2 September 2022

Redefining Cybersecurity as International Security, Not Just National Security

Pedro Allende

Following a spate of cyberattacks, including significant attacks on operational technology (OT) devices, there has been a great deal of emphasis on coordination and collaboration between government and the private sector, and among private sector entities. This concept in the cybersecurity context has been dubbed collective defense—and it is, admittedly, a work in progress.

Although the United States tends to think about this on a national level, as a part of national security, it would behoove the government to think about cybersecurity beyond national borders.

A Short and Narrow Primer on How the United States Protects Itself

Broadly, the relationship between the government and the private sector is complex. There are competing authorities within the government, information silos, and the elephant in the room: information sharing. In the United States, information sharing is largely voluntary. It also faces hurdles from corporations whose lawyers are focused on liability concerns (and rightfully so, despite certain liability protections) and from the government, whose ability to enrich data with classified information is hamstrung by a general queasiness about declassifying information or classifying it at the lowest possible level, often leading to alerts that tell companies little more than "something bad might be happening soon." But it is getting better quickly.

Putting aside the evolution of how the United States handles cybersecurity as a nation, there is a compelling case to be made for looking beyond our borders in support of our closest allies, some of whom are likely viewed by adversaries as proxies, or worse, as test beds for future attacks against U.S. entities and infrastructure. Although working externally would greatly benefit U.S. allies, this is not entirely altruistic. It is symbiotic. The United States might be able to overcome some of the internal structural issues with information sharing that create blind spots.

The United States knows that global companies often run shared services across business units with similar structures, wherever those units sit. Critical infrastructure in the United States is organized into 16 critical infrastructure sectors. Forensic analysis of cyberattacks can often yield insight into the tactics, techniques, and procedures (TTPs) used in the attack. However, the United States misses opportunities to know more.

Companies operating in the United States need many of the same essential business services when operating in Argentina, Latvia, Singapore, and Nigeria. At least some U.S. critical and operational infrastructure resembles that of other countries at both the sector level and the operational level.

Cyber collaboration on a global scale makes sense. It is particularly important, at a time when U.S. influence in the Western Hemisphere is facing internal hemispheric and external challenges, to view cyber collaboration as an opportunity to deepen and strengthen ties in the United States’ own neighborhood.

Maritime

Several of the world's largest ports are in countries with which the United States has strong diplomatic and strategic relationships: South Korea, the Netherlands, and Japan. Panama, also home to one of the largest ports, has a longstanding relationship with the United States and is strategically important for global commerce and supply chains, which have been strained in recent years.

Energy Infrastructure

Although national energy strategies and decisions differ based on policy goals and the availability of energy sources, among other reasons, some of the equipment used is surprisingly common. Indeed, the same equipment that generates, transmits, and distributes electricity in the United States is in use by some of its closest allies. Brazil, the largest oil producer in South America, has a network of oil and gas pipelines and was the only country in South America to increase its crude oil production in 2020. Brazil is also the second-largest producer of hydropower on Earth. Colombia is the third-largest hydropower producer in South America.

Food and Agriculture

Dinner tables are a collection of globally sourced ingredients at varying levels of processing. Mexico, in particular, is expected to remain the largest foreign supplier of agricultural goods to the United States. It is also an important trade partner but has, in recent years, sought to distance itself from the United States, a fact most recently punctuated by President Andrés Manuel López Obrador's decision to boycott the Summit of the Americas. Working together to protect a major engine of the Mexican economy that also helps feed the United States is an excellent idea.

Other Critical Infrastructure

For each U.S. critical infrastructure sector, there are likely one or two nations whose equivalent sector is similar enough to serve as a proxy for it, even if at a smaller scale.

How This Works in Theory

Much like the information-sharing programs inside U.S. borders, the United States could offer pilot programs to carefully selected allies in which advanced sensors are placed on their infrastructure, with the consent of the host government or owner, so that the U.S. government or a third party can monitor activity on that infrastructure. The information-sharing arrangement can be structured for mutual benefit: the host government gains greater visibility into its own infrastructure, and the United States gains unprecedented views into the operations of adversaries.

How This Works in Practice

When Russia invaded Ukraine in February 2022, cyberattacks on Ukrainian information and communications technology systems preceded the physical attack. As Anne Neuberger, deputy national security advisor, pointed out in early February, Russia has “used cyber as a key component of their force projection” with the understanding that “disabling or destroying critical infrastructure can augment their pressure on a country’s government, military, and population, and accelerate their ceding to Russian objectives.”

While suggesting more cross-border collaboration on cybersecurity, it is important to note that Russian cyber activity did not stop at the Ukrainian border. The threat of Russian attacks on nations supporting Ukraine's fight, including the United States and U.S.-based organizations, is real. Russia is exploring options for potential cyberattacks, leading the Cybersecurity and Infrastructure Security Agency (CISA) to encourage organizations to go "Shields Up" and to emphasize speedy reporting of cyber incidents as an early warning to other organizations.

With each iteration, the world is learning and getting better. The previous Russian incursion into Ukraine, which began in 2014 and resulted in Crimea's annexation, was accompanied by a measurable uptick in Russian cyber activity. Those attacks had widespread effects on critical infrastructure, including the energy and telecommunications sectors, most notably the December 2015 attack on the Ukrainian power grid. This was coupled with information operations to isolate the population in Crimea and insert a Russian narrative. This time, the effects were much more subdued.

But this was not due entirely to the preparation and cyber assets of the Ukrainian government. Much of the credit here goes to the private sector. Without the fast work of private sector actors such as Microsoft, which rapidly mobilized to counter a meticulous destructive malware campaign that masqueraded as ransomware; Lumen Technologies, which disconnected its network from Russia; and SpaceX, which deployed Starlink internet service to Ukraine, the effect of Russian cyberattacks could have been destabilizing and could have granted Moscow the tactical advantage and confusion it so desired.

Imagine if Ukraine had been a closer ally at the time and the West had been able to position sensors on its infrastructure to watch Russian cyberattacks evolve in real time. What would that show beyond identifying TTPs? Could it show gaps in the Russian methodologies used? Could it show the roadblocks Russia encountered, how it overcame them, and how long it took to do so? Could it help the West create an early warning system for a pending action?

The same principles apply to other actors like hacktivists and criminal organizations that use ransomware for profit.

Aside from the obvious benefits of closer partnership with U.S. allies, in this new era of great power competition it would be negligent not to quote Sun Tzu:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. You will succumb in every battle if you know neither the enemy nor yourself.

When it comes to cyber, Sun Tzu’s principles still apply. Their application, however, is at a different speed, scale, and methodology.

It is imperative to understand one's own systems. Once an adversary's attack has been analyzed and deconstructed, countermeasures can be developed and deployed at scale almost instantly.

In essence, you see it once, then you inoculate everybody.