Taking the Fight to U.S. Adversaries With an Offensive Cyber Strategy

The United States has the resources needed to avert cyber attacks and improve the nation’s cyber stance by going on the offensive.
By Tom Guarente, vice president, External & Government Affairs, Armis

Cybersecurity has moved from an information technology (IT)-level discussion to a boardroom-level and now a kitchen table discussion.

Our world is changing, and the more connected we become to our environments, the more vulnerable we are as individuals, agencies and subsequently as a nation. Recent revelations have proven that bad actors and nation states have infiltrated parts of our critical infrastructure, communications systems, and public and private sector organizations. 

President Donald Trump's administration officials have noted that the nation has traditionally played defense when it comes to cybersecurity—a stance that ultimately falls short when the country is continually subject to millions of attacks each day. They are stating that a more aggressive cybersecurity stance is critical and that we have the people and resources within our intelligence and defense sector to do that. If we were attacked militarily by an adversary, we would respond accordingly rather than focusing on why our defenses failed.

This approach has clear support from several Republican senators, who sent a letter to the president and cyber, defense, national security and intelligence cabinet leaders, stating, “We possess the most powerful offensive cyber systems in the world, and when an adversary attacks our people, government and critical infrastructure, there must be an appropriate response.”

The administration will continue to face cyber attacks against the nation that are growing in size, frequency and complexity. Government leaders must establish clear lines of demarcation and responsibilities for cyber offensive operations between agencies to ensure harmonization between policies and the activities of various agencies. This alignment and focus would enhance the country’s cybersecurity posture away from one that merely plays defense. 

For example, the United States has not mapped out clear “red lines” to tell our adversaries that specific types of actions, such as a cyber attack impacting critical infrastructure elements like our electric grid, will immediately trigger a retaliatory response.

We are already seeing a proliferation of smaller incursions, particularly from China, that could be activated later to take down key components of U.S. critical infrastructure or even result in bodily harm. Establishing clear red lines would serve as a deterrent.

U.S. Cyber Command should collaborate with agencies to define the lines of demarcation. The command could work with the Transportation Security Administration, for instance, to determine the lines of demarcation for attacks against U.S. transportation infrastructure or with the Environmental Protection Agency regarding attacks on water supplies.

So many incredibly talented individuals, agencies and mechanisms operate within the federal government that there tends to be overlap between areas of responsibility. That creates confusion around compliance with directives that come from the White House, the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency and other oversight organizations. An offensive cybersecurity posture requires consistent guidelines, regulations and directives across the entire federal government that can then cascade down to state and local government.

Harmonization must be enabled by Congress, and recent bipartisan legislation reflects this priority. Senate Bill 4630, the Streamlining Federal Cybersecurity Regulations Act, introduced in the last Congress, included provisions to address areas of responsibility and where the government could harmonize its roles.

Harmonization would also help the private sector develop the best tools to address gaps and concerns for offensive cybersecurity tools across the federal government. Without harmonization, the solutions developed by private companies tend to be narrower and consequently may have a more limited impact.

A move to a more proactive strategy would require users to have access to the appropriate intelligence to determine if an offensive action is warranted. Further, this intelligence should be based on the most accurate and up-to-date threat data.

In the event of a cyber attack by an adversary, the military and other agencies will have to do more than just assess the technical fallout of the attack. This will require improving the level of visibility and threat intelligence available to government officials so they can appropriately initiate offensive cyber operations. 

That means government cyber teams must, to the extent possible, understand the government environments and the impacts attackers’ tools, techniques and processes would have on those environments. 
By understanding vulnerabilities and their potential impact, we can better determine what the most appropriate response should be. From there, we can begin to adopt a more offensive approach and take the necessary action to prevent further attacks. 

The private sector can play a role as well, helping federal agencies respond by providing advanced tools and human resources but with legal protections and guarantees of some level of anonymity to ensure businesses do not suffer as a result of their assistance with these offensive activities.

The United States has an opportunity to rethink its approach to cybersecurity. But first, we need a comprehensive understanding of the environments and systems deployed at government agencies and the levels of risk they present. Once we have this intelligence in hand, we’ll be positioned to proactively oppose our adversaries. Let’s not rely on legacy models, contracts and skill sets. We can act today to prepare for a more secure tomorrow.
