January 27, 2021 | The Washington Times

Apocalypse Next

Planning for the day after a catastrophic cyberattack

With a little imagination, the attacks of Sept. 11, 2001 might have been prevented. Islamist suicide terrorists had used cars, trucks, and boats to deliver bombs. Why not jet planes? The proper authorities could have taken precautions. But they didn’t.

With a little imagination, the pandemic that originated in China in 2019 might not have been so devastating. The Spanish flu killed millions in 1918. Wasn’t a similar outbreak likely within a century or so – either due to natural causes, carelessness, or mischief? The proper authorities could have stocked adequate supplies of personal protective equipment, and formulated plans to mitigate the economic damage that such a health crisis would ignite. But they didn’t.

What new storms are visible on the horizon? We’ve had decades of hacking by foreign intelligence agencies. A recent massive breach was accomplished through the infection of software distributed to a list of U.S. government agencies and major corporations by SolarWinds, a private firm. So, what should the proper authorities now be imagining?

How about the possibility that Russia (prime suspect in the SolarWinds hack), China, the Islamic Republic of Iran, or North Korea (all of which have carried out multiple and seriously damaging breaches in the past) might wage full-out cyberwar?

What that would mean: attacks intended to shut down financial systems, electricity, water supplies, transportation, communications – perhaps even the entire U.S. economy. Should that happen, what’s the plan?

Good news: The proper authorities now at least have a way to put one into action. The National Defense Authorization Act (NDAA) that became law on January 1 includes 25 legislative measures recommended to Congress by the Cyberspace Solarium Commission (CSC), a bipartisan panel established two years ago to develop a “strategic approach to defending America in cyberspace against cyberattacks of significant consequences.”

You may be wondering about the commission’s odd name. On the top floor of the White House is a solarium in which President Eisenhower and several of his top advisors secretly discussed how to defend against the Soviet Union whose World War II alliance with the U.S. had abruptly ended, and which had exploded an atomic bomb in 1949.

An additional question they pondered: If all else fails, and there should be a nuclear attack against America, what would happen “the day after”? What would be necessary to keep the government functioning? In 1953, Project Solarium produced a policy paper that became a key component of America’s national security strategy for the Cold War, a conflict that appeared endless and, indeed, would continue for decades.

The Cyber Solarium Commission, co-chaired by Sen. Angus King and Rep. Mike Gallagher, was tasked by Congress with developing policies that can lead to capabilities to prevent cyberattacks – or at least diminish their impact.

Of course, even the best-laid plans often go awry. And just getting the government up and running again, though vital, would be insufficient in this cyber-connected-and-dependent age. With that in mind, Samantha Ravich, a CSC commissioner, and scholar at the Foundation for Defense of Democracies (FDD), introduced a concept she called Continuity of the Economy (COTE): the development of policies to speed economic recovery following a cataclysmic cyberattack.

What that would require, she wrote in a 2019 Defense One article, is that the proper authorities be in possession of a detailed plan to restore both government operations and priority private-sector functions. To achieve that, in turn, it will be necessary to determine in advance what “seed data” must be “preserved in a protected and verified format, with a process to assure no corruption or manipulation.”

In addition, mechanisms must be devised to revive “functional interaction among specific infrastructure sectors – how electricity supports telecommunications, which supports transportation, which supports oil and gas, which feeds the electricity grid, etc. – and how these interactions directly support key functions of the economy.”

She emphasized: “COTE must be created before the lights go out. Not the day after.”

Having such a plan in place, Sen. King and Rep. Gallagher note in a letter, may even deter adversaries by sending a message “that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.”

That said, effective deterrence is a process, not a posture. Those who see themselves as our enemies will respond, adapt, and innovate in pursuit of superior offensive cyber capabilities. They will probe for our weaknesses, for ways to damage and diminish us. Additional thinking and planning is essential. Prudently, the NDAA extends the CSC’s mandate for two more years.

What’s critical right now is for President Biden to prioritize this threat. In particular, he should quickly nominate someone highly skilled as National Cyber Director. That official will have the authority to staff an office that can bring to bear the combined resources of the federal government and the private sector to implement a new and improved cybersecurity strategy based on the recommendations in the 2021 NDAA.

Mr. Biden is lucky. He has inherited a serious tool with which to make Americans safer. We’ll soon learn whether he has the imagination to make good use of it.

Clifford D. May is founder and president of the Foundation for Defense of Democracies (FDD) and a columnist for the Washington Times. Follow him on Twitter @CliffordDMay. FDD is a nonpartisan think tank focused on foreign policy and national security issues.
