Pages

16 February 2021

Does the U.S. Need a Cyberdefense Czar?

By Kara Swisher

But that happened this week when Senators Mark Warner, a Democrat, and Marco Rubio, a Republican — the two leaders of the Intelligence Committee — issued a joint statement calling the United States response to the recent huge breach of government and corporate networks by Russians “disjointed and disorganized.”

They are right.

The cyberattack was discovered in December in the midst of the political crisis around former President Donald Trump’s unwillingness to accept the election results. Hackers working for Russia’s S.V.R. intelligence agency had slipped malware into the code of the widely used SolarWinds software. Once the company sent out updates to users, the hack burrowed deeply into places like the Departments of Defense, State and Justice, as well as big tech companies like FireEye and Microsoft.

Noting that the “federal government’s response so far has lacked the leadership and coordination warranted by a significant cyberevent” and that “we have little confidence we are on the shortest path to recovery,” Mr. Warner and Mr. Rubio suggested that President Biden create a single high-level position to deal with this cyberthreat. The senators said the new position should have “the authority to coordinate the response, set priorities, and direct resources to where they are needed.”

The National Security Council issued a statement in response, which the administration underscored on Wednesday, saying that the well-regarded cybersecurity expert Anne Neuberger was recently named deputy national security adviser for cyber and emerging technology — and she’s been tasked with the job of cleaning up the SolarWinds mess.

But the idea of creating a permanent cyberdefense position with broader authority should be considered. In fact, several smart observers of cyberpolicy have made the same suggestion to me recently. The U.S. defenses in place to ferret out near-constant cyberattacks — which come from domestic and foreign sources, in a variety of malevolent flavors — are hopelessly siloed, in ways that make it difficult to fight off the barrage.

It was a point well illustrated by the size of the group that Mr. Warner and Mr. Rubio sent the missive to. On the list were: the F.B.I. director, Christopher Wray; the director of national intelligence, Avril Haines; the National Security Agency director, Gen. Paul Nakasone; and the Cybersecurity and Infrastructure Security Agency acting director, Brandon Wales, who replaced Chris Krebs after he was fired by Mr. Trump for telling the truth about the election results.

While Mr. Krebs did a good job helping to protect the election, he and others missed the SolarWinds data breach, and its damage is still being assessed (the hack gave the attackers access to some 18,000 entities). The goal of the attack appears to have been simple espionage by the Russians: to glean information and maintain constant access to various networks.

That’s the vanilla of hacking, really. There are lots of other hackers out there, including many at home and in China and other nations. And there are more elaborate and dangerous threats, including ransomware attacks — in which hackers encrypt critical internal information and hold it hostage until a payment is made — on places like hospitals and, perhaps most dire of all, malicious interference in critical infrastructure.

We saw such an attack last week with a hack aimed at poisoning the water system in Tampa. Fla.

“It started with a cursor moving on its own, sliding across a computer screen at the water treatment plant in Oldsmar, Fla. Someone had taken remote control of a plant operator’s machine — and in just a few minutes, they increased the level of sodium hydroxide in the city’s drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system,” NPR reported.

The Times reporter Nicole Perlroth, author of a new book about the cyberarms race with the ominous title “This Is How They Tell Me the World Ends,” predicted such an attack, and worse, in a recent interview with me. Her thinking: While we are good on cyberoffense, our cyberdefenses have been considerably weaker, made more vulnerable because we have the most to steal.

And while we Americans rule the world from a physical military perspective, having aced countries like Russia in the Cold War, our competitors and foes have been able to level the playing field in the digital arena. It makes sense: If you can’t beat them, purloin them (and their data).

While Ms. Perlroth’s book points the finger at a number of strategic errors the United States has made over the decades — including enabling a gray market in cyberweapons and the use of such destructive tools by the United States (remember Stuxnet? — well, you should) — she said to me that Washington has lacked a good deterrent strategy, adding that “the problem is we’ve over-tilted on finding other people’s secrets without protecting our own.”

How best to do that will be a big debate in Washington over the next year, as the Biden administration tries to clean up the SolarWinds debacle.

Is new legislation needed to require more interagency coordination in response to attacks that are both domestic and global? Should companies be compelled to report cyberattacks against them, if only discreetly, to government agencies? And do we need a single person, or possibly an agency, to deal with all of our cybersecurity problems, which will only get worse as we become even more jacked into the system, or is that both too creepy and potentially threatening to the privacy of American citizens?

I have no good answers.

In Mr. Trump’s impeachment trial this week the Senate is addressing the appalling physical attack on the Capitol by American insurrectionists. Senators are discussing how the perpetrators managed to get in the building and who pushed their hot buttons.

That’s a good thing. But when that’s done, it’ll be long past time to figure out how to stop the enemies of the state who slip in more quietly, with the potential to do even more damage.

No comments:

Post a Comment