Guest Essay

I’ve Dealt With Foreign Cyberattacks. America Isn’t Ready for What’s Coming.

A Facebook data center in Prineville, Ore.
Credit...Kim Steele for The New York Times

Gerstell is a senior adviser at the Center for Strategic and International Studies and the former general counsel of the National Security Agency and Central Security Service.

As Russian missiles rain on Ukraine, there’s another battle brewing — in the cybersphere. Destructive malware has flooded hundreds of Ukrainian websites and computers since Vladimir Putin announced his invasion. It would be a mistake to assume such attacks will remain limited to Ukrainian targets.

Last week President Biden warned Mr. Putin against Russian cyberattacks on the United States’ critical infrastructure. But American businesses aren’t ready for a war in cyberspace. Although Mr. Biden designated the Department of Homeland Security to lead what he vowed would be a forceful response to any such aggression, this isn’t enough. The D.H.S. doesn’t have the legal authority to order the private sector to follow its lead. More broadly, the federal government, even if warned by companies like Microsoft of incoming cyberattacks, doesn’t have the necessary infrastructure in place to protect American businesses from many of these attacks.

That the United States has to resort to threats of retaliation is itself a problem. America should already be cyberattack-proof, but coordinating these efforts across the country has been an uphill battle.

As the former general counsel of the National Security Agency, I witnessed daily the scope and sophistication of such maliciousness from Russia, China, Iran and North Korea. All of them leverage the various sectors of power at their disposal — including commercial and state-owned enterprises as well as spy agencies — to come out against U.S. businesses and citizens in full force.

Yet the United States lacks an organized response. The weekly reports of ransomware attacks and data breaches make it clear that we’re losing this battle. That’s why America’s leaders must rethink the current cyberdefense system and rally around a centralized regulator to defend both citizens and the private sector against current and future attacks.

The decentralized nature of the American government does not lend itself to fighting foreign cyberthreats. Government agencies handle cyberregulation and threats in the sectors they oversee — an inefficient and ineffective way to address an issue that cuts across our entire economy. In just the past few months, the D.H.S.’s Transportation Security Agency announced new cybersecurity requirements for pipelines and railroads; the Federal Communications Commission put out its own proposal for telecommunication companies; the Securities and Exchange Commission voted on rules for investment advisers and funds; and the Federal Trade Commission threatened to legally pursue companies that fail to fix a newly detected software vulnerability found in many business applications. And on Capitol Hill, there are approximately 80 committees and subcommittees that claim jurisdiction over various aspects of cyberregulation.

These scattered efforts are unlikely to reduce, let alone stop, cybercrime.

Echoing a number of expert studies, our first national cyber director says that the United States needs a fresh approach that “meaningfully alters the relationship between public and private sectors.” But social and bureaucratic inertia, industry resistance and partisan divisions have stood in the way of centralizing cyberdefense efforts and regulations. At a recent congressional hearing, several industry representatives and Republican members of Congress objected to stricter requirements for notification of breaches. It’s time to move past partisanship and standard objections to regulation.

From a private-sector perspective, the case for a centralized effort makes sense as well. Almost every industry runs its computers on one of three operating systems: Windows, macOS and Linux. In many cases, they also use the same business software — a defense contractor’s payroll system isn’t much different from a pharmacy’s. That means vulnerabilities are similar across industries, and will therefore require similar solutions. A centralized government response center, then, makes sense. Getting information about hacks and vulnerabilities flowing quickly and effectively between the government and the private sector — as a central agency would — is essential to stopping cyberattacks before they spread too far. And such an agency would help standardize security products and services, which in turn would reduce the overall burden on businesses by lowering costs.

The overarching goal for a central cyberregulator would be to have standards uniformly applied, yet specifically tailored where necessary to the needs of a particular sector. I’m not envisioning a rigid one-size-fits-all policy, but it should be possible to design cross-industry regulation effective enough to safeguard the public without crimping innovation.