Defending the nation in cyberspace — a call to action

Our government and industry are under siege from a broad range of cyber threat actors, including highly capable nation-states.

The secretary of the Navy recently released a comprehensive cyber study, which determined not only that the Navy is ill-suited for cyber conflict but is, in fact, “losing the global cyber-enabled information war.”

{mosads}Unfortunately, this stark assessment shows this is not an isolated problem. According to the report, the industrial base supporting the Navy and other warfighters is likewise rife with holes. Critical contractor systems have been targeted or breached by foreign actors “with impunity.”

To address this, we need a national call to action that brings together our public and private capabilities, our partners together with our allies.

The threat we face is complicated by the fact that, in most cases, private sector companies — including defense contractors — stand on the front lines alone, defending against some of the most capable players. With typical military threats, the government provides for the common defense. Yet, in cyberspace, the private sector defends itself without so much as the most basic access to key government information, simply because the private sector isn’t really viewed as a partner by government. Even worse, when attacks hit, the private sector has no way to call for government help in a timely, meaningful manner, nor does the government have a way to deliver it, even if asked.

Our allies are likewise under siege, as countries such as North Korea, China, Iran and Russia more aggressively test their capabilities in their own neighborhoods before coming up against us.

Defending our networks is further complicated by rapid changes in technology, and the concurrent growth of vulnerabilities and exploitation. Cyber defenses often rely on legacy approaches that are exploitable; while the threat grows in breadth, depth and lethality, we are rapidly falling behind. Relative to those seeking to exploit our systems, our defenders are struggling mightily to keep up. 

There is no obvious reason this ought to be so. After all, we have phenomenal technical capabilities and unbelievable technical innovation occurring every day in this country, innovation that is driving our economic engine. We also live in exponential times; just as new technologies will be critical in helping us beat cancer, providing greater ability and space to learn, hopefully addressing environmental issues and making the world a better place, they also come with increased vulnerabilities.

Nonetheless, we ought to be able to confront these threats head-on and win.

As the director of the National Security Agency (NSA), commander of U.S. Cyber Command, and a senior official in the Justice Department’s National Security Division and in the White House, we witnessed the evolution of cyber threats, from a principal focus on criminal activity to becoming a key element of national power.  

In 2007, Russian hackers attacked Estonia, in response to what Russia saw as political provocation. The attack significantly impacted Estonia’s ability to operate on the network; yet, today, Estonia is one of the most wired — and best defended — nations in the world.  

In 2008, Russian hackers attacked Georgia’s government, news outlets and financial sector, causing the National Bank of Georgia to suspend electronic services; most of the attacks were timed as Russian soldiers crossed the border into South Ossetia.  

In 2012, Iran attacked Saudi Arabia’s Aramco, and then conducted distributed denial of service (DDOS) attacks against the U.S. financial sector, responding to sanctions levied by the U.S. and our allies.  

{mossecondads}Russia since has used its cyber capabilities to attack Ukraine’s electric grid and financial sector, including the NotPetya attack, which caused an estimated $10 billion in damage worldwide and massive collateral damage at U.S. and Western companies such as Merck, Mondolez and Maersk. Russia also has used cyberspace to conduct information operations and to spread disinformation impacting elections across the globe, including the 2016 U.S. presidential election.  

And then there is the massive, decade-long transfer of wealth from the United States and allied nations by highly effective Chinese intellectual-property (IP) thefts, or the malign online activities of North Korea, just to name a few.

Looking at these threats, it is easy to be overwhelmed and assume there’s no option but to simply “name and shame” — or sanction — our enemies into submission. Indeed, that largely has been our policy for the better part of a decade. It hasn’t worked.  

There are, however, positive signs.

On the government side, in recent months, there are reports of a more aggressive posture being taken by U.S. Cyber Command. In our view, this is a step in the right direction. After all, one can’t practice deterrence without threatening — and being willing — to use force when redlines are crossed. 

On the defensive side, too, we see many opportunities to fix the problems we’ve long known about. It is simply naïve to think those who wish us harm will not use cyber capabilities to hurt our nation and economy, whether by conducting deliberate, destructive attacks or by stealing our IP or national-security secrets. Indeed, today, there are fundamentally two types of companies in our economy: those that have been hacked and know it, and those that have been hacked but just don’t know it yet. What this really tells us is that our core approach to cyber defense is fundamentally broken.   

Private-sector companies essentially are left to defend themselves, trying to stop the malware we know about and hoping to detect new or modified malware as quickly as possible, to stop evolving attacks by nation-states. Hope, of course, is not a stable or sensible course of action and we know it doesn’t work: The average time to detect malware in a network is 78 days, while the average time it takes a hacker to get in ranges from seconds to minutes (with full rights typically being secured in days).  

What all this means is that companies being hacked cannot call for help in time to save themselves. That was the case with North Korea’s attack on Sony Pictures, and in just about every major attack we’ve seen. This means company data get destroyed or stolen — and then we find out, after it’s too late. It’s not because we don’t have good people working these issues, it’s because our current strategy and approach simply aren’t working.

As we seek to get back to the notion of providing for the common defense in cyberspace, there are a number of key things we might do.

First, and most fundamentally, we must create a common base of knowledge where the public and private sectors see the full scope of threats targeting our nation. We must share information about all of these potential threats at scale and at speed, first within the private sector, as well as between industry and government. The government likewise must share all it knows with the private sector — including from highly sensitive sources and methods — to give the private sector a leg up. And we must build interoperable systems and practice using them, to prepare for the inevitable day when the cyber balloon goes up.

What all of these efforts are aimed at — within the United States, as well as with our allies — is the creation of a fundamentally more robust, collective defense system, one that can operate in real-time, at the speed of cyber threats.  

Over the next few months, we’ll work with The Hill to publish a series of short op-eds focusing on these matters. We hope to engage in a conversation with thought leaders and policymakers who read The Hill, and welcome their thoughts as we press forward with this crucial effort. 

Gen. Keith Alexander retired in 2014 as a four-star general of the U.S. Army. He directed the National Security Agency (2005-2014), was the first commander of the U.S. Cyber Command (2010-2014), and served on President Obama’s Commission on Enhancing National Cybersecurity. He is founder, president and co-CEO of IronNet Cybersecurity, which provides cybersecurity services to the private sector. Follow on Twitter @IronNetCyber.

 Jamil N. Jaffer is vice president of strategy and partnerships at IronNet Cybersecurity, the founder and executive director of George Mason University’s National Security Institute, and a visiting fellow at the Hoover Institution. He previously served in a variety of national security roles in federal government and worked on President George W. Bush’s Comprehensive National Cybersecurity Initiative. Follow him on Twitter @jamil_n_jaffer.