To the surprise of many, Russia has not launched any large-scale cyberattacks against the United States or its NATO allies since invading Ukraine on February 24. But as Western sanctions kick in, with Russia’s imports plummeting and its GDP threatening to fall 30 percent this year, according to the Institute of International Finance, the United States must be prepared for a cornered Russian bear to lash out.
Homeland defense typically falls to the federal government, and federal agencies have launched a robust “whole-of-government” cybersecurity strategy focused on undermining adversaries, fostering network resilience, and sharing cyber threat intelligence with infrastructure operators. However, protecting the critical infrastructure that keeps American society running requires a broader, societal cybersecurity effort involving state governments, businesses, and ordinary citizens.
A decade ago, the concept of cyberattacks on civilian critical infrastructure, particularly health and safety-related facilities, seemed far-fetched. But while the Geneva Conventions may prohibit bombing a hospital, no treaty prohibits a cyberattack on it.
The Russian government has previously attacked civilian infrastructure. As early as 2015, Russian hackers shut down 30 substations in Ukraine and, the FBI and Department of Homeland Security (DHS) warned, began targeting US nuclear plants and other utilities.
Most of the critical infrastructure in the US is run by private companies that cannot defend themselves against nation states without government support. Strengthening the security and resilience of America’s critical infrastructure requires a whole-of-society approach that includes federal and state agencies, the armed forces, infrastructure operators and US citizens.
The first step is to proactively attack the adversary, using legal powers that only the federal government possesses. As part of the Department of Defense’s aggressive “Forward Defense” strategy, the US Cyber Command combats threats early and at the source. For example, in the weeks leading up to the 2020 election, Russian cyber operators were undermined by Cyber Command operations that targeted their systems and sabotaged their hacking tools. The military should continue its covert cyber operations and the deployment of cyber-hunting teams to Ukraine and neighboring countries to strengthen partners’ defenses against Russian cyberattacks.
Second, more government agencies, including at the state level, need to get involved. Some states are training civilians to help officials respond to cyber incidents through initiatives such as Michigan’s Cyber Civilian Corps. State National Guard units, whose personnel bring technical skills from their day-to-day work, have expertise and legal authority to support cyber missions. For example, the Ohio National Guard established a cyber reserve in 2019 to respond to cyberattacks on voting systems, infrastructure operators, and state and local governments. Congress has considered legislation that would create such cyber civil support teams in every state and territorial National Guard.
Third, both the public and private sectors must improve cyber resilience. This is a challenge given the large number of actors who need to coordinate activities. As Sen. Angus King (I-Maine) commented after reading the Cyberspace Solarium Commission report: “We have different authorities. Nobody is really responsible. There’s no real structure for how we’re going to address the cyber threat.” The President should authorize National Cyber Director Chris Inglis to take on that coordinating role.
Building resilience requires government and industry to share information about cyber threats in real time. The government shares information and defense guidance with the private sector through multiple channels, including the National Security Agency’s Cybersecurity Coordination Center and the DHS’s Joint Cyber Defense Collaborative. The DHS Cybersecurity and Infrastructure Security Agency and other agencies share information with industry-specific information sharing and analysis centers, which pass it on to companies.
The Cybersecurity Information Sharing Act of 2015 authorizes companies to share data with the government, although such transparency is hampered by concerns that customers will sue for data loss and regulators will impose penalties for network breaches. Congress should consider new legal limits on such liabilities to encourage the openness needed to deter attacks.
Fourth, private individuals also play a role. Individuals must take basic cyber hygiene measures to prevent hackers from using their internet-connected devices to attack corporate websites or critical infrastructure. To ensure consumers are given authoritative guidance on what to do, CISA – the government’s lead cybersecurity agency – should expand its mission to include outreach at the household level.
Countering foreign aggression in cyberspace requires coordination and rapid information sharing between intelligence agencies, the military, corporations, infrastructure managers, and individual Americans. In the connected world we live in, such a societal effort is necessary to ensure we can keep the lights on across America, even during a cyberattack.
Isaac Porche is Associate Director of the Applied Research Laboratory at Penn State University and a member of the board of directors of the Intelligence and National Security Alliance (INSA), which promotes public-private collaboration on cybersecurity and other national security challenges. Follow him on Twitter @IsaacPorche.