Improving United States Federal Interdepartmental Cyber Hacking Responses

By Nils Peterson

Problem and Background

In the late 1980s and early 1990s, cyber hacking gained prominence in policy circles as a wide-ranging phenomenon that included both teenage and state-sponsored hackers (Cavelty and Mauer, 181). In the early 2000s it became clear that not every cyberattack constituted an act of war, just as not every shooting is by definition part of warfare (Cavelty and Mauer, 185).

Digital technology continues to increase in prevalence across the United States in the present era. This opens up opportunities for governments to track individuals via their online media accounts and hack into individuals’ devices. Over a seven-year period China’s People’s Liberation Army illegally gained access to hundreds of terabytes of information, over eighty percent of it related to the United States (Cho and Chung, 305).

Beginning in late 2020, the United States federal government was informed via Microsoft that its networks had been compromised. The hack originated with a government contractor named SolarWinds, whose products hackers surreptitiously used to distribute malware. While the full range of the attack remains unknown, recovery is estimated to take up to eighteen months (O’Neill). With an attack of this scale, current United States cyber policy clearly cannot effectively wield power across its federal agencies to deter cyber-attacks on governmental entities.

Policy Recommendations

The United States federal government should create an advisory position to the President of the United States tasked solely with interdepartmental cybersecurity deterrence efforts. This organization should not be a catch-all department for cybersecurity problems, since this would be bureaucratically inefficient and would also detach the mission-critical cyber aspects from other agencies (Spaulding and Eoyang). Furthermore, if such a catch-all department existed, coordinating efforts to respond to a cyberhacker would be more difficult than if each agency had its own cyber division that coordinated with the others during these moments.

Establishing a National Cyber Advisor (NCA) to the President of the United States, however, would be more appropriate than a catch-all department. This position and its corresponding thirty-person staff would work across governmental agencies to produce coordinated cybersecurity deterrence efforts. The line between interagency coordination and additional bureaucratic hurdles remains thin. Keeping staff size to thirty persons would ensure the NCA’s focus remains on interagency cooperation within existing policy frameworks (Peters and Garcia). The NCA’s mission of creating trans-departmental communication without having to actively combat hackers itself further limits inefficiencies. In the event of a cyber-attack, existing cybersecurity personnel throughout the federal government would respond with current protocols. After an initial response it would fall to the NCA to coordinate cybersecurity responses among the engaged agencies. This structure ensures the NCA remains in high-level strategic discussions regarding the damage done by the attack without actively doing the on-the-ground work of the federal agencies. Inefficiencies within the NCA remain minimized while it coordinates trans-agency communication in response to the cyber-attack.

The United States federal government must improve federal interagency coordination with the private sector by increasing joint defensive cyber-attacks. Defensive in this context means that private companies will not engage in propagating malware proactively. The federal government and private companies like Microsoft already engage in joint action to combat robot network malware that allows for remote control of a user’s computer (Eichensehr, 479-480). Private companies and the government should go further and engage in defensive cyber-attack simulations that address a coordinated response in the event that a hack is discovered. This would entail annual government probing of private companies’ security, with the latter’s consent.

Increased government-private sector cooperation is imperative because cyber-attacks may impact private sector contractors and subsequently make their way onto government computers. French officials recently identified the state-sponsored Russian hackers, “Sandworm,” the same group who previously shut down Ukraine’s power grid via cyber-attack, as responsible for hacks on French companies that began in 2017 (Greenberg). If one of these companies had been a government contractor, an employee could have sent an infected file to a French government computer and unwittingly begun to infect the entire government network. This situation could also happen to the United States federal government on a scale rivaling the ongoing damage done by the SolarWinds hack.

Conclusion

Cyber-attacks show no sign of abating as a threat to United States federal government entities. To combat this threat the federal government should establish a National Cyber Advisor who would coordinate cybersecurity deterrence efforts between federal agencies. The NCA limits bureaucratic inefficiencies while still giving each federal agency the cyber capabilities it needs to respond in a timely fashion to a threat. Furthermore, increased government-private partnership should be implemented in the form of various consensual governmental probes of private companies’ security deficiencies. These measures will aid the United States in developing a robust system of cybersecurity deterrence to avoid future disasters like the SolarWinds hack. 

Bibliography

Cavelty, Myriam Dunn, and Victor Mauer, editors. The Routledge Handbook of Security Studies. Routledge, 2010. 

Cho, Yoonyoung, and Jongpil Chung. “Bring the State Back In: Conflict and Cooperation Among States in Cybersecurity.” Pacific Focus, vol. 32, no. 2, Aug. 2017, pp. 290–314, doi:10.1111/pafo.12096.

Eichensehr, Kristen E. “Public-Private Cybersecurity.” Texas Law Review, vol. 95, no. 3, Feb. 2017, pp. 467–538. 

Greenberg, Andy. “France Ties Russia’s Sandworm to a Multiyear Hacking Spree.” Wired, 15 Feb. 2021, https://www.wired.com/story/sandworm-centreon-russia-hack/.

O’Neill, Patrick Howell. “Recovering from the SolarWinds Hack Could Take 18 Months.” MIT Technology Review, 2 Mar. 2021, https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/.

Peters, Allison, and Michael Garcia. “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?” Third Way, 12 Nov. 2020, https://www.thirdway.org/report/a-roadmap-to-strengthen-us-cyber-enforcement-where-do-we-go-from-here.

Spaulding, Suzanne, and Mieke Eoyang. “Bad Idea: Creating a U.S. Department of Cybersecurity.” Defense360, Center for Strategic and International Studies, 13 Dec. 2018, https://defense360.csis.org/bad-idea-creating-a-u-s-department-of-cybersecurity/.