Cybersecurity needs a whole-of-society effort

To the surprise of many, Russia has not launched large-scale cyber attacks against the United States or its NATO allies since invading Ukraine on Feb. 24. But as Western sanctions begin to bite — Russia’s imports are plummeting and its GDP is poised to fall 30 percent this year, according to the Institute of International Finance — the United States must be prepared for a cornered Russian bear to lash out.

Defending the homeland normally falls to the federal government, and federal agencies have launched a robust “whole-of-government” cybersecurity strategy focused on undermining adversaries, promoting network resiliency and sharing cyber threat information with infrastructure operators. However, a broader whole-of-society cybersecurity effort — involving state governments, corporations and ordinary citizens — is required to safeguard the critical infrastructure that keeps American society functioning.

A decade ago, the concept of cyber attacks on civilian critical infrastructure, particularly facilities related to health and safety, seemed far-fetched. But whereas the Geneva Conventions may prohibit the bombing of a hospital, no treaty prohibits a cyber assault on it.

The Russian government has attacked civilian infrastructure before. As far back as 2015, Russian hackers took down 30 power substations in Ukraine and, the FBI and Department of Homeland Security (DHS) warned, began targeting U.S. nuclear plants and other utilities.

Most U.S. critical infrastructure is operated by private companies that cannot defend against nation-states without government assistance. Bolstering the security and resiliency of American critical infrastructure requires a whole-of-society approach that includes federal and state agencies, the armed forces, infrastructure operators and U.S. citizens.

The first step is to proactively engage the adversary by using legal authorities that only the federal government possesses. Under the Defense Department’s aggressive strategy to “defend forward,” U.S. Cyber Command counters threats early and at their source. For example, Russian cyber operators were undermined in the weeks before the 2020 election by Cyber Command operations that targeted their systems and sabotaged their hacking tools. The military should continue clandestine cyber operations and the deployment of cyber “hunt forward” teams to Ukraine and to neighboring countries to bolster partners’ defenses against Russian cyber attacks.

Second, more government entities, including at the state level, must engage. Some states are training civilians to help officials respond to cyber incidents through initiatives such as Michigan’s Cyber Civilian Corps. State National Guard units — whose personnel bring tech skills from their day jobs — have expertise and legal authority to support cyber missions. The Ohio National Guard, for example, created a Cyber Reserve in 2019 to respond to cyber attacks on election systems, infrastructure operators, and state and municipal governments. Congress has considered legislation that would create such cyber civil support teams in every state and territorial National Guard.

Third, both the public and private sectors must enhance cyber resiliency. Doing so is challenging given the range of actors who must coordinate activities. As Sen. Angus King (I-Maine) commented after reading the Cyberspace Solarium Commission’s report, “We’ve got diverse authorities. No one is really in charge. There’s no real structure to how we confront the cyber threat.” The president should empower National Cyber Director Chris Inglis to play this coordinating role.

Building resiliency requires government and industry to share cyber threat intelligence in real time. The government shares intelligence and defensive guidance with the private sector through several channels, including the National Security Agency’s Cybersecurity Coordination Center and DHS’s Joint Cyber Defense Collaborative. The DHS Cybersecurity and Infrastructure Security Agency and other agencies share intelligence with industry-specific Information Sharing and Analysis Centers, which disseminate it to companies.

The 2015 Cybersecurity Information Sharing Act authorizes companies to share data with the government, though such transparency is hindered by concerns that customers will sue over data losses and regulators will impose punishments for network breaches. Congress should consider new statutory limits on such liabilities to encourage the openness needed to defend against attacks.

Fourth, even private citizens have a role. Individuals must take basic cyber hygiene steps so hackers can’t co-opt their internet-connected devices to attack corporate websites or critical infrastructure. To ensure that consumers have authoritative guidance on what to do, CISA — the government’s lead cybersecurity agency — should add household-level outreach to its mission.

Countering foreign aggression in cyberspace requires coordination and rapid information-sharing among intelligence agencies, the military, businesses, infrastructure operators, and individual Americans. In the wired world in which we live, such a whole-of-society effort is necessary to ensure that, even during a cyber attack, we can keep the lights on across America. 

Isaac Porche is deputy director of the Applied Research Laboratory at Penn State University and a board member of the Intelligence and National Security Alliance (INSA), which promotes public-private collaboration on cybersecurity and other national security challenges. Follow him on Twitter @IsaacPorche.