June 26, 2024 | CyberScoop

Protecting America’s cybersecurity demands showing our teeth

Deterring U.S. adversaries from attacking American infrastructure requires making clear that the United States can strike back in kind.
June 26, 2024 | CyberScoop

Protecting America’s cybersecurity demands showing our teeth

Deterring U.S. adversaries from attacking American infrastructure requires making clear that the United States can strike back in kind.

A poisoned Potomac River flowing through Washington, D.C. Drones crashing into public buildings. Railways being weaponized. When the Cyberspace Solarium Commission released our initial recommendations in March 2020, we listed these fictional dangers to our nation’s grid and infrastructure from a cyberattack.

Four years later, we’ve averted those specific fictions from becoming reality, but our nation remains far too vulnerable to adversaries hacking our most critical infrastructure. Although our global foes have so far only compromised our country’s communication, energy, health care, transportation and water sectors on smaller, local scales, a larger attack may be looming.

Alongside our fellow commissioners, we have long decried the escalation of cyber hostilities on our free markets, on our system of governance, and on our health and welfare. We have not been shy in calling this threat existential. It’s well past time for us to boost our nation’s cybersecurity — both from a defensive position, but also with a visible, muscular deterrence.   

Where do we go from here? Certainly, we need more defense. The U.S. government must fill the thousands of open cybersecurity billets and modernize vulnerable legacy computer systems. The companies that build and maintain the software and hardware that power our economy must be obligated to ensure the security of their creations. At the individual level, we must do what we can to safeguard our digital security.

Stronger cybersecurity alone, however, cannot ensure our safety. We are being attacked; we will continue to be attacked; some of those attacks will be successful; successful attacks will inflict physical and economic hardship on the American people. 

As a country, we must prepare and practice responding, recovering and reconstituting, if and when we are struck. This is why we supported the successful inclusion of Section 1517 in last year’s National Defense Authorization Act that tests the cyber resiliency and reconstitution of critical infrastructure that supports military installations. In the event of an overseas conflict, the adversary would likely attack the electricity, water and telecommunications surrounding U.S. military bases. Once those critical services are brought down, the military would have a hard time deploying to even get into the fight.

Further downstream, we need to show that our citizens won’t give in to extortion from bad actors — be they individuals or nation-states. That means we — you, me, and our neighbor down the street — need to be prepared for an attack on our critical infrastructure. We support civilian preparedness training and other measures so that Americans are equipped for whatever foes hit us with.

But we are living in a fantasy if we think that we can protect ourselves and our country through defensive actions alone.

We must face up to the hard truth that we must embark on a radically different way to deal with adversaries within cyberspace. If we want Beijing or Moscow or Tehran to stop building their weapons into our infrastructure, we can’t rely on asking nicely. Rather than more words, we must show the world that continuing to mine our water and power systems will yield a painful response. 

In other words, we need our cyber warfighters to emerge from the shadows and bare their teeth. Because the essence of deterrence is ensuring the adversary is scared. And they only become scared if they believe that we have both the capability and will to hold them in harm’s way as they now hold us.

Unfortunately, neither the Chinese Communist Party nor the Russian military seem filled with existential dread that their own critical infrastructure might be compromised. In fact, they may not care at all if their populations are put in peril as long as the elites are secure. We need to think broadly and boldly about making the world aware of our capability to do serious damage if we are attacked.

It won’t be easy showcasing this offensive cyber capability. We may need a good bit of “strategic declassification” of our offensive cyber capabilities. We may need to take more public credit for offensive operations that our incredible government cyber defenders are currently doing around the world. Smarter people than us will have to figure out how to make our cyber deterrence not only visible but palpable.

Deterrence is about making sure your adversary is afraid of what you might do to them. It must be scary for them. And, to be honest, it will be scary for us, as we contemplate the risk that our effort to deter will lead to escalation. But signaling that we will avoid conflict at all costs will never inspire fear from our adversaries. Russia, China, Iran and others have demonstrated they can strangle our economic and security lifelines.

It is past time we demonstrated that we are ready, willing, and able to return the favor.

Sen. Angus King, I-Maine, serves on the Senate Armed Services Committee as well as the Senate Select Committee on Intelligence. He served as the co-chair of the Cyberspace Solarium Commission, which has seen over 80 of its cybersecurity recommendations enacted into law. Samantha F. Ravich, Ph.D., was a commissioner on the Cyberspace Solarium Commission. She is also the chair of the Center for Cyber and Technology Innovation at the Foundation for the Defense of Democracies.

Issues:

Cyber U.S. Defense Policy and Strategy