The weekend’s massive “ransomware” attack exposed the glaring vulnerabilities in our cybersecurity readiness.
On May 12, the world witnessed a day that won’t exactly live in infamy but certainly should have a concentrating effect as we collectively grapple with the challenges of cybersecurity. Using a tool set that was “released into the wild” from the National Security Agency, a sophisticated group of hackers launched a “ransomware” scam that eventually penetrated more than 150 nations. It hit the United Kingdom particularly hard in the medical services sector, shutting down the computational ability of dozens of hospitals. Global shipping giant FedEx, Nissan, and many Russian entities were also significantly affected.
Overall, a combination of private and public agencies swung into action, albeit not quickly enough to prevent significant damage. Microsoft moved patches to protect the vulnerable Windows XP systems. As global agencies and companies sluggishly reacted, we had a pretty good look at what the early stages of a global cyber-apocalypse might look like. Can we turn this into a wake-up call? What should we be doing about it?
Here in the United States, despite billions of dollars invested by both the government and the private sector, we are still behind the curve in preparing for major cyberattacks. Part of the problem is the enormous size of the threat surface, which includes the massive Department of Defense (including our nuclear forces); the rest of the U.S. government; our huge financial sector; a particularly vulnerable and somewhat antiquated electric power grid; various other infrastructures (transport, water, gas); medical institutions and records; and of course our own personal data. During testimony before Congress (coincidentally held the day before the cyberattack), retired Gen. Michael Hayden, former Director of National Intelligence James Clapper, and I all agreed that we are standing into danger.
First, we need to get the federal government better organized. Currently, there are three principal leads for cybersecurity: the NSA, the Department of Homeland Security, and the FBI. While some surface coordination exists, these are essentially stovepipes. Six separate centers for cybersecurity are scattered across the government, none of which really has the lead. And perhaps most worrisome, there is no single voice in the president’s cabinet for cybersecurity. Think about it: We have secretaries for agriculture, the interior (whatever that is), and transportation — but none for cybersecurity.
A better structure would definitively make one agency, perhaps the Department of Homeland Security, in charge of cyberissues. That secretary could then be the voice of cybersecurity in the cabinet. Another idea would be to give a coordinating role in cyberissues to the director of national intelligence, making that official the director of national intelligence and cybersecurity. Creating an entire new bureaucracy is expensive and time-consuming, but someone needs to be in charge — and quickly.
Second, we should strongly consider creating a Cyber Force. A hundred years ago, our nation began to appreciate the need for a separate Air Force; in today’s world, we should think about a cyber-equivalent. Easier said than done. Today’s services (including, ironically, the U.S. Air Force) will all object, arguing that the service ethos and culture should be grounded in an existing organization. Perhaps a good model would be the U.S. Coast Guard, which, alone among the armed forces, has both law enforcement and war-fighting authorities. A Cyber Force should start small, with some 5,000-10,000 personnel headquartered in Silicon Valley, and fall under the operational command of U.S. Cyber Command. Today we have a “pick-up team” from the four extant military services, and the people assigned often do a single “one-off” tour and return to other duties. We need a dedicated, trained, motivated, and independent Cyber Force.
A third important move would be to split up the NSA and U.S. Cyber Command. They are currently essentially merged under the command of a single individual, Adm. Mike Rogers. The span of control is too big and the missions too different (NSA does espionage, and Cyber Command does war fighting) to have them under one individual, even one as talented as Rogers. While they will obviously collaborate constantly, U.S. Cyber Command needs to be a fully independent military combatant command. The Department of Defense has made some progress on this idea but needs to fully pull the switch.
Fourth, we need to recognize that, in the end, cybersecurity will only be achieved as a result of strong private-public cooperation. Government agencies need to work closely with private firms — both cybersecurity companies and regular commercial entities. Again, there has been some nascent outreach from both sides, but barriers exist. Congress can play an important role here by passing legislation that provides or backs up cyberinsurance, reduces liability for information sharing, and establishes formal private-public bodies, much as is done in other sectors (such as banking and real estate).
A fifth idea is very broad and again will require the government, private sector, and the U.S. public to work together — and that is cyber-education. More than 70 percent of successful cyberattacks occur because of the failure of users to execute simple cyberhygiene: changing passwords, avoiding the use of thumb drives from unknown sources, failing to detect simple spear-phishing attacks, using encryption sensibly, etc. By educating the public at all levels (from elementary school on), we can enormously reduce the vulnerabilities we face.
Sixth and finally, we need better doctrine, policy, and strategy — to include a theory of deterrence in the context of offensive cyberoperations. As cybertools for attack continue to improve and outpace defenses, we will clearly need to create deterrent regimes to deal with nation-state attacks. Similarly, cybercrime must be addressed by policy and broadly viewed like piracy to be addressed by collective international action. We also need doctrine to actually define what constitutes a cyberattack. We must do more rigorous study and analysis in this space.
There is a great deal more that must be done, but above all we need to realize that in every sense we stand today “on the beach at Kitty Hawk,” in terms of our resiliency and readiness to protect ourselves in the cybersphere. This past weekend’s global attack was a harbinger. We have to improve our readiness to respond when the real cyber-Pearl Harbor threatens.
Photo credit: ANDREW CABALLERO-REYNOLDS/AFP/Getty Images