Will another ‘whole-of-nation’ cybersecurity initiative save us?
If the U.S. falls victim to hostile cyberattacks that disable its defenses, scramble the digital brains of its critical infrastructure and turn its cities and towns into dystopian nightmares, it won’t be for lack of high-profile federal commissions issuing high-profile plans.
It will be because the plans never got implemented.
So the obvious question, with yet another high-profile plan issued a couple of weeks ago by the Cyberspace Solarium Commission, is: Will the results of this one be any different?
They probably could be if the government’s focus turned more toward the basics, like better software security. And the possible good news is that this report makes that one of its priorities.
Robert Morgus, director of research and analysis for the commission, writing on the Lawfare blog, said “deterrence by denial” is one of three key elements of the “layered” defense the report recommends.
Quoting political scientist Joseph Nye, one of the “contributing experts” to the report, Morgus said deterrence by denial “must make the cost of aggression ‘unprofitable by rendering the target harder to take, harder to keep, or both.’”
And one way to make a target harder to take is to “build security in” to the software that runs it.
Ignoring the basics
So far, basics like that have been more of an incidental than a primary goal. It was less than 18 months ago, in November 2018, that the National Security Telecommunications Advisory Committee (NSTAC) issued a proposed “Cybersecurity Moonshot,” described as a “whole-of-nation” effort to “Make the Internet safe and secure for the functioning of Government and critical services for the American people by 2028.”
Today, the direct link to that report no longer works.
Instead, we have yet another report calling for yet another “whole-of-nation” effort to improve the nation’s cyber defenses. The Solarium report contains more than 75 recommendations in 122 pages, ballooning to 174 pages once all the appendices and glossaries are included.
The commission, led by Sen. Angus King (I-Maine) and U.S. Rep. Mike Gallagher (R-Wisc.), is blunt about the current state of things. The report opens with “A warning from tomorrow” by Peter Singer and August Cole, co-authors of “Ghost Fleet,” a 2016 novel about a world war in the age of cyber.
They describe the nation’s capital reduced to a toxic wasteland — flooded and polluted from hacks into treatment plants, utilities and a train crash in Baltimore, its survivors huddling in tents while others have been slaughtered from above by hacked air taxis and delivery drones turned into missiles.
King and Gallagher then observe: “The reality is that we are dangerously insecure in cyber. Your entire life — your paycheck, your health care, your electricity — increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised.”
Not that this kind of stark warning is anything new. High government officials have warned of a “cyber Pearl Harbor”attack since 2002.
Retired ABC TV “Nightline” anchor Ted Koppel wrote “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” in 2015.
And cryptographer, blogger and author Bruce Schneier’s latest book is called “Click Here to Kill Everybody,” a title he has acknowledged is clickbait, but that he contends is only marginal hyperbole since “everything is a computer.”
And all recent U.S. presidents — Clinton, Bush and Obama — have issued one or more reports calling for “whole-of-nation” efforts to improve U.S. cyber defenses and capability.
The two under President Trump invoke the memories of U.S. presidents from the 1950s and ’60s. The “moonshot” echoed President John F. Kennedy’s 1961 challenge to put a man on the moon before the end of that decade. “Solarium” hearkens back to President Dwight D. Eisenhower’s Project Solarium, a 1953 national strategy and foreign policy exercise aimed at creating the most effective strategy for responding to Soviet expansionism.
Try something different?
So, is there anything that will make this latest one substantively different from all the rest?
King and Gallagher call their report a “new cyber strategy,” with a call for “layered cyber deterrence,” all conducted with “speed and agility” — a phrase they invoke frequently, and something they acknowledge is not government’s strong suit.
“Government is not optimized to be quick or agile,” they wrote—perhaps the greatest understatement of the entire report—and is the primary reason that none of the previous reports has been fully implemented.
Indeed, this latest report mentions the Moonshot initiative, but notes that both the 2019 and proposed 2020 federal budgets “failed to appropriate funds commensurate with the needs” of its recommendations.
It also proposes a “defend forward” strategy, which it says would be the cyber version of the Cold War policy of putting U.S. military presence close to hostile nation-states. Rather than responding to cyberattacks, the nation must shift to ”proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior,” it said.
Which seems to have been left intentionally vague — exactly how do the report’s authors propose that should be done? But it also sounds a lot like what has previously been called “active defense” and, before that, “hacking back,” a concept that generates ferocious debate among experts, many of whom say since attribution can be easily spoofed and that military capability is essentially irrelevant in the digital world, going on offense could make things much worse.
But it isn’t new either. Leon Panetta, defense secretary under President Obama, said in 2012, “We won’t succeed in preventing a cyberattack through improved defenses alone. If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president.”
About the only clarity on the concept is that the authors say it is intended to stop short of overt military action.
Layers of bureaucracy
The report acknowledges that one major barrier to accomplishing the stated goal is the same barrier that inhibits just about everything government attempts: bureaucracy.
At present, the federal entities charged with improving cybersecurity include the Cybersecurity and Infrastructure Security Agency, the National Cyber Investigative Joint Task Force, the Cyber Threat Intelligence Integration Center, U.S. Cyber Command, and the National Security Agency’s Cybersecurity Directorate.
It acknowledges that “the creation of more organizations, congressional committees, and study groups makes it difficult to achieve the unity of effort required to conduct layered cyber deterrence.”
Indeed, Congress is infected with the same bloat as the executive branch. “Responsibility for cybersecurity is currently dispersed throughout numerous committees and subcommittees, hamstringing legislative authority, muddling oversight, and impeding Congress’s ability to act with the speed and vision necessary,” it said.
And yet, like other plans and reports, it recommends yet more executive branch positions (National Cyber Director) and more congressional committees (House and Senate “select committees on cybersecurity”).
It also calls for:
- Cooperation among friendly nation-states to set international cyber “norms.”
- Collaboration with the private sector, given that most critical infrastructure is in private hands.
- Better training and recruitment of the cyber workforce.
- Improved incident response.
- Improved election security, including the use of paper ballots.
Make it harder for hackers
But then it does, starting on page 75, call for “building security in” to technology products, through the creation of a National Cybersecurity Certification and Labeling Authority, to create incentives for developers to “use security as a product differentiator.”
It calls for some negative incentives as well — a law that would hold “final goods assemblers of software, hardware, and firmware liable for damages from incidents that exploit known and unpatched vulnerabilities.”
It recommends capping insurance payouts “for incidents that involve unpatched systems.”
In short, the expressed goal is to make it harder — much harder — for hackers, with software that is not as vulnerable as regular headlines demonstrate it clearly is today.
Jacob Olcott, vice president of communications and strategic partnerships at BitSight, and former counsel to former Sen. Jay Rockefeller (D-W.V.), has been openly skeptical of past plans.
He said one significant element of this plan is its call for the creation of a Bureau of Cyber Statistics, which would collect, process, analyze, and disseminate essential data on cybersecurity, cyber incidents, and the cyber ecosystem.
But that goal is, he noted, also constrained by bureaucracy. “The report acknowledges a major roadblock to achieving this goal — that both the U.S. government and broader marketplace ‘lack sufficient clarity about the nature and scope of these attacks to develop nuanced and effective policy responses.’”
That, he said, is because while the Department of Justice collects data on cybercrime, it is “woefully out of date.” The FBI collects data on the costs of cybercrime, “but only on cases that it deals with.”
“And while many industry titans in the cybersecurity sector assemble vast amounts of data about the true state of cybersecurity in the U.S., they are not obligated to disclose it,” he said.
But none of those bureaucratic hurdles has to block the improvement of software security.
That will take time and money, of course. But the tools are available, to help with risk analysis, finding and analyzing the software components of applications, networks and systems, and testing for bugs at multiple times during the entire software development life cycle (SDLC).
As Michael Fabian, principal consultant at Synopsys, remarked about the 2018 Moonshot report, “Information security across the board needs to do fewer ‘transformational’ things and more ‘fundamental’ things.”
“If you recall, the overwhelming message in the last few Verizon Data Breach Incident Reports is that 90% of breaches could have been prevented by the most basic of cybersecurity controls and that 90% of breaches are a result of vulnerabilities more than a year old. More than a year!”
But even those basics appear to be a challenge. As Morgus put it, “The U.S. government currently lacks the resourcing to conduct robust, national-level assessments of risk and interdependencies that could inform risk reduction efforts.”
Which leaves the question open: Will this initiative eliminate at least some of the risk of the dystopia that Singer and Cole imagine?
The answer so far looks to be: Don’t hold your breath.