60 · MT 3/2022 Letter from America Marty Kauchak The US Isn’t Ready for the Coming Cyberattacks At the time of writing, Russia and the Ukraine were bringing to bear an array of weapons from their conventional orders of battle against each other in their six-week old war. Yet, there is another battle lurking – in the cybersphere, extending well beyond the UkraineRussia border. US President Joe Biden has issued several warnings to his nation since Russia invaded Ukraine in February, by asserting Russia is gearing up for cyber attacks on US businesses and other parts of American society. One could argue that the US shouldn’t take Russia’s cyber warfare capabilities too seriously – given the Pentagon’s earlier belief that ‘The Bear”’ had a very powerful and effective conventional military force, but which appears to have fallen short of its objectives in Ukraine. Yet, the alleged involvement of Russia, and to lesser extent China, Iran and other state and non-state actors to commit cyber ‘mischief’ by disrupting US elections, the continuity of utilities’ service and other activities through the last decade, should give serious pause to leaders across the political spectrum – and their private sector counterparts. Credit is due to the Biden administration for quickly moving out in its first four months in office to strengthen US cyber capabilities. The nation’s first National Cyber Director took office, and will serve as a principal advisor to the president on cybersecurity policy and strategy, and cybersecurity engagement with industry and international stakeholders. Further, Biden signed the long-debated Strengthening American Cybersecurity Act into law, making it a legal requirement for operators of critical national infrastructure to disclose cyber attacks to the government. Aside from these important actions, there is little else on the administration’s cyber policy horizon – which will be the nation’s loss, as the stark reality is the US has too many targets to defend them all. The lineup of potential cyber victims includes organisations vital to Americans’ daily life: banks and utilities to name a few. And then there is the Pentagon, and its roster of defence contractors, fire and police departments and other emergency services, and other public sector entities – all of which have been recent victims to hackers from Russia and elsewhere. The 2022-era and beyond cyber threat is a ‘whole-of-government’ matter, involving national security, economic security, public health or safety, and combinations thereof, facing threats from increasingly sophisticated and agile actors. To that extent, US cyber security must be elevated to provide a national response capability, a regulator as such, to defend citizens, companies and government organizations – in sum, America – against current and future attacks. Templates for centralised, functioning capabilities to fight foreign cyberthreats may be gleaned from US allies and friends. The Australian Cyber Security Centre offers one example, as it leads government efforts to improve cyber security. Much closer to home, the Canadian Centre for Cyber Security is Canada’s authority on cyber security. Compare and contrast these models with America’s best practices, which have multiple agencies across the spectrum of government, handling cyber regulation and threats. In one recent case, the Department of Homeland Security’s Transportation Security Agency announced new cyber security requirements for pipelines and railroads. In another instance, the Federal Communications Commission issued its proposals for telecommunications companies. These disparate, representative efforts are unlikely to reduce security threats and closely related cybercrime across America. The decentralised model of American government, and mainstream America’s strengthening mood to chafe at any mention of increased government regulation and oversight – especially after its two-year (plus) Covid pandemic experiences –combine to make the establishment of a national regulator for cyber security most daunting. Another obstacle on the proposed path toward centralised cyberdefence efforts and regulations resides in the US Congress. By one estimate, there are about 80 committees and subcommittees on Capitol Hill which have jurisdiction and oversight over various aspects of cyberregulation. For the US and, by extension, the Biden administration, it’s time for nothing less than once-in-a generation decisions to deter and detect evolving cyber threats. The least resource-intensive, non-controversial option is for the nation’s citizenry, and public and private sector organisations, to continue forward with incremental, low-level, albeit necessary strategies. While government offices and companies can follow current, mandated reporting requirements after cybercrimes and more malicious hacking events, individual users can concurrently consider themselves ‘golden’ by using multi-factor authentication to make it harder for attackers to get onto their system, as well as deploying modern security tools on computers and devices to continuously look for and mitigate threats – for starters. However, the US needs a strategic, stronger approach to defending itself in cyberspace. While a more capable US Cyber Command should be considered as one of America’s tools to deter and react, when necessary, to counterattack, the US urgently needs a centralised approach to combine cybersecurity functions into one federal agency, one that collaborates with private industry and other organisations to complete missions through the spectrum for cyberwarfare – from intelligence collection, to threat assessment and reporting, up through cyber counterattack. Unless America wants to worry about having water every time a spigot is turned on, or having bank accounts that have not been hacked and depleted – for starters – the time is now to rethink its approach to defending the nation in cyberspace. Marty Kauchak is MilTech’s North American Bureau Chief
RkJQdWJsaXNoZXIy MTM5Mjg=