8 March 2023

The government cannot win at cyber warfare without the private sector

JIANLI YANG

The American and Chinese flags wave at Genting Snow Park ahead of the 2022 Winter Olympics, Feb. 2, 2022, in Zhangjiakou, China. Hackers working on behalf of the Chinese government broke into the computer networks of at least six state governments in the United States in the past year, according to a report released by a private cybersecurity firm. The report from Mandiant does not identify the hacked agencies or offer a motive for the intrusions, which began last May and continued through the last month.

On Feb. 17, the FBI announced that it is investigating a hack of its computer network. This hacking follows a 2020 Russian cyber espionage operation on many federal networks, a 2015 Chinese hacking of the Office of Personnel Management (OPM) that led to the theft of scores of employee records, and countless others that occurred in between. Digital dictatorships around the world, such as China and Russia, control and oppress their own people, to be sure, enabled by advanced and sophisticated high technology, but they also pose a direct threat to security and interests of the democratic world.

The hacking threat emanating from these two countries cannot be overstated. According to the U.S. Intelligence Community’s 2021 Annual Threat Assessment, “China can launch cyber attacks that, at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States,” while Russia “continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries.”

The Biden administration recognizes the scope of this issue and has made cyber attacks a major diplomatic front, but the executive and legislative branches have done little to stop these attacks. The government agencies charged with deterring and defeating this threat are not properly equipped for the task, and there is a lack of consensus about which methods will be most effective for countering digital dictatorship. That needs to change.

The Council on Foreign Relations (CFR) recommends “a program of deepening public-private collaboration between the Defense Department (DOD) and the defense industry” to stop these hacks. It suggests this because it recognizes that the private sector is who owns and operates the networks and systems that the problem countries target, while the public sector “lacks the same picture of the threat environment.”

The CFR is right. Private-sector actors regularly face hackings and understand that their survival in the marketplace hinges upon addressing them swiftly and efficiently. The government, by contrast, doesn’t recognize many of these threats until they occur. The government has the ability to contract with anyone, so why wouldn’t it choose to work more closely with private companies?

Consider the case of the Office of Personnel Management, which faced that headline-making 2015 hacking from China. While OPM received an “F” cyber score on the July 2022 Federal Information Technology Acquisition Reform Act (FITARA) scorecard, private-sector companies such as MonsterGov have proper FedRAMP agency authorization and manage security for some of the biggest and most trusted Fortune 500 companies on the market today.

As the old cliché goes, the government that governs best is the one that governs least. As such, federal procurement officers should consider quickly outsourcing more of the public sector’s current responsibilities to private-sector companies.

However, even if the government relies heavily on the private sector’s shoulders, hacking of its infrastructure will still occur. Disaster preparedness and response is one thing that it will never be able to outsource. That’s why it’s critical that the government dramatically increase the number of cyber security experts it employs and begin to treat hacking as a national security priority.High egg prices: Getting to the bottom lineThe performative politics of Marjorie Taylor Greene

Sens. Marco Rubio (R-Fla.) and Mark Warner (D-Va.) have proposed legislation that would do just this. It would create a government office — the Office of Critical Technologies and Security — that would exist for the sole purpose of “coordinating across agencies and developing a long-term, whole-of-government strategy to protect against state-sponsored technology theft and risks to critical supply chains.” This office will streamline efforts to stop hacking from America’s adversaries and ensure that the U.S. doesn’t ever provide too little, too late responses to these threats ever again.

We may not be able to stop China and Russia from working to steal our sensitive information and damage our critical infrastructures, but we can stop them from being effective. We will be able to do so only if the government stops trying to manage everything and instead begins focusing singularly on its hacking detection and response effort. Only then will it find the right private and public sector balance needed to respond to these threats of terrorism and keep the American people safe and secure for generations to come.

Jianli Yang, a former political prisoner of China and survivor of the Tiananmen Square massacre, is founder and president of Citizen Power Initiatives for China and the author of “For Us, The Living: A Journey to Shine the Light on Truth.”

No comments: