The easiest way for Biden to launch the cyber counterattack

An aerial view of the U.S. Cyber Command's joint operations center on the NSA campus is seen in Fort Meade, Maryland on May 25, 2020.

BRENDAN SMIALOWSKI | AFP | Getty Images

Like the 2014 Sony Pictures email hack attributed to North Korea or the Equifax data breach in 2017, the SolarWinds breach of several U.S. federal agencies has put cybersecurity back on the agenda. But it would be a mistake to treat this as a one-time episode. Nation-state cyberattacks are increasing, not slowing down. Their effects are becoming more devastating, costly, and widespread – and we still haven't scratched the surface of the kind of chaos these adversaries can truly unleash. The United States government is one of the best cybersecurity practitioners in the world, yet as SolarWinds shows, if even a single attacker gets through, the consequences can be devastating.

With a new administration in office, now is the time to thoroughly rethink everything cyber-related. Probably the best, most effective, and possibly easiest thing the Biden administration can do on this front? Unleash the cybersecurity talent we already have.

In June 2015, the government's Office of Personnel Management (OPM) announced a breach. The impact was massive: the personnel files of over 21 million federal employees, contractors, and anyone who had ever received a security clearance were stolen. The culprit was found to be the Chinese government, which mined the stolen records to create a database of identities that could be weaponized for spear phishing attacks.

Like SolarWinds, the OPM breach represented a massive weakness and an important lever for nation-state attackers. Regardless of how robust your external cyber defenses may be, the best way to infiltrate a target is to hit it from within. This is why supply chain attacks like the one on SolarWinds are so effective. If you can compromise a contractor who works with the federal government, you gain a backdoor to government networks that bypasses the defenses of federal agencies. Nation-state attackers have proven adept at assuming someone else's identity to masquerade as authenticated users, or using parallel tokens to bypass two-factor authentication.

National cyber priority No. 1

Given this landscape of geopolitical cyberattacks, which has only intensified under administrations of both parties, how should the Biden administration approach national cyber policy? A new task force? New legislation? An emphasis on cyber diplomacy and the creation of cyberwarfare rules of engagement? Maybe a new cabinet role – a national cybersecurity coordinator or a cybersecurity secretary?

These are all sound recommendations, some of which are already being made by Congress. But the first, most important and perhaps the easiest thing the Biden administration can do for cyber policy is to unleash the talent that is already available to it.

While stories like SolarWinds lead some to believe that the US is lagging far behind the rest of the world when it comes to cybersecurity, it just isn't. For every SolarWinds breach, there are a thousand that the government has repelled. But there is a lot of untapped cyber potential within the existing employees and agencies. The Cybersecurity and Infrastructure Security Agency (CISA) has never been more important than it is now and should be at the forefront of the Biden White House's national security portfolio.

Previous administrations have relied on appointed "cyber tsars" who nominally have control over the coordination of national cyber policy. The fact is, however, that these cyber tsars have never been given real power, and their appointments are often symbolic gestures, like checking boxes on a checklist. The real power has been more diffuse, spread among agencies like the NSA, which have cyber defense and warfare capabilities but no central vision overseeing them all.

This is where CISA comes in. An empowered and prioritized CISA can combine all these efforts to develop a comprehensive national cyber strategy. This type of coordination between the agencies is necessary to ensure that all potential attack surfaces are covered. For example, imagine a nation-state cyberattack on our infrastructure – power grids, nuclear power plants, hospitals. It's a remarkably simple thing, and just the kind of vulnerability that can't be fixed without a body like CISA pointing everyone in the right direction.

Agencies like CISA employ remarkable levels of cyber talent who simply have not been given the resources they deserve and need. One reason countries like China and Russia have been such prolific cyber adversaries is because they put real money into their cyber espionage efforts. The Chinese government’s hacking army is allocated a larger budget than many nations provide to their entire military. If you give an army of computer science graduates a big budget and shared vision, their missions will be successful. The Biden White House must prioritize CISA in the same way.

CISA alone cannot solve this problem. Leveraging the support of partners in the private sector, for example, will remain an important part of any national cyber strategy. However, to create a comprehensive cyber plan that anticipates scenarios ranging from supply chain attacks to nation-state attacks on US infrastructure, and that prepares for them with reasonable foresight and investment, the White House must invest the necessary resources in agencies such as CISA. We don't need another symbolic cyber tsar; we already have all the talent we need. Let's unleash them.

– By Dan Schiappa, EVP and Chief Product Officer at Sophos. Schiappa also chairs the Dean’s Advisory Board of the University of Central Florida, where he oversees various aspects of the school’s elite cybersecurity program. He is also a member of the CNBC Technology Executive Council.
