Cybersecurity expert: 'The United States lacks an organized response' to foreign cyberattacks and malware
President Joe Biden’s administration has been attempting to fortify the nation’s digital defenses as Russian President Vladimir Putin escalates his unprovoked assault on Ukraine. Government officials and business leaders are anticipating that Moscow will try to breach and potentially disable critical information infrastructure as a retaliatory response to crippling economic sanctions.
According to Glenn S. Gerstell, a senior adviser at the Center for Strategic and International Studies and the former general counsel of the National Security Agency and Central Security Service, “the United States lacks an organized response” to foreign cyberattacks and malware intrusions.
First, Gerstell began, the Department of Homeland Security, which Biden has tasked with shoring up public and private networks, “doesn’t have the legal authority to order the private sector to follow its lead. More broadly, the federal government, even if warned by companies like Microsoft of incoming cyberattacks, doesn’t have the necessary infrastructure in place to protect American businesses from many of these attacks.”
Second, Gerstell continued, “the decentralized nature of the American government does not lend itself to fighting foreign cyberthreats. Government agencies handle cyberregulation and threats in the sectors they oversee — an inefficient and ineffective way to address an issue that cuts across our entire economy.”
He lamented that “America should already be cyberattack-proof, but coordinating these efforts across the country has been an uphill battle.”
Gerstell recalled that, throughout his career, he “witnessed daily the scope and sophistication of such maliciousness from Russia, China, Iran, and North Korea. All of them leverage the various sectors of power at their disposal — including commercial and state-owned enterprises as well as spy agencies — to come out against U.S. businesses and citizens in full force.”
Unfortunately, however, “the United States lacks an organized response,” wrote Gerstell. “The weekly reports of ransomware attacks and data breaches make it clear that we’re losing this battle. That’s why America’s leaders must rethink the current cyberdefense system and rally around a centralized regulator to defend both citizens and the private sector against current and future attacks.”
The biggest hindrance to mounting a coordinated and effective nationwide response to network breaches and malware infections, Gerstell said, is “the decentralized nature of the American government” which “does not lend itself to fighting foreign cyberthreats.”
This is evident when looking at proposals that the federal government has put forth to protect its vulnerable networks as well as those owned and managed by the private sector.
“Government agencies handle cyberregulation and threats in the sectors they oversee — an inefficient and ineffective way to address an issue that cuts across our entire economy… and on Capitol Hill, there are approximately 80 committees and subcommittees that claim jurisdiction over various aspects of cyberregulation,” wrote Gerstell.
Bureaucratic complexities and partisan politics have stymied attempts to unify the cyberdefenses of public and private enterprises, Gerstell explained.
Thus, “it’s time to move past partisanship and standard objections to regulation,” he opined. “From a private-sector perspective, the case for a centralized effort makes sense as well. Almost every industry runs its computers on one of three operating systems: Windows, macOS, and Linux. In many cases, they also use the same business software — a defense contractor’s payroll system isn’t much different from a pharmacy’s. That means vulnerabilities are similar across industries, and will therefore require similar solutions. A centralized government response center, then, makes sense.”
At the very least, establishing a centralized approach would provide an opportunity to “have standards uniformly applied, yet specifically tailored where necessary to the needs of a particular sector,” said Gerstell, noting that it “should be possible to design cross-industry regulation effective enough to safeguard the public without crimping innovation.”
Dozens of nations, including those in the European Union, have already begun to explore these methods.
“Some of America’s closest allies — Britain, Canada, and Australia — have also moved to consolidate their cybersecurity functions into one agency that works with the private sector, while retaining specialized functions for intelligence collection and law enforcement,” Gerstell pointed out.
He recommended that the US start paying attention.
“These moves shouldn’t be dismissed,” Gerstell stressed. “While it is too early to fully assess the success of these new consolidating measures, the United States is clearly behind the curve: Britain has just adopted its second multiyear national cyberstrategy, while the United States struggles to come up with its first.”
Recently, there have been initiatives in the US aimed at codifying cyberregulations to shield public agencies and municipal utilities from electronic incursions.
For example, the Securities and Exchange Commission “worked with investment banks and stock exchanges in its early years to fashion an entirely new disclosure framework for public companies in every industry,” Gerstell wrote. “As a result, a public company’s prompt disclosure of market-moving news (good or bad) is now taken for granted — just as insider trading and covering up corporate developments were routine practices in the days before the securities laws.”
Similarly, the Environmental Protection Agency “urged the nation’s 52,000 private and municipal water supply systems to bolster defenses against a potential Russian cyberattack that could disrupt or contaminate our drinking water.”
For these programs to have their intended impact, Gerstell believes, “a central regulator would greatly simplify this process. It could ensure that the managers of each water system were fully aware of the critical details of a possible Russian attack. It could immediately disseminate critical information regarding the attack. And it could educate potential victims on how to minimize the spread of the attack.”
Admittedly, “none of this will be easy or put in place quickly,” Gerstell stated. “The Cyberspace Solarium Commission, established in 2019 to develop a bipartisan consensus on a strategic approach to defending the United States in cyberspace, recently reported that even some of its less extensive recommendations might require a ‘future emergency’ to ‘create the political impetus needed to overcome existing barriers.’”
That gloomy warning underscores the urgency of finding a solution.
“Russia’s war on Ukraine might be that ‘future emergency,’” Gerstell concluded. “If we don’t want to have to worry about Russian hackers contaminating our drinking water every time we turn on the faucet, now is the time to rethink our approach.”