The recent spate of apparently eastern European cyberattacks on important U.S. commercial interests—from SolarWinds to Colonial Pipeline—should force all of us to step back and review how we organize our world. Many crucial points of modern life are simply too vulnerable to being shut down at the whim of a political adversary.
Some of this problem arises from both the complexity of our system and the interconnectivity at its core. Which of these industries would hurt our nation if it was shut down for a month – banks, oil or gas, the power grid to homes and businesses, hospitals and healthcare, schools and colleges, cellular systems, food services, entertainment, and internet services? Any one of them would cause a panic. And this doesn’t even factor in the value of state and local government. You may hate your state’s Department of Motor Vehicles, but think how much we all would miss if it wasn’t operating at all.
Each of these enterprises is built on the same underlying digital infrastructure and commonly architected servers and end-user devices. Nearly all of them rely on a handful of international vendors to provide the hardware and software running their operations. So all of them are vulnerable to hacks, break-ins, malice, mischief, and shut-downs that target these systems. The software will always be vulnerable. For example, today’s Microsoft Patch Tuesday for May contained fixes for three zero-day vulnerabilities.
But another problem arises from the inherent gap in resources between the commercial enterprises and the governments that threaten them. A company has only a commercially reasonable amount of resources to spend on security. For example, a for-profit hospital needs to be spending the bulk of its money on patient care and improving health outcomes, not on digital protection. A non-profit hospital may have less money to spend on everything. A restaurant has small margins after spending on food preparation and safety, staff salaries, and rent, and it cannot afford to put endless resources into data security. Protection funds are severely limited, as digital protections are not the core functions of these operations.
The People’s Republic of China, the Russian Federation, and the Islamic Republic of Iran, conversely, have a commercially unreasonable amount of resources to spend on attacking any U.S. business they choose. They target our power grid, pipeline infrastructure, financial system, or even movie studios. Foreign governments use commercial hacking as part of their political policy, creating an unfair advantage over commercial enterprises in the open societies of the Western World.
The government can help reduce this advantage, but under our system, the government’s options are limited. I don’t believe that many U.S. taxpayers would support the federal government simply funneling cash payments directly to businesses, even in the critical infrastructure spaces of finance, connectivity, health care, and power production. First, this is not how our economic system works and it would be difficult to account for the fact that money currently spent on security wouldn’t be pushed back to the general fund or used in stock buy-back programs. Second, there is not an amount of money that would ever make our companies completely secure – complete security is unattainable – so we would never know how much marginal difference we were buying (and new hacks would be even more frustrating). Third, private companies would chafe at the bureaucratic oversight that would necessarily accompany such a program.
So what can the government do to help? Our federal government is already helping businesses fight advanced persistent (government-sponsored) threats in some ways. For example, the National Institute of Standards in Technology (NIST) has led an effort to research and establish workable digital security standards. Even if a business does not comply with NIST standards, it may benefit from the way NIST thinking has spread in its industry and is being applied by auditors and demanded by customers. The Homeland Security Department is helping by sharing expertise with companies, through Infraguard and industry-specific public-private meetings. Federal law enforcement is keeping track of many of the threats to our companies, and sharing both warnings to corporate targets before likely attacks and relevant information following hacking or ransomware attacks that can help the affected business make more effective decisions. These are excellent beginnings to a helpful program, but I believe that all of these efforts need to be increased.
The Biden administration is looking to go further, using the purchasing power of the federal government and its influence over software contractors. The New York Times reports that the new rules “would require federal agencies to take a ‘zero trust’ approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware or does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government. Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.”
One of the things the federal government could do to help U.S. business and overall data security is to clarify the rules of engagement when an aggressive country conducts attacks on another country’s businesses. In other words, if a foreign power set off a bomb in the middle of Miami or attacked a Delta Airlines jet flying on an approved route anywhere in the world, the United States would retaliate in a measured fashion. An act of violence against American interests is a hostile act. It will be met with force. But the same rules do not seem to apply to hostile acts taken against American interests in cyberspace.
I can understand why a President would hesitate to respond to cyber-violence with physical violence. That kind of escalation can lead to terrible outcomes. However, the U.S. has many tools at its disposal, from financial penalties and diplomatic isolation to responding in kind to an adversary’s cyberattacks. I also understand that one of the problems with cyber-retaliation is that such activity alerts the subject country to its vulnerabilities, and shows the tools that the U.S. has created to effectuate the attack. We prefer to keep our cyber arsenal as secret as possible. Yet, if we don’t establish a plan to inflict pain on anyone harming our cyber interests, we aren’t doing enough to discourage attacks.
The U.S. government is already stepping into the gap between what our companies can afford for cyber defenses and what nation-state attackers can afford as weapons. More thought and policy are needed before this gap results in a serious economic loss followed by social upheaval.