An epidemic of cyberattacks against the American government, citizens and businesses has raged for years, but experts say the U.S. government has been slow to respond, while remaining skeptical that proposed solutions would be effective in stopping international cyberthreats.
The only major cybersecurity law passed during the past decade was the Cybersecurity Information Sharing Act of 2015, which created rules encouraging the private sector to share information about cyberattacks with the government, but did not make disclosure mandatory.
Jim Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, told MarketWatch that congressional gridlock kept the Obama administration from passing a bipartisan law that would enable the federal government to require private companies to report cyberattacks.
“The idea of regulation used to be that you couldn’t bring it up,” he said. “The Chamber of Commerce and everyone else lined up to explain why it was bad. At the end of the day, Mitch McConnell decided that he didn’t want to regulate,” referring to the then-Republican Senate majority leader from Kentucky. During the Trump administration, “we pretty much sat out the last four years, it’s painful to say that, but that’s how it is,” he added.
President Joe Biden’s administration, however, is attempting to make up for lost time with an executive order signed in May that would beef up U.S. government cybersecurity defenses and leverage the power of the federal procurement process to raise the security of software products.
“There has really been a missed opportunity to use federal procurement to drive a secure market,” Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, said during a virtual conference at CSIS last month.
She added that the government is developing software standards that private providers must meet in order to sell to the government, under the theory that higher-quality software would become the industry standard, given the vast amount of software the government purchases annually. Neuberger argued that it wouldn’t be cost-effective for software providers to offer two products: a superior one to the government and a substandard one to the private sector.
“When you’re building software in a world where you have sophisticated nation-state attackers constantly hunting for vulnerabilities in that software, build it in more secure ways,” Neuberger said.
Following last year’s SolarWinds attack, which went unnoticed for months and threatened 18,000 companies and government agencies, and the Colonial Pipeline hack that led to widespread gasoline shortages in the U.S. Northeast, there finally seems to be an appetite for bipartisan legislation that would enable better oversight of critical infrastructure, according to Mark Gamis, a senior vice president at Booz Allen Hamilton who advises federal clients on cyber operations.
He pointed to reports of a proposal drafted by Democratic Sen. Mark Warner of Virginia and Republican senators Marco Rubio of Florida and Susan Collins of Maine that would require federal contractors and owners of critical infrastructure to report cyber incidents to federal authorities within 24 hours.
“That’s important because the federal government has tremendous resources to bring to bear to help out with an incident, and in any sort of emergent situation, time is of the essence,” he said, adding that the bipartisan nature of the bill indicates the GOP is now ready to get on board with mandatory reporting.
Cybersecurity advocates have long argued that greater collaboration between government and business is essential to mitigate the effects of cybercrime.
“Governments and companies have different sources of information, insight and intelligence,” wrote Paul Me, a lead partner for Cyber Risk at the consultancy Oliver Wyman, in an op-ed for the World Economic Forum. “Pooling them in a timely manner will create a clearer and more current picture of cyberthreats.”
CSIS’ Jim Lewis warned, however, that at its core the problem must be viewed through the lens of geopolitics, because the most sophisticated cyberattacks largely come from state actors or criminal groups in adversarial nations, including China, Iran and Russia. U.S. intelligence officials have said both the SolarWinds and Colonial Pipeline attacks were done by Russian proxies.
“The Russians have a thriving cybercrime market and make billions of dollars a year,” Lewis said. “So why would they give that up, especially because the Kremlin enjoys the U.S. getting hit over the head?”
Lewis said that the Biden-Putin summit earlier this month was a success insofar as Biden set boundaries on acceptable behavior, with the president demanding that 16 critical infrastructure sectors, including energy and water, should be off-limits to cyberattacks. The question of how the U.S. would retaliate following a hack on one of these sectors, however, remains unanswered.
“The Russians have basically said that ‘you have so many sanctions on us, one more won’t make a difference,’” Lewis said, adding that the U.S. must get creative about a cyber-offensive approach to punish adversaries for their behavior, including shutting down cloud computing services that power the Russian internet.
“These are hard issues because the two things that the government needs to do is regulate U.S. companies while engaging with both allies and opponents on the international stage,” Lewis added. “Maybe that’s too much for the government, but if it’s too much in the government, we just need to get used to being whacked.”