“There is nothing to be learned from the second kick of a mule.”
The old Mark Twain adage comes to mind as the United States grapples with its second major cyber kick in recent months.
The SolarWinds cyberespionage breach and the Hafnium zero-day attacks on Microsoft’s Exchange servers should spark government officials, Congress, and the private sector to move expeditiously to address threats from these Chinese- and Russian-backed hackers.
A good place to start is to address inadequate information-sharing arrangements. It is no secret that China and Russia, along with other bad actors such as North Korea and Iran, have sought to undermine Western democracies by using our open society and free markets against us. They devote massive resources to finding vulnerabilities within both our hardware and software supply chains. In the case of the SolarWinds hack, a compromised Orion software update has caused multiple government agencies and private businesses to scramble since December to figure out how deeply this massive cyberespionage campaign has penetrated. Less than three months later, Chinese-backed hackers have now attacked Microsoft Exchange servers by targeting “leased virtual private servers in the U.S.” According to ESET Research, this operation has exploited flaws in, at minimum, “more than 5,000 unique servers in over 115 countries.” Additional reports suggest that the ultimate number of servers affected “could be higher than 250,000.”
A joint notice from the FBI and Homeland Security’s Cybersecurity and Infrastructure Security Agency states that the cyberactors have “targeted local governments, academic institutions, nongovernmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.”
So, what questions do policymakers need to be asking now to avoid a third mule kick?
Washington’s typical solution, to throw cash at a problem and add new layers of bureaucracy to oversee it, won’t get the job done. What’s needed is a thorough review of the government’s cybersecurity approach and its relationship with critical private sector partners. The latest National Defense Authorization Act included more than two dozen recommendations from the Cyberspace Solarium Commission, such as expanding CISA’s ability to hunt for cyberthreats. Congress should consider acting on three more commission recommendations.
First, lawmakers should reexamine CISA’s authorities to ensure the agency has all it needs to approach our cyberchallenges aggressively. Second, Congress should take up existing bipartisan and bicameral legislative proposals to incentivize private companies to share information about cyberbreaches while allowing for liability protections and the safeguarding of proprietary information. Third, Congress and the administration should heed the commission’s recent recommendation to consider codifying in law the concept of “systemically important critical infrastructure” and specifically defining software-based infrastructure.
CISA’s model relies on significant collaboration with the private sector for cybersecurity and critical infrastructure. That’s as it should be. Private industry owns about 90% of the nation’s critical infrastructure. The intelligence community, especially the National Security Agency, has unique tools and a deep understanding of our foreign adversaries’ intentions on cyber matters. Those assets could be better utilized by sharing threat intelligence with their counterparts in the private sector, without damaging sources and methods. Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, is steeped in knowledge from her time at the NSA and should expedite policy changes to break down cyber silos, where necessary, within the government. Exploring ways to have the NSA’s authorities and broader resources more involved with identifying these internal, soft-underbelly threats could put us in the position to mitigate cyberthreats and prevent further exploitation.
As technological innovations continue to change the U.S. and global economies, our adversaries seek to even the playing field by mere keystrokes—allowing them to manipulate vast amounts of American consumer and private data. Neither the government nor the private sector can continue to view cyber hygiene efforts as simply a check-the-box exercise for their employees, consumers, and stakeholders. American borders do not exist in today’s cybersecurity environment, and it will take decisive and well-informed changes to our defense posture to win today’s cybersecurity battles.
This piece originally appeared in the Washington Examiner.