An Airman monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Md., June 3, 2017.

An Airman monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Md., June 3, 2017. Air Force photo by J.M. Eddins Jr.

Sweeping Hack Gives Biden a Mandate to Reorient America’s Cyber Strategy

It’s long past time to wrest the focus from offense back to defense.

National security agencies are investigating the extent and possible effects of a major cybersecurity breach, thought to be a Russian state-backed hack, affecting federal organizations—including Treasury, Commerce, and the Department of Homeland Security—and an as-yet unknown number of large corporations. The attack is one more reminder of our government’s need for a defense-focused cyber strategy instead of Washington’s current posture, which is too risky and leaves few resources for keeping state systems safe.

The public details of this week’s attack are still relatively few. The hackers are thought to be a Moscow-supported group known as APT29 or Cozy Bear, which was also involved in hacking the Democratic National Committee in 2016 and the State Department and White House email servers during the Obama administration. (Russia, predictably, has denied involvement and further claimed it does not “conduct offensive operations in the cyber domain” at all.)

Beyond the obvious data collection, the motive for the breach isn’t yet clear. The hackers were able to access internal departmental email traffic, but how much or how classified is still to be determined. This single attack has targets outside the federal government too because it was accomplished by compromising a widely used network management software. The corruption of that software, probably months-old and not isolated to U.S. entities, has been described as “top-tier operational tradecraft.”

Given its timing, the bulk of the response to this breach will fall to the incoming Biden administration rather than the outgoing Trump team. That may be fortuitous, as the Trump administration’s approach to cybersecurity has at once been too casual and too aggressive. An attack on the apparent scale of this one can and should occasion a rethink of U.S. strategy on cybersecurity.

The too-casual side of the Trump approach was revealed in news, broken by Yahoo this past summer, that President Trump issued a secret “presidential finding” in 2018 which allows the CIA to conduct cyberattacks against a broad range of international targets—including private individuals and charitable and religious organizations—if they are suspected of connection to a target state, particularly China, Iran, North Korea, and Russia. 

“Before, you would need years of signals and dozens of pages of intelligence to show that [the target] is a de facto arm of the government,” said an unnamed former U.S. official quoted in the Yahoo story. But now, “as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you're good.” The permitted attacks are not only data sweeps, like this one by Cozy Bear. There “has been a combination of destructive things—stuff is on fire and exploding,” the official told Yahoo, “and also public dissemination of data: leaking or things that look like leaking.” 

These attacks can have grave consequences in real life, including for innocent bystanders and people mistakenly targeted under this loose standard of verification. This is far too freewheeling of an approach for an arena of foreign policy which is fast becoming “real” war. It risks harming ordinary civilians not responsible for their governments’ malign behavior—or even escalating into a shooting war between the U.S. and one of the great powers (Russia, China) with whom we tend to trade cyber strikes.

That brings us to the too-aggressive part of Washington’s present strategy: We do way too many strikes and far too little defense, exposing our agencies and secrets to breaches like the one revealed this week. “Across the U.S. federal government,” Reuters reports, an appalling “90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure.” With a ratio like that, is it any wonder malicious foreign hacks of federal agencies happen so frequently?

This week’s hack, like so many before it, should alert President-elect Joe Biden that this is a policy area overdue for reform. Instead of devoting our resources to antagonizing other nations, potentially inciting unintended and undesirable consequences for innocent civilians as well as our own national security, we should be shoring up our online defense. 

That means hardening digital targets, especially those involving physical infrastructure and weapons systems, as the Government Accountability Office reports Pentagon investigators from 2012 to 2017 “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.” These internal testers were about to commandeer the systems undetected with “relatively simple tools and techniques.”

In that context, having Russian hackers reading Commerce Department emails feels like getting off easy. Far more dangerous breaches are possible—and, given enough time, likely—if we do not shift our cybersecurity strategy to prioritize restraint and defense. This new attack gives the Biden team a mandate to do exactly that.

Bonnie Kristian is a fellow at Defense Priorities, contributing editor at The Week, and columnist at Christianity Today. Her writing has also appeared at CNN, NBC, USA Today, the Los Angeles Times, and Defense One, among other outlets.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.