11 May 2018

Are We Really Ready for a Cyberattack?

Max Brooks

Last month, the U.S. and U.K. governments released a joint “Technical Alert” on the dangers of “Russian state-sponsored cyber actors.” While timely and targeted, this alert shouldn’t be a surprise to anyone. We’ve witnessed enough cyberattacks in recent years to understand that the digital domain is humanity’s new battlefield. And while the West is ramping up its defenses, its efforts aren’t guided by an overall doctrine. That’s right: There is no master plan. What we need now, before a more serious cyberattack, is a doctrine along the lines of our National Response Framework. This document is, in its own words, “a guide to how the nation responds to all types of disasters and emergencies.” Resources, roles, responsibilities, you name it. From the Oval Office down to local governments. It even includes Native American Tribal Councils. No, seriously, look it up -- because you can. This isn’t a secret, eyes-only doomsday plan. The National Response Framework is open to the public because it needs to be. There can’t be any room for misinterpretation or confusion.


Although cyberattacks do fall under the umbrella of the NRF, they’re noted only in a vague and flimsy annex that leaves far too many questions unanswered. What kinds of attacks, for example, fall under the heading of “Incident of National Significance”? Hacked heating-oil companies in winter? Traffic lights at rush hour? What if an attack targets something seemingly innocuous, such as the billing department of a medical-insurance company that could delay someone’s life-saving medication? These and a thousand other conundrums need straightening out, along with everyone’s designated course of action.

A National Cyber Response Framework should outline three basic principles.

First: government responsibility. Who answers to whom? We need to know exactly what organ of government (NSA, FBI, the Defense Department’s Cyber Command, and so on) is responsible for what element of our security and response. Offense versus defense. Civilian versus military. Foreign versus domestic. We need to clear up overlap and formalize the chain of command. We can’t allow the nebulous morass of pre-Sept. 11 intelligence-sharing to repeat itself in cyberspace.

Second: private-sector responsibility. The NRF Annex concedes that “the authority of the Federal Government to exert control over activities in cyberspace is limited.” As for how the government should work with private companies in the event of an attack, the document uses phrases such as “information-sharing” and “promote ongoing dialogue.” Imagine if that had been the attitude toward the airline industry after the Sept. 11 attacks. If Mark Zuckerberg’s recent testimony on Capitol Hill taught us anything, it’s that our vaunted tech giants can be rewired to turn against us. Not only do American corporations need to be dragged kicking and screaming to help protect the country that protects them, but every other U.S. company, large and small, needs to bear some responsibility for its own security. A new cyber doctrine should delineate an unquestionable line between public assistance and private-sector self-defense. If not, government resources will be too exhausted chasing the little attacks to respond to the big one.

Third: personal responsibility. No defense strategy is complete without the participation of common citizens. All of us have a role to play, down to my 13-year-old son and all his networked devices. Just as the Greatest Generation trained for air raids and darkened their homes with blackout curtains, we need to do our part. Last month’s alert did have some helpful tips, but, honestly, who read them? And who’s going to take the time to read them when new warnings seem to be coming out all the time? An easily accessible National Cyber Response Framework could outline our individual responsibilities while reducing our collective anxiety. 

It’s great that we’ve finally woken up to the dangers of cyberattacks, and it’s even better that we’re starting to develop defensive tools. Now those tools need to be synchronized under a single plan. Failure to do so leaves us continually vulnerable, and encourages bolder attacks. And when those attacks come, we can’t allow our own chaos to give aid and comfort to the enemy.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
