‘Layered deterrence’ against cyberattacks
The United States is under attack. The battlegrounds couldn’t be more disparate, from our largest military installations and enormous energy-grid operators to the smallest mom-and-pop stores on Main Street and even our individual smartphones. Hackers, other criminals and foreign actors are seeking out any digital vulnerability to disrupt our lives, stall our economy and shut down access to vital information.
The pandemic accelerated an already-in-progress shift to a more digitally focused life. There’s no doubt this connectivity saved lives and kept our economy afloat over the past two years, but it came at a cost: massive, potentially devastating weak points in the systems that power our daily lives.
What happens if those networks are compromised?
Recent attacks have affected our energy sector, slowed our supply chains and damaged government institutions ranging from federal offices to local municipalities. What is the impact on society if power grids and communications systems shut down? What is the impact on the individual if they can no longer work or learn remotely or access sensitive medical documents or their bank account?
These difficult questions are why Congress created the Cyberspace Solarium Commission in 2019 to rethink our national security posture for the digital age. The commission, which we co-chair, is made up of bipartisan congressional leaders, executive branch officials, and experts from private industry, think tanks and research institutions. It met some 50 times to scrutinize the United States’ vulnerabilities in cyberspace and seek solutions. Our conclusion: America is woefully unprepared for the cyberthreats developing around the globe, but we can change that.
As the commission wraps up its scheduled work this month, more than three dozen of its recommendations have been enacted into law. These include the creation of a Senate-confirmed national cyber director to coordinate the federal government’s efforts in cyberspace.
But as we reach the end of our commission’s tenure, we believe there are important, common-sense next steps that can help protect key U.S. networks and the people who rely on them. Our strategy — “layered cyber deterrence” — is rooted in the idea that, rather than a single solution, we need a multipronged approach to both prevent attacks before they’re launched and withstand the attacks that come.
To change our enemies’ calculations, we must first harden our national defenses and resiliency. One major step toward that goal is improving the working relationship between the government and the private sector, which our commission team estimated controls over 80 percent of our threatened networks, including energy systems and financial markets. Although these systems are not under federal control, an attack on them would have a devastating impact on all Americans.
We must bridge the government-private sector gaps by passing legislation that secures our nation’s critical infrastructure and requires companies to report cyber-incidents, so that the federal government can better identify potential risks to national security and help with damage mitigation. Both of these efforts made major progress in terms of building awareness and urgency in Congress this year but ultimately fell short. We must continue to push the ball forward.
Layered cyber deterrence also calls for the United States to shape behaviors in cyberspace by working with partners and allies. The nonmilitary tools at our disposal include law enforcement, sanctions and diplomacy, which can establish clear rules for cyber-engagements and consequences for those who step out of line.
We must also be able to impose costs on those who violate these norms, so our enemies — from nation-states to criminal organizations — know that if they attack us, they will pay an unacceptable price. The best cyberattack is the one that doesn’t occur — and the best way to prevent these attacks is through a clear, unambiguous policy of deterrence.
After years of work, the cyberspace commission is wrapping up, but our members have unfinished business we don’t plan on stepping away from and we’ll continue our work through legislation and negotiation and pressure when necessary. Just as the United States has defended its interests on land, sea and air, it must recognize that the nation’s interests in a fourth domain — cyberspace — are central to our country’s long-term security and prosperity.
The threat will continue to evolve, but this is a challenge we can and must meet with imagination, determination, cooperation and engagement - from the desktop at the end of the supply chain to the top desk in the Oval Office and every place in between.