A Cyber Strategy Defining Moment for the Biden Administration
In the face of two massive cyber-attacks, President Biden’s response to the SolarWinds attack is his chance to reset the current state of unchecked nation state cyber aggression targeting the U.S. The lack of a strong and significant response will only further embolden nation state driven or sponsored cyber-attacks against U.S. public and private sector companies and institutions.
As reported over the weekend, the Biden Administration is preparing to act in response to Russia’s involvement in the SolarWinds cyber-attack. Establishing a clear precedent of intolerance toward aggression now will be critical to our nation’s future security. President Biden must strongly come forward, putting every nation state and cybercriminal group on notice that cyber-attacks will not only be taken extremely seriously, but that there will be a high cost where those responsible are held accountable through all levers of national power – diplomatic, economic, law enforcement, intelligence and military operations. Unfortunately, the difficulty in definitively attributing many cyber-attacks has historically resulted in muted and inconsistent responses from the U.S., and directly undermined our ability to establish any level of cyber deterrence.
This past decade we saw the steady growth of cyberattacks. Over the past five years this area of warfare was compounded with more and more adversaries turning to cyber operations. Finally, the last year has seen near unrestricted cyber aggression and boldness from our adversaries. We must act to stem the tide.
The USG can no longer wait for absolute certainty around attribution or use that lack of certainty as an excuse for inaction. The U.S. intelligence agencies should be able and are positioned to provide intelligence assessments and attribution with enough clarity to hold an associated nation state to some level of responsibility. And, if there is not confidence in the administration that the appropriate teams and expertise exists at NSA, CIA, FBI, or DoD, or they are not capable of producing an actionable attribution then this field of analysis needs to be made a priority.
As for what constitutes a strong response, the Biden administration needs to take a mix of both overt, economic and diplomatic, and covert actions, intelligence and military actions in response. This is the defining moment for the Biden administration to reset the global cyber warfare scales and force cyber actors to re-evaluate their risk versus gain assessment when conducting cyber operations against U.S. institutions and U.S. based companies. The target audience the response needs to reach is not just the Russians, but rather the entire global stage of current cyber actors and those that will be entering the arena. If not definitive, we will only see more aggressive actions taken by a growing number of adversaries and criminals that will plague the Biden administration and those after.
If the Biden Administration has any chance of establishing the USG as the cyber superpower, it needs to start here with holding Russia accountable for SolarWinds and begin to put the teeth back into cyber deterrence and by extension the often cited defend forward strategy. However, this is only the opening round. It is equally important the Biden Administration commit to a strategy of establishing defensive superiority to bookend offensive capability because deterrence only works if you have the capability and resolution to inflict more damage than you take.
AI security, compliance, and privacy leader | ISO 42001, NIST AI RMF, and EU AI Act expert | Host, Deploy Securely Podcast | Founder, StackAware | Harvard MBA | Marine veteran
4yInteresting article, Marcus. I agree that the breach of SolarWinds - and the subsequent compromise of many U.S. government information systems - was devastating and requires the "defensive superiority" you discuss. Our federal departments and agencies have a lot of work to do in terms of getting their own houses in order, unfortunately. I also agree that absolute certainty with respect to attribution in cyberspace (or in any situation) is too high a bar to spur action. We must be prepared to accept some gray area in our decision-making. With respect to retaliation though, I think defining the end state is critical here. What will things look like when both sides have escalated the conflict to the maximum extent foreseeable? Are we as a country prepared to go there? Although weakened economically and militarily, Russia still has the largest nuclear arsenal in the world. Russia must have been prepared for some level of response from the United States when they started their infiltration via SolarWinds. At least in terms of actions that have any chance of being attributed to America, however, the Biden Administration needs to be very measured in calibrating them so that we don't grossly exceed what the Russians are prepared for. The Russians clearly feel far less constrained in terms of what they are willing to do (conducting nerve gas attacks in NATO countries, for example), so we need to be firm without provoking an even more aggressive response. What I would suggest is a more focused, multi-faceted campaign to "de-fang" the Russian government's offensive cyber capabilities. This could take the form of network-based attacks, human infiltrations of state-sponsored hacker networks, and targeted sanctions against key economic enablers. When you mention potential military action, though, I think that a kinetic strike would be a bridge too far. Our national survival is not (yet) at stake here, and the potential price is too high.
CIA Officer (Ret)
4y“Defensive Superiority,” as you describe it, is the key. While I would never oppose offensive cyber operations as a means to establish deterrence in cyber space, the paradigm shift has to happen around the defensive side and the common sense improvements we can