Stavridis Warns of Russia and China Cyber Attacks
Potential adversaries target energy and finance as they seek to undermine the United States.
The United States is woefully underprepared to protect cyberspace against the worst-case scenarios threatening the country, says the former supreme allied commander of NATO. Adm. James Stavridis, USN (Ret.), operating executive for the Carlyle Group, warns that long-term solutions must be paired with near-term actions to prevent a host of cyber threats from crippling the United States militarily and economically.
The admiral cites two key threats facing the country, particularly its defense industrial infrastructure. One is “the cyber capability that is embedded in Russia and China,” he states. The return of great power competition is manifesting itself in a variety of venues, but these two countries possess powerful offensive cyber capabilities.
“We ought to be very concerned in particular about our electric grid and our financial system, both of which are targets of China and Russia,” he declares.
The second threat is the vulnerability of data. Adm. Stavridis maintains that data is still highly at risk, and better means of encryption must be developed. Otherwise, that data—which will be the essential driver for artificial intelligence and machine learning—is in danger. This effort must include preparing for the onset of quantum computing and what it means for securing data.
“In cyber, and cybersecurity, we have the greatest mismatch between level of threat and level of preparation,” Adm. Stavridis declares. He continues that the United States is fairly well-prepared to deal with all the other items it is concerned about: Russia, China, the resurgence of great power competition, Iran, North Korea and pandemics. But in cyber, the country is far less prepared.
Traditional firewalls between the military and civilian society have crumbled in cyberspace, and the growing threat there poses a significant danger in both areas, he says. The solution probably involves standardized measures applied across cyberspace, along with coordinated efforts at all levels of government and industry.
“Cyber has a relentlessly expanding threat surface—because of the Internet of Things, because of so many different devices popping online every single second,” he continues. Some estimates suggest that 25 billion devices already are on the Internet, and that number will continue to grow dramatically. Society today, particularly its economic activities, is intermingled with the defense threat through this cyber connectivity, he adds.
The defense industrial base is one such example. Many of its technologies are dual-use with presences in both the civilian and military sectors, the admiral points out. The cyber threat directed through commercial and civilian surfaces can reach into the defense industrial base, the center of which hosts the core fundamentals of national security. With the defense industrial base at risk, the nation’s defense is significantly at risk, he adds.
The U.S. Defense Department is working to develop Cybersecurity Maturity Model Certification (CMMC), which will be implemented in stages over a five-year timeframe. Adm. Stavridis offers that a set of basic standards can be implemented early to enable metrically proven approaches ranging from defense against phishing attacks to rapid application of patches. Many of these capabilities already are active in some places, but they need to be standardized across the entire defense industrial base, he says.
This becomes even more essential given the thrust by the Defense Department to attract more small businesses with innovative solutions. Adm. Stavridis advocates that the government provide more support and resources to help small businesses that are vulnerable to cyber attacks. “At some level, government has to be helpful,” he says. This includes state and local governments, which have a high degree of economic incentive to keep their small businesses growing locally.
One significant vulnerability is the interface between information technology and operational technology. Companies and organizations are plagued by this difficulty, the admiral notes, and the solution may be more cultural than technological. “You have to pierce the veil. You have to have your [information technology] folks embedded with—and co-located with—elements of the operational technology side,” he offers.
Another point to be remedied is that operational technology always has been represented in “the C-suite,” but that often is not the case with the information technology side. The chief information security officer should be placed in a peer relationship with the chief operating officer. “Having someone at the highest level who functions as an advocate for the information technology side is very important,” Adm. Stavridis states.
Adm. James Stavridis is a board member of the cybersecurity firm Preveil.