Last Friday I warned about the potential for adversary cyber operations against the United States during the coronavirus pandemic. That warning has already come to fruition. News reports indicate that on Sunday computer systems within the Department of Health and Human Services (HHS) were affected by operations designed to slow their service (but not corrupt or exfiltrate sensitive data). No claim of responsibility has been issued, and so far the U.S. government has not identified a culprit.
Whoever conducted the attack likely had the cyber capability to do far more damage and may have conducted this to prove a capability that could be further weaponized if so desired.
In addition to the attack against HHS, there were reports circulating on social media channels and delivered via text messages regarding a full-blown U.S. government-mandated quarantine — likely intended to cause fear, panic and uncertainty in a population already on edge over a crisis unlike any the country has faced in modern memory.
In a rare move, earlier Monday the National Security Council issued an official response via Twitter, indicating that these reports were false, which hopefully will help reassure the public about this particular information.
These two incidents over the last 24 hours demonstrate how adversaries have already attempted, and will likely continue to seek, additional opportunities to conduct similar cyber operations to affect governmental responses to the virus and sow discord and dissent. What the country needs at this time is strong leadership to signal to these adversaries that their efforts will not achieve their desired effects, reassurance that our cyber infrastructure in the government (federal, state and local) and private sector is secure and resilient, and consideration of a range of response options to punish such behavior.
The recently released report by the bipartisan, congressionally mandated Cyberspace Solarium Commission offers one such roadmap to curb the effects and likelihood of such cyber operations. The commission’s full report lays out a series of 80 recommendations to achieve what it calls the concept of “layered cyber deterrence.” In the commission’s executive summary, layered cyber deterrence is explained as combining “. . . enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies. It is a simple framework laying out how we evolve into a hard target, a good ally, and a bad enemy.”
In other words, the commission argues that the United States must further integrate its disparate elements of cyber security – offensive operations, intelligence collection and analysis, defensive measures, private sector collaboration and partnership, information-sharing and technological innovation – into a more comprehensive framework that ensures that the country can deter, detect, react, punish and recover from a range of cyber operations. The notion of deterrence in cyberspace likewise takes on a different meaning than it has in conventional national security doctrine, since the scope, pace and volume of cyberattacks far exceed those associated with other types of operations against the United States. That does not mean, however, that we should have a different standard for which kinds of attacks are acceptable and which are not.
These recent cyber incidents are an example of why incorporating some of the principles outlined in the Cyberspace Solarium Commission report could deter future behavior if we signal our resolve, protect our systems and respond swiftly and appropriately. Our adversaries will be watching our response.
Javed Ali is a Towsley Policymaker in Residence at the University of Michigan’s Gerald R. Ford School of Public Policy and has over 20 years of professional experience in Washington, D.C. on national security issues, including senior roles at the Federal Bureau of Investigation, Office of the Director of National Intelligence and National Security Council.