March 11, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

As Commander-in-Chief, the President is the ultimate strategic player in defending the country. Merriam-Webster defines warfare as military operations between enemies, and also as an activity undertaken by a political unit (such as a nation) to weaken or destroy another.

By these definitions, the US has suffered multiple cyber-attacks that could easily fall into the category of warfare. Certainly, the Chinese attacks stealing the plans for the F-35 fighter, as directed by the Communist Party, were designed to weaken the US. The 2016 attacks on the US electoral system conducted by “Fancy Bear” under the direction of the GRU – the Russian military’s intelligence unit – similarly were designed to weaken the US. The Office of Personnel Management was compromised, including the theft of highly sensitive personal data, putting US operatives and their families at risk. More recently, in 2020, the Russian and Chinese governments attempted to steal US intellectual property on the design of a vaccine for the COVID-19 virus. And of course, the SolarWinds/Orion systemic attacks simultaneously affected numerous government and civilian organizations. There are numerous other less high-profile examples.

When such attacks were a novelty, perhaps it was appropriate to go behind closed doors and rely on our government to come up with some clever method of retaliation that would generate deterrence. But these types of attacks have been going on for over a decade, and it’s not really clear anyone knows what to do about it. Moreover, it’s not just government systems and personnel who are being impacted. These are attacks that create harm beyond the government to private citizens. Perhaps it’s time to re-think (or perhaps begin to think) of what to do about this. Obviously, the deterrent factor of having the world’s largest, best-funded and best-equipped military has not proven effective regarding cyber-attacks.

Aside from the clearly criminal cyber-attacks referenced in the previous section, the nature of nation-state warfare has changed, and we have not yet determined how our military should change in this new era. As noted in earlier posts, more skilled criminal actors are now selling their services to the less skilled, which expands the pool of attackers with “industrial-grade” weapons capability. In our last post we noted there is “conceptual confusion” surrounding the military’s role in cyber defense and little consensus on what the Department of Defense role should be for this mission. Similarly, a recent GAO report identified key challenges and shortcomings in DoD’s current approach in cyberspace, highlighting a lack of definition in the DoD organizational roles and responsibilities for providing civil support during a cyber incident of national significance.[i]

The Pentagon must go beyond these recognized gaps and recognize a new role as a supporting command to the non-state actors. The details of how these complicated issues ought to be resolved are beyond the capacity of this volume; however, a practical and efficient way for our law enforcement and military organizations to protect the US from nation-state or state-affiliated cyber-attack is long overdue.

Among the issues such a review should address is a redefinition of the role of the military and the meaning of terms like “significant attack” and “critical infrastructure,” so that clear jurisdictional and actionable guidelines are created that enable greater synergies on how to assist and operate with the private sector to prepare, protect, and respond to cyber-attacks.

Virtually no commercial-level cyber defense is a match for cyber-attacks launched against it by nation-state actors. The global costs from state attacks from cyber criminals run into the trillions, and we have already documented the near-zero rate of successful criminal prosecutions in cybercrime cases.

Perhaps most curious is that there seems to be no concentrated effort to develop “solutions” to this problem – even if “solution” is defined as allowing only 95% of cyber criminals to escape prosecution – that alone would be a massive improvement. The national digital security strategy needs to map out a program to effectively address cybercrime.

It has been suggested that a Commission be established to investigate the attack on the US Capitol on January 6. However, the partisan atmosphere inside the beltway appears to make such a Commission unfeasible. However, there is no partisan divide on cybercrime. Perhaps these digital attacks could be addressed in a well-structured Commission.

As part of the overall digital transformation strategy, the President should appoint a separate Commission charged with developing a practical plan for improving prosecution of major cyber criminals in a sustainable format. This separate Commission should consist of 16 individuals – 4 former law enforcement officials, 4 former military officials, 4 representatives of industry (no more than one from any sector) and 4 representing victims of cybercrime. None of the civilian representatives should have government experience.

The Commission should include in its deliberations how military and law enforcement may collaborate more effectively to pursue cyber criminals, how domestic and international law ought to be changed to effectuate the strategy, and how to develop an international political consensus to make the plan workable.
