- Nation-state cyberattacks are becoming more frequent and severe and the Solarwinds hack attributed to Russia has exposed massive weaknesses in our national defenses.
- Cybersecurity experts are recommending the Biden administration create a new task force, a new cabinet post, new legislation, and new cyber warfare rules of engagement.
- But the U.S. has many existing cyber options within the Cybersecurity and Infrastructure Agency (CISA) that have never been more important to national security, writes Dan Schiappa, chief product officer at Sophos.
Like North Korea's Sony Pictures email hack in 2014 or the Equifax data breach in 2017, the SolarWinds data breach of multiple U.S. federal agencies has again thrust cybersecurity into the spotlight. But it would be a mistake to treat this as a one-off episode. Nation-state cyberattacks are ramping up, not slowing down. Their effects are becoming more destructive, more costly, more widespread — and we still haven't scratched the surface of the kind of havoc these adversaries can really let loose. The United States government is one of the best practitioners of cybersecurity in the world, and yet as SolarWinds shows, if even a single attacker is able to slip through, the consequences can be devastating.
With a new administration in office, now is the time for a major rethink on all things cyber. Arguably the best, most effective, and possibly easiest thing the Biden administration can do on this front? Unleash the cybersecurity talent we already have.
In June 2015, the government's Office of Personnel Management (OPM) announced that it had been breached. The fallout was massive: the personnel records of over 21 million federal employees, contractors, and anyone who had ever received a security clearance were stolen. The culprit was discovered to be the Chinese government, who mined the stolen records to create a database of identities that could be weaponized for spear-phishing attacks.
The OPM breach, like SolarWinds, exposed a massive weakness, and major point of leverage, for nation-state attackers. No matter how robust your outer cyber defenses might be, the best way to infiltrate a target is by hitting them from the inside. That's why supply-chain attacks, as with SolarWinds, are so effective. If you can compromise a contractor working with the federal government, that's a backdoor into government networks that bypasses federal agency defenses. Nation-state attackers have proven adept at this, masking as authenticated users with someone else's identity or utilizing parallel tokens to circumvent two-factor authentication.
The No. 1 national cyber priority
Given this landscape of geopolitical cyberattacks, one that has only intensified during administrations of both parties, how should the Biden administration tackle national cyber policy? A new task force? New legislation? Emphasizing cyber diplomacy and the creation of cyberwarfare rules of engagement? Maybe a new Cabinet role — a National Cybersecurity Coordinator or Secretary of Cybersecurity, perhaps?
These are all sound recommendations, some of which are already being made by Congress. But the first, most important, and maybe easiest thing the Biden administration can do for cyber policy is to let loose the talent already at its disposal.
While stories like SolarWinds may lead some to think the U.S. is woefully behind the rest of the world in cybersecurity, that's simply not the case. For every SolarWinds breach that occurs, there's a thousand that the government has rebuffed. But there's a lot of untapped cyber potential within the people and agencies already in place. The Cybersecurity and Infrastructure Agency (CISA) has never been more important than now, and should be at the forefront of the Biden White House's national security portfolio.
Past administrations have relied on appointed "cyber czars," who are nominally in control of coordinating national cyber policy efforts. But the fact is, these cyber czars have never been given real power, and their appointments are often symbolic gestures, like ticking off boxes on a checklist. The real powers have been imbued more into agencies like the NSA, which have cyber defense and warfare capabilities, but no central vision overseeing them all.
That's where CISA enters the picture. An empowered and prioritized CISA can pull all of these efforts together to create an all-encompassing national cyber strategy. It will take that kind of interagency coordination to ensure coverage of all potential attack surfaces. Imagine, for example, a nation-state cyberattack on our infrastructure — power grids, nuclear plants, hospitals. It's a remarkably easy thing to pull off, and the exact kind of vulnerability that can go unaddressed without having a body like CISA pointing everyone in the right direction.
Agencies like CISA employ a remarkable level of cyber talent who just haven't been given the resources they deserve and need. Part of the reason countries like China and Russia have been such prolific cyber adversaries is because they put real money into their cyber espionage efforts. The Chinese government's army of hackers is allocated a bigger budget than many nations give to their entire military. When you give an army of PhD computer scientists a big budget and a shared vision, their missions are going to be successful. The Biden White House needs to prioritize CISA the same way.
CISA alone can't crack this problem. Leveraging the assistance of private-sector partners, for instance, will remain a huge part of any national cyber strategy. But to put together a comprehensive cyber plan that plans for scenarios from supply-chain attacks to nation-state assaults on U.S. infrastructure, and prepares accordingly, with proper foresight and investment, the White House must invest the necessary resources into agencies like CISA. We do not need another symbolic cyber czar; we already have all the talent we need. Let's unleash them.
—By Dan Schiappa, EVP and chief product officer at Sophos. Schiappa is also chair of the University of Central Florida's Dean's Advisory Board, where he oversees various aspects of the school's elite cybersecurity program. He is also a member of CNBC's Technology Executive Council.