To even the most perceptive observer, it would seem that the US government has made significant headway when it comes to cyber defense.
Since the beginning of the current administration, both Congress and the executive branch have put forth important policy changes to bolster the country’s cyber war assets. The first major step forward to establish the centrality of cyber came in August when President Trump created US Cyber Command at the Pentagon to oversee and organize all of America’s cyber capabilities. This was followed by other important moves such as the founding of the National Protection and Programs Directorate (NPPD) in charge of domestic cyber defense and the signing of an executive order promoting the protection of the private sector’s data grid. On Congress’s end, lawmakers have produced several bills aimed at protecting America’s digital infrastructure.
With all of this progress in such a relatively short span of time, one would wonder what all the commotion was at a recent Senate Armed Services Subcommittee on Cybersecurity hearing, during which senators heard testimony from a slew of officials on just how vulnerable the United States is in the cyber sphere.
The truth is, the subcommittee hearing was not coming to detract from any of the advances made in addressing cyber defense. The hearing was rather a chance for military brass to explain to policymakers the fundamental shift that has taken place in regards to defense in the wake of cyber war development, and that America must get with the times.
States have always looked for ways of outsourcing their warfighting, weather by enlisting and arming proxy nations, or the outright hiring of mercenary armies. The last century saw a great global conflict played out almost entirely through proxy fighting in the form of the Cold War. Today the intermediaries of nations seeking to wreak havoc on each other takes the form not of the traditional “kinetic” army but rather the elusive hacker group.
The industry of state-backed hackers has made a name for itself with high-profile incidents, from the 2014 Sony breach attributed to the North Korean sponsored Lazarus group to the more recent Russian troll campaign orchestrated by organizations connected to the Kremlin. While many state-sponsored hacker groups have already established themselves as serious global threats, there is now a clear trend in which states are starting to use their illicit hacking activities to project their power and use cyber attacks to leverage influence on major geopolitical issues.
Two recent examples come to mind.
First is the ongoing cyber threat posed by Iran. Iranian hackers have been going after Western nations for the better part of the past decade. The level of Iran’s cyber aggression has a clear correlation to the level of pressure being exerted on it by the international community. Taking this into account, it should come as no surprise that as President Trump continues to send signals that he intends to end the Iran nuclear deal (the recent firing of Secretary of State Tillerson perhaps being the latest of those signals), more indications of Iran plotting to strike America’s digital grid are surfacing.
Cybersecurity professionals from the private sector have recently detected Iranian hackers breaking into networks of defense contractors, aviation firms, oil and gas companies, technology companies and telecommunications providers, a clear indication that hackers have become more bold and more skilled. “They’re good enough that they’re able to break into a lot of organizations,” said Charles Carmakal, vice president at the cyber incident response firm Mandiant. “There’s definitely a lot of fear by the intelligence agencies and lots of security companies about what Iran is going to do.”
Another case in point involves the Russian hacker group Sofacy, often referred to as Fancy Bears. Sofacy has been implicated in numerous hacks against the US government including attacks targeting the White House, the CIA, and famously, the email hack of the Democratic National Committee. While Sofacy has long been both a danger and a nuisance, the group is now beginning to branch out into targeting a slew of international targets in various regions including the Middle East and Asia. As a recent report from cyber defense company Kaspersky Labs shows, tracking Sofacy attacks over the recent period shows a “shift in targeting” to include countries like China and other “central Asia” nations.
The expansion of these hacker groups and others like them shows the need for an important shift in strategic thinking when it comes to global conflict. This was certainly the message being sent by participants in the Cyber Subcommittee hearing. Many military officials warned that the nation’s defense force is lagging behind other countries that are actively ramping up their cyber capabilities. The fear being expressed was that the United States will be unprepared to face capable cyber adversaries. As Air Force cyber commander Major General Chris Weggeman put it, the US must become “the challenger instead of the challenged…I fear for American democratic institutions if we don’t attack.”
The admiral was highlighting an important point. Cyber is becoming a primary arena in which America will be challenged from a defense perspective. It is not enough to focus on shoring-up vulnerabilities in the grid. Rather the US must develop cyber deterrents in the same way it does for real-world warfare. The point most telling of America’s lack of cyber war preparedness was also pointed out during Admiral Nelson’s presentation: currently the US has government-wide policy laying out how to respond to a foreign cyberattack. Nelson cited several cases in which nation-states—not just Russia, but North Korea and others as well—carried out attacks against the US or American organizations that incurred little or no response.
And this is not only an opinion held in the military.
Policymakers as well have been pushing for a coherent set of rules that govern America’s responses to cyberattack. The recently introduced Defending Elections from Threats by Establishing Redlines Act of 2018, or DETER for short, was designed to achieve just that. The bill imposes harsh sanctions on foreign entities that attempt to influence elections in the United States. The bill includes sanctions specifically aimed at Russia, including severe economic penalties and travel bans on “any senior foreign political figure or oligarch in the Russian Federation.”
The issue of developing a framework of response to cyber attack may very soon have some practical implications. With the midterm elections nearly on the horizon, it is vital that America is able to engage in their democratic process from a place of strength, knowing the government has a firm policy to address foreign cyber aggression. The federal government has been busy at work addressing vulnerabilities and offering states and local authorities assistance to bolster their own information infrastructure, which is great. But deterrence and response policies have yet to foment.
Looking forward, there are still some substantial challenges to bolstering the US cyber defense apparatus. These range from the broader strategic issues brought up by many at the recent hearing to more logistical concerns. The biggest by far is one that affects many areas of governmental groups, namely, attracting quality personnel who have the ability to advance the interests of the organizations for the long term. Simply put, the US government is struggling to attract, recruit, and retain talented cyber professionals. As Vice Admiral Michael Gilday of the US Navy pointed out at the hearing, the best and the brightest are offered noncompetitive salaries for entering government service, averaging $37,000 per year. This lags far behind the base pay of the private sector. Many participants in the subcommittee hearing stated that they were testing ways to give credit and financial bonuses to reward good work.
To end on a positive note, no one can say progress has not been made on the cyber front, a complex and multifaceted effort that affects the whole of the United States government. Small and gradual steps, if taken persistently, tend to lead to more clarity on the strategic directions necessary for big-picture success. A bit of this clarity was expressed at the Senate Subcommittee gathering. With any luck, the advances made until now with cyber defense will continue to bring about more improvements to America’s national safety.
