In a speech at the 250th Marine Corps Birthday Ball earlier this week, Vice President JD Vance noted that technological change has fundamentally altered the nature of conflict between nation-states. “The battlefield has changed incredibly and profoundly. We’ve got technology that would have been inconceivable even when I was a kid — we’ve got cybersecurity, satellites in space, we’ve got artificial intelligence, and all this incredible technology.”
Also, this week, Nasrin Rezai, Chief Information Security Officer for Verizon, one of America’s largest and most sophisticated companies, articulated what this changed battlefield means to the private sectors when she told Politico “We’re really dealing with an extremely sophisticated nation-state threat actor that will do anything and everything at any price to get a foothold into our critical infrastructure.”
It is increasingly apparent that nation-state entities continue to attack U.S. industry with considerable success. Nation-state adversaries are not only sophisticated but also possess virtually unlimited technical resources and budgets. No private company, no matter how well it does the “basics,” can withstand these attacks indefinitely. Our approach to cybersecurity needs to be fundamentally reformed.
The traditional understanding of national defense as a function confined to our military must be redirected to embrace the modern nature of nation-state attacks in the digital age. What constitutes the national defense “base” has expanded to include private industry more broadly than previously conceived. Laws designed to address our national defense needs should more broadly incorporate the integrated functions of the private sector than the traditional model.
At the very least, the government needs to eliminate the barriers it has erected that impede industry from effectively contributing to the common defense. Ideally, we would begin to put the much-talked-about public-private partnership on a measurable course, grounded in data that supports effective measures. Factually, much of this can be done without vast economic investment from the government.
The traditional approach to cybersecurity policy, which expects private companies to defend themselves against nation-state attacks by complying with a confusing mix of antiquated and unproven regulations, is also fundamentally flawed and often counterproductive. Congress needs to break away from jurisdictional structures that inhibit the creation of effective cyber policy and enact policy grounded in proven, effective practices that better enable critical infrastructure to manage nation-state attacks.
This week, the Internet Security Alliance will begin releasing a series of succinct reports documenting that nation-states have already compromised virtually every part of our critical infrastructure. It is well known in the cybersecurity community that certain aspects of our critical infrastructure, including telecommunications, utilities, and water systems, have been successfully compromised by China and other nation-states. However, it is less well known that similar attacks have already occurred – many, many times – across our transportation services, healthcare networks, manufacturing base, and virtually every other sector.
One wonders what meager percentage of the US population is aware that China, Iran, Russia, North Korea, and other adversary nations have already attacked our country so profoundly. How many Americans know that the theft of credit cards and other personally identifiable information — as serious as these impacts are — pales in comparison to the real and potential damage the nation-state attacks are having on our ability to provide basic services and operationalize our military when needed?
Of course, several government officials are aware of the extent of the cyber threat. While we are grateful for their work, it must be noted that our government’s response to the real and severe cyberattacks has, to date, been anemic. A notable example is that the 2015 Cybersecurity Information Sharing Act, perhaps the most effective and popular law the US Congress has ever passed regarding cybersecurity, lapsed last month. Congress had 10 years to renew it, yet it still lapsed. And that’s the tip of the iceberg.
In fairness, there is some prospect that the Information Sharing Act may be — maybe—reauthorized. However, even the most likely of “achieving” a 10-year, clean reauthorization is an embarrassment. The Act, which definitely needs to be reauthorized, is 10 years old. The threat environment has changed significantly over the last decade. Assuming that all we need to do is change the dates in the 10-year-old Act and leave it alone for another 10 years is indicative of a severe underestimation of the need to modernize that Act—and do much more.
Fortunately, there are opportunities in the current Congress to enact policy and legislation, such as through the National Defense Authorization Act, that could have a significant and meaningful impact on our national cyber defense fairly quickly—and without incurring substantial costs.
Providing the basis for these proposals is the core purpose of the Reports we will release over the next few weeks.
