The past few months have brought revelations about two of the most significant foreign hacking operations conducted against the United States government and our private sector in recent memory: the SolarStorm / Holiday Bear hack by the Russian government and the exploitation of the Microsoft Exchange infrastructure by the Chinese government.
Last week, the U.S. government highlighted a "blind spot" in defending our nation in cyberspace. Our adversaries used infrastructure that is based here in the United States. These facts once again demonstrate that as a nation, we simply are not organized, equipped, or trained effectively to take on this mission. More now than ever, as we become even more reliant on our cyber infrastructure in a post-COVID environment, it is critical that the government and the private sector work together to address this significant shortfall. Recent events clearly show that failing to recognize threats we face and take back our home court advantage will result in catastrophic consequences.
In the aftermath of the 9/11 terrorist attacks, Americans learned the importance of connecting the dots when it comes to threats against our nation and its people. Yet today, in the cyber domain, not only can our government not connect the dots, it can't see many of the dots at all. This is a huge problem because you can't defend what you can't see.
This is not to suggest the government should take on the defense of the private sector nor seek to run private sector networks; that would simply be unwise. We must also recognize that our private sector companies—whose primary responsibility is to produce goods and services—are fundamentally overmatched when it comes to defending against nation-state adversaries, particularly given the virtually unlimited resources that they can bring to bear. Solving this problem requires significant changes on both sides of the public and private sector equation.
In a recent op-ed, former Secretary of Defense Bob Gates noted the importance of getting key government agencies like the National Security Agency (NSA) and the Department of Homeland Security (DHS) to work together more effectively, combining their authorities to better defend the nation in the cyber domain. We share his view and believe that such an organizational construct must work seamlessly in peacetime, crisis and war.
Today our government is clearly in crisis mode responding to these major hacks. If we are to get ahead of the problem, it is critical that we get the government's cyber house in order, get civilian and defense agencies working with one another to share threat intelligence and collaborate in real-time, and make sure everyone understands their respective roles.
The next issue is how to set the private sector on a parallel course. While there certainly isn't—and shouldn't be—one person in charge of private sector cyber defense, there is no question that individual companies standing alone—regardless of size—simply can't compete against Russia, China, Iran, or North Korea. As such, it is crucial, as the Cyberspace Solarium Commission recommended last year, that private sector companies work together, across industries, to identify common threats and take action to divide and conquer.
The operational advantage that dozens of companies (much less hundreds or thousands) can achieve by working together—sharing resources, crowdsourcing threat intelligence and empowering their cyber analysts and operators to collaborate in real time—is massive. Likewise, big and small companies in a single supply chain can work together to better protect one another. Such a collective defense approach addresses some of the immediate challenges we face and helps identify new and novel threats as everyone involved can look for potential patterns in identifying the dots, much the same way we do for traffic jams on Waze.
The government can also empower this collaborative private sector defense by rapidly sharing actionable information obtained from its overseas intelligence collection. Just as government successfully collaborated with the private sector to defend the 2018 and 2020 elections, we must do so across the board when it comes to nation-state level cyber threats. The government can incentivize the sharing of anonymized threat intelligence between the government and the private sector by improving the protections for such sharing and opening up who can get the information in the first instance. One step in the right direction would be to build on the Solarium Commission's idea of creating a joint collaborative cyber environment across the public and private sectors.
The White House must ensure that our government agencies have the right authorities and resources to do their jobs and that our adversaries know that there will be real consequences if they come after us in cyberspace. Congress can assist in this effort by working with the White House and pressing it to do more and providing the right kind of protections and tax incentives to promote increased cybersecurity investment by the private sector and encourage collaboration that is critical to keeping our nation safe.
To be sure, these are not small issues to address. To wait for the next major cyber incident before acting would be deeply unwise. We've already seen the damage that can be done in cyberspace, even where sophisticated actors are involved.
The NotPetya attack conducted by Russia against Ukraine in 2017 resulted in over $10 billion of damage worldwide, most of it in collateral damage to American and European companies that weren't even the targets of the attack. And the recent SolarStorm and Microsoft Exchange hacks highlight that the magnitude of nation-state threats continue to rise. If they had been destructive attacks, our nation could have suffered trillions of dollars in damage. Having been warned repeatedly, we simply cannot wait any longer to act. We must get ahead of this threat and we must do so now.
Gen. (Ret.) Keith B. Alexander is the former director of the National Security Agency and founding commander of United States Cyber Command. He currently serves as chair, president and co-CEO of IronNet Cybersecurity, a start-up technology company focused on network traffic analytics and collective defense.
Jamil N. Jaffer is the former chief counsel and senior adviser to the Senate Foreign Relations Committee and served in senior national security roles in the Bush Justice Department and White House. He currently serves as senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity.
The views expressed in this article are the writers' own.
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
