25 February 2021

A strong offense can decrease cyberattacks on critical infrastructure

BY MICHAEL HAYDEN, TOM RIDGE, JOHN SHKOR AND MARK MONTGOMERY

After years of malicious cyber activity targeting U.S. critical infrastructure, hackers linked to Russia recently infiltrated numerous American companies and federal government agencies, including the Departments of Homeland Security and Commerce, the Treasury and the Pentagon. This attack compromised national security and is costing business and the government untold millions or billions of dollars in damages.

This litany of increasingly sophisticated cyber intrusions by Russia, China and others makes it clear that we are in a cyber conflict and our cyber defenses alone are insufficient to protect our critical infrastructure.

It is time to reassess our national approach to cyber protection and ensure that our efforts include a strong defense and, importantly, a commitment to using offense capabilities, both cyber and non-cyber, to impose consequences on those who would do us harm.

We need to reduce the ever-increasing number of cyber intrusions into our critical infrastructure, especially the electric grid that powers our nation, and to see these pervasive cyber penetrations for what they are — an effective form of cyber-enabled asymmetric economic warfare that threatens our national security.

These attacks are equivalent to a physical attack on the homeland and create vulnerabilities that later could be used to disable significant portions of our critical infrastructure, including health care, communications, transportation and other elements essential to our economy and quality of life.

Malevolent actors, and governments that support or harbor them, must know that we will respond to malicious cyber intrusions swiftly, using the full range of U.S. legal, economic, diplomatic and sovereign powers.

Our 2018 National Cyber Strategy says that the U.S. will undertake an assertive cyber deterrence initiative to identify and deter incoming cyber attacks by applying consequences — i.e., foreign aggression, whether by individuals or countries, will be met with a strong U.S. response that may not be limited to cyber tools alone.

The congressionally-appointed Cyberspace Solarium Commission called for similar actions in its 2020 report, outlining numerous defensive and offensive recommendations to better protect our critical infrastructure. Congress enacted several of these recommendations in 2020, and we urge that any infrastructure legislation considered in the next Congress make the electric grid a top priority when securing and defending our critical infrastructure.

For its part, Protect Our Power, a nonpartisan, nonprofit group focused on improving electric grid security, has been working with all aspects of the electric power industry since 2016 to build consensus on what needs to be done and how to finance a plan for upgrading our electric grid. The group has worked with key stakeholders, including power companies and federal and state officials, to drive needed physical and regulatory improvements and advocate for a national policy to address this threat.

The electric power industry and government agencies have made real progress in defensive action to secure the grid. But what is increasingly clear is that defense alone, without effective cyber deterrence, is an incomplete strategy.

President George W. Bush made clear after 9/11 that the U.S. no longer would allow the concept of sovereignty to shield terrorists attacking the United States from behind the borders of another nation. This principle must govern in the cyber world if the U.S. is to effectively protect our critical infrastructure.

Foreign leaders must fully understand that those who conduct, sanction or facilitate cyber intrusions into U.S. critical infrastructure, wherever they may operate, will suffer more significant consequences than what they intend to impose on us. In essence, we must motivate international leaders to preemptively turn the hackers off.

The way forward is clear — and not as difficult as some might think. Malicious cyber activity can be deterred, and the leaders of our national security and military organizations know what is necessary. What we lack is a commitment to investing in securing our critical infrastructure, combined with a clear declaratory policy to respond to malicious activity with both cyber and non-cyber offensive tools.


This starts with a presidentially approved national strategy, along with the necessary findings, authorizations, rules of engagement and coordinating mechanisms to signal that this threat to the United States will not be tolerated.

President Biden intends to impose consequences on the actors behind the most recent cyberattacks on U.S. businesses and agencies. And the 2021 National Defense Authorization Act establishes a much-needed, Senate-confirmed national cyber director within the Executive Office of the President to direct and coordinate a “whole of government” response.

The departments of State, Homeland Security, Defense, Justice, Treasury, Commerce and the United States Trade Representative and Director of National Intelligence now should be tasked with developing a full array of sanctions and consequences that can be levied against malicious cyber actors.

Improving our ability to repel cyberattacks is important, but our overall cyber strategy must also include a strong offensive capability and the will to use it whenever and wherever necessary.

Retired Gen. Michael V. Hayden is the former director of the National Security Agency and former director of the Central Intelligence Agency.

Thomas J. Ridge is the former U.S. Secretary of Homeland Security and the 43rd governor of Pennsylvania.
