President Biden’s proposed infrastructure package does not address one key area: our nation’s digital infrastructure. Virtually everything we do in our daily lives is enabled by the technologies that surround us. That has become even more clear over the last year, as the pandemic has caused a tectonic shift toward full-fledged digital and remote school, work, entertainment, worship and commerce.
Foreign adversaries and criminals alike are also able to harness the power of the internet to harvest sensitive personal information, conduct espionage, steal intellectual property, or lock up critical systems in our communities. Ransomware attacks against small businesses and state and local governments increased exponentially over the last three years, with billions of dollars lost. Moving forward, it’s all but certain that we’ll see a cybercrime spree across our communities that makes the last few years pale in comparison. Ransomware is a business, and business is good.
These aren’t theoretical problems; just look back at the cyber events of the last five years.
2016’s greatest hits include Russian efforts to interfere with the U.S. election, capped off with Moscow shutting down the Ukrainian power grid.
The North Koreans followed in 2017 with WannaCry; the Russians, not to be outdone, launched a similar attack the next month, dubbed NotPetya, likely the costliest cyber-attack in history, decimating networks across the world, including shipping titan Maersk.
2018 is the year that ransomware fully entered the global stage, with Atlanta, Baltimore, Charlotte, counties in Texas and parishes in Louisiana and others locked up, in part enabled by cryptocurrency and the ability of criminals to extort ransoms from victims from the other side of the planet.
China crowned 2019 with its CloudHopper campaign, where Chinese thieves compromised managed service providers (MSPs) with trusted access to hundreds of customers across the world.
In 2020, we saw the year of big vulnerabilities and even bigger hacks. Russian, Iranian, North Korean and Chinese cyber actors and cybercriminals quickly exploited newly discovered vulnerabilities in thousands of networks (that some organizations failed to patch), sending government and private sector incident responders to every corner of this country to shut down attacks.
It’s clear that we’re in the midst of a new normal of cyber-enabled malicious activity. The status quo costs American businesses and government agencies hundreds of billions of dollars a year in lost productivity, fraud, and disrupted operations.
We need a new approach.
Our first order of business should be to make the underlying systems more secure and easier to defend. The promised Federal Cybersecurity Executive Order out of the White House should include requirements for more secure software development processes, eradication of legacy products, and more transparency in the supply chain of software products. While the EO will only apply to Federal Government procurement, there will no doubt be a trickle-down effect to the rest of the economy.
State and local governments and small businesses, which are constantly at risk, cannot afford the more modern systems and support necessary to manage that risk. This troubling divide between the digital haves and have-nots has become more stark over the last year. COVID-19 has impacted the way countless businesses operate, with many suspending or dramatically altering in-person services or shifting to remote work entirely. Those still using decade-old technology, more often than not our nation’s small and medium-sized businesses, as well as state and local government agencies, have stumbled in this new normal.
Making matters worse, this risk mitigation gap will grow in the next few years as already cash-strapped agencies may not be able to join the digital transformation because COVID decimated tax revenues. Against that backdrop, the latest attacks could not come at a worse time: It’s like throwing these organizations an anchor when they’re already drowning.
Now is the time for Congress to act to protect the cybersecurity of our local communities. Congress needs to pass a comprehensive digital infrastructure investment bill that authorizes and funds grants to state and local agencies to modernize their technology platforms and obtain the support they need to manage those systems, and safeguard against cyber attacks like ransomware. They need scalable support to identify and mitigate vulnerabilities, patch systems and respond to incidents as they arise. Investment in local digital infrastructure will drive more investment in U.S. technology companies, provide high-tech jobs at the local level, improve citizen services like elections and business filings, and ramp up cyber defenses.
Modernizing state and local IT systems is not just good government — it’s a national security imperative. Investment and support of state and local cyber infrastructure is an investment in our democracy, our judicial system, law enforcement, and the privacy and security of our citizens. Our adversaries allow cybercriminals and their own state-supported hackers to operate from their own sovereign territory, disrupting citizen services and stealing money and intellectual property from U.S. governments and businesses alike. It’s time to step up and provide our non-federal partners with the resources they need to effectively defend themselves.
Christopher Krebs was director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from November 2018 to November 2020. He now is a partner at Krebs Stamos Group and a senior cyber fellow at the Aspen Institute. He previously was a senior counselor to the Homeland Security secretary, was assistant secretary for infrastructure protection and under secretary of Homeland Security, and worked as cybersecurity policy director for Microsoft.
Matthew Masterson served as Senior Cybersecurity Advisor at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), focused on election security issues; previously he served as a commissioner at the Election Assistance Commission. He is now a non-resident policy fellow with the Stanford Internet Observatory.