COVID-19 Is Forcing Hard Cybersecurity Choices

By the time the U.S. Cybersecurity Solarium Commission released its long-awaited report this past March, the times were already changing, and quickly. The Commission has since released an addendum (“Cybersecurity Lessons from the Pandemic”) but it is clear that in these financially constrained times the country needs to ruthlessly prioritize the original report’s 84 recommendations.

The Commission, which I advised briefly as an outside advisor, argues that the United States should invest in deterrence to impose costs on adversaries and deny attacks from succeeding. That’s true, and priority areas for improving our national deterrence include strengthening the U.S. military’s “defend forward” posture and improving public-private partnerships to blunt attacks. As a third step, we should make hard choices to cut older or unnecessary national security programs so that the country can protect key investments.

Why are these the most important priorities?

Let’s take the “defend forward” posture first. The Commission rightly argues that deterrence hasn’t worked in the “gray zone” — where competition is less intense than outright conflict. The Russian government’s campaign against the 2016 presidential election is a case in point; the United States sanctioned Russia in response, but the Russian government continued to penetrate the electric grid. But in 2018, the United States signaled it would take a more forceful posture and “defend forward” by increasing the American presence on adversary networks. Before the Congressional elections that year, U.S. officials first warned the Russian government and then denied internet access to its Internet Research Agency.

This was the first time the United States used the “defend forward” doctrine publicly. And although the Commission recommended assessing DoD’s force structure to defend U.S. interests in cyberspace, we may not need to spend any more on forces if the current team can punch when it matters. Time will tell.

Second, better public-private coordination can deliver more security without investment in new personnel or new technology, the Commission argues. For example, in 2018, as U.S. officials issued warnings, Facebook and Microsoft removed hostile actors from their own platforms. While the government must assume the burden of risk in national security planning, the two communities can deepen their partnership; the report recommends a planning cell to bring the two communities together to plan combined voluntary operations.

Third, a safe strategic bet is to look for reductions in other areas and fence cybersecurity funding. During the 2012 budgetary drawdown, defense spending was protected or increased for cyber, space, special operations forces, science and technology, and research and development — programs that give the U.S. a competitive advantage. At the time, the military was shrinking after Afghanistan and Iraq; it was a hard call to allocate forces to cyber. It will be hard now as budgets decrease nationally, but redundant programs can be found: there are already plans to cut outdated aircraft; another option is DoD’s bloated IT budget.

Where should investments continue? Deterrence works by matching a good offense with a good defense, and Congress should continue to focus on doing whatever it can to help secure critical infrastructure. Practically speaking, the Commission recommends that organizations invest in cybersecurity testing to validate that their security works. Why? A recent Verizon study found that 82 percent of successful breaches should have been stopped by existing security controls but weren’t. When cybersecurity controls fail, you don’t get a “check engine” light on your dashboard; they fail silently. If you don’t exercise your security capabilities, your teams and technologies won’t be ready when needed. Trying to close vulnerabilities in every piece of software in your organization is an inefficient practice; economically, organizations will get more bang for their buck if they test, train, and exercise against known threats.

There is a range of other no-cost improvements that the government can make for national cybersecurity. The biggest? Promote a key leader, as the Commission argues in the main study and affirms again in the white paper. The Obama administration made progress in cybersecurity thanks to the talents of a few leaders who effected change. The coronavirus shows us the importance of having experts at the helm to manage a crisis. We don’t want untested leaders in charge during a major cyberattack; to prepare for the election, national security leaders in the White House should reinstate a cybersecurity coordinator now.

During a moment of national transition, the Cybersecurity Solarium Commission presents Congress with solid recommendations. The country is in a moment of profound transition, and in many ways it will emerge more just, resilient, and strong thanks to the commitment of citizens across the United States. In the middle of this transition, however, adversaries will try to manipulate our data, disrupt democratic discourse and the election, and tip the country off balance. We need to make progress in cybersecurity concurrent with the broader areas of social and economic policy that the present demands.

Rather than trying to achieve every Commission recommendation, this year Congress should build on past strengths and invest in quick value initiatives. Continuing to empower U.S. Cyber Command, building innovative public-private partnerships, and testing existing investments will help. The best way to make good? Put strong leaders in charge to work on the projects that matter most.

This piece originally appeared in DefenseOne on June 15, 2020.

Think Bad, Do Good Podcast

For more on cybersecurity optimization and hard budget choices, please see Episode 2 of AttackIQ’s new podcast, “Think Bad, Do Good” – “How to Achieve Cybersecurity Effectiveness,” a conversation with the Chertoff Group’s Adam Isles and Kurt Alaybeyoglu, hosted by Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy at AttackIQ.

How can you optimize your cybersecurity investments to achieve maximum effectiveness? Listen to two of the world’s leading practitioners of cybersecurity and hear about their experiences managing major incidents from the top of DHS and operating in the U.S. Air Force’s cyber warfare wing.