We need a better defense — and tougher offense — to combat Russia’s hacks
Cyber attacks are now front and center for the American public. In the past two months, we’ve seen an attack on an East Coast pipeline, resulting in lines at gas stations in the South, fears that an attack on a food producer might lead to shortages of beef, and more recently, an attack on a security provider that put more than a thousand small businesses at risk of having their operations brought to a halt.
In many ways, what we are seeing is escalation into what amounts to a “pandemic” in the cyber domain. It is critical that the government and industry unite to address this threat and make clear to our adversaries that the United States no longer will be an easy target for such attacks.
Ransomware is not new. Over the past year alone we’ve seen police departments, schools and hospitals grind to a standstill as ransomware attacks have increased in frequency and scale. We’ve likewise seen large amounts of sensitive information leaked as attackers leverage their access to government and private sector systems to gain an advantage. And yet, the past few months have been different. The nature of these new attacks now threatens the daily lives of Americans as the businesses they rely upon are targeted for attack.
Our government has begun to take action in several areas. The White House issued an executive order to better protect federal systems and the contractors that support them. Congress is debating the need for more reporting and potential regulatory action. Senior Justice Department officials have talked about the need to treat ransomware like terrorism. And President Biden twice has raised the issue of attacks coming from Russia with President Vladimir Putin.
Yet the attacks have continued — and have gotten worse. Our adversaries appear to be testing our resolve, but we are not prepared to respond as a nation.
There are two key sets of actions we need to take in order to get ahead of these threats. First, we have to fix our defense. Today, even though our adversaries target multiple providers and industries through supply chain attacks and ransomware offered as a service, we still tend to defend in isolation. While many organizations share information about the threats they see, they do so typically after the fact — and only after considering liability, regulatory and reputational risks. Just like the intelligence community after 9/11, we must fundamentally change this dynamic, going from a need-to-know approach to a need-to-share method.
Indeed, the reality is that most small- to medium-sized businesses won’t be able to afford the kind of security services and personnel it takes to effectively defend themselves. As such, shifting from a defensive approach that is focused on individual companies and organizations, to an approach where multiple organizations work together, across the public and private sectors, collaborating in real-time to divide and conquer against the threat, is nothing short of critical.
But improving our defenses alone is simply not enough. As a nation, we must get much tougher on those who threaten our modern infrastructure. While we know that the most recent ransomware attacks were undertaken by criminal hacker gangs motivated primarily by financial rewards, we also know that many of these gangs have close ties to their respective national governments. For example, the REvil group, which was involved in both the meatpacking and small business attacks in recent weeks, has significant ties to Russia. And notwithstanding President Putin’s protestations to the contrary, more often than not, such hacker gangs operate not just with the knowledge and tacit approval of the government, but often at the Russian government’s explicit request.
To combat this threat, we must make clear to our adversaries what our “red lines” are, and if they are crossed, we must take swift action to respond publicly. For far too long our adversaries have perceived weakness on our part and now seek to capitalize on it. It is time for bold, decisive action to extract costs from our enemies.
Given the potentially existential threats facing our nation in the cyber domain, it is critical that government and industry prioritize both a better defense and a tougher offense. As America’s reliance on cyber networks and systems grows, the need to protect it properly likewise grows. We no longer can afford to wait for the next major attack before we respond; altogether too much is at stake. Now is the time to act.
Gen. (Ret.) Keith B. Alexander is the former director of the National Security Agency and founding commander of United States Cyber Command. He currently serves as chairman, president and co-CEO of IronNet Cybersecurity, a start-up technology company focused on network traffic analytics and collective defense. He also serves, among other things, as a member of the advisory board of the National Security Institute (NSI) at George Mason University Law School.
Jamil N. Jaffer is the former chief counsel and senior adviser to the Senate Foreign Relations Committee and served in senior national security roles on Capitol Hill and in the Bush Justice Department and White House. He is senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity and is the founder and executive director of NSI, where he is an assistant professor of law. Follow him on Twitter @jamil_n_jaffer.