetric advantage in this equally critical national security domain until successfully deterred by stronger and more layered U.S. cyber defenses, combined with more potent and persuasive U.S. cyber counterpunches. As with the original Sputnik moment, the response requires a whole-of-nation effort to be successful, including government, the private sector, and an educated public ready for the challenge.
The good news is that the Biden administration and Congress have indicated that they grasp the gravity of the threat. A bipartisan Congressional majority, in the recent National Defense Authorization Act (NDAA), established a new “cyber czar” position at the White House with important powers to coordinate cybersecurity actions across key national security agencies and departments.
President Biden nominated Chris Inglis as the first-ever national cyber director — an experienced leader who capped a three-decade career at the National Security Agency (NSA) by serving as its deputy director. Inglis was a member of the Cyberspace Solarium Commission, which issued its landmark report last year with more than 75 recommendations for overhauling national cybersecurity.
The Solarium report lays out a layered deterrence posture, starting with a U.S. diplomatic effort to establish new international norms and standards for behavior in cyberspace and to collectively call out and counter actions that trample those norms. It also recommends U.S. government counterattacks that impose proportional costs on malicious actors in cyberspace. Inglis has noted that such countermeasures include “legal, financial, diplomatic and cyber powers that, applied in combination, assure compelling and unavoidable consequences for transgressors.”
Another layer of deterrence called for in the Solarium report is a far closer and more assertive collaboration between the U.S. government and the private sector to secure critical networks and identify and quickly respond to malicious activity in cyberspace. The lack of such resilience in critical U.S. infrastructure was exposed in the recent ransomware attack on the Colonial pipeline by the Russia-based criminal hacker group DarkSide. That largest ever cyberattack on an American energy system disrupted gasoline and jet fuel deliveries to the East Coast, causing major gas shortages, steep price hikes and panic-buying.
The Biden administration made an important step towards greater resilience by issuing an executive order in May that uses carrots and sticks to forge a closer cybersecurity collaboration between the federal government and private sector. The order removes barriers to the sharing of threat information, imposes stronger cybersecurity standards for companies doing business with the federal government, and establishes baseline security standards for developing software sold to the government, relevant to the SolarWinds attack, perhaps the largest ever infiltration of government computer networks.
A critical element of the whole-of nation approach will be education. As Inglis identified in his recent Senate confirmation hearing, promoting cyber awareness in the K-12 school systems will enhance the pipeline of cyber talent needed to power this national strategy. A significant bolstering of the sense of cyber-hygiene and best cyber security practices among the American public will also be a key factor to the success of this initiative.
To date the U.S. government has responded to escalating Russia-based cyberattacks on U.S. elections, government networks and critical infrastructure with a series of diplomatic expulsions and economic sanctions on Russian individuals and companies. At this week’s summit with Putin, U.S. officials proposed 16 critical sectors that should be “off limits” to cyberwarfare attack, and Biden warned that if Russia violates those limits “we will respond…in a cyber way.”
And yet still Moscow seems undeterred. Until America gets serious about building a credible, whole-of-nation cyber defense and plugging digital vulnerabilities — and counterpunches in a way that finally gets the Kremlin’s attention — decades of history suggest that there is no reason to expect Putin to surrender what he sees as an asymmetric advantage over a richer and more conventionally powerful foe. Our national goal should be to change the dynamic of the next U.S.-Russia summit in our favor with a broadly effective defense against cyber-intrusions firmly in place.
Glenn Nye is the president and CEO of the Center for the Study of the Presidency & Congress (CSPC). James Kitfield is a CSPC senior fellow.