An Airman monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Md., June 3, 2017.

An Airman monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter's Den, at Warfield Air National Guard Base, Middle River, Md., June 3, 2017. Air Force photo by J.M. Eddins Jr.

Sweeping Hack Gives Biden a Mandate to Reorient America’s Cyber Strategy

It’s long past time to wrest the focus from offense back to defense.

National security agencies are investigating the extent and possible effects of a major cybersecurity breach, thought to be a Russian state-backed hack, affecting federal organizations—including Treasury, Commerce, and the Department of Homeland Security—and an as-yet unknown number of large corporations. The attack is one more reminder of our government’s need for a defense-focused cyber strategy instead of Washington’s current posture, which is too risky and leaves few resources for keeping state systems safe.

The public details of this week’s attack are still relatively few. The hackers are thought to be a Moscow-supported group known as APT29 or Cozy Bear, which was also involved in hacking the Democratic National Committee in 2016 and the State Department and White House email servers during the Obama administration. (Russia, predictably, has denied involvement and further claimed it does not “conduct offensive operations in the cyber domain” at all.)

Beyond the obvious data collection, the motive for the breach isn’t yet clear. The hackers were able to access internal departmental email traffic, but how much or how classified is still to be determined. This single attack has targets outside the federal government too because it was accomplished by compromising a widely used network management software. The corruption of that software, probably months-old and not isolated to U.S. entities, has been described as “top-tier operational tradecraft.”

Given its timing, the bulk of the response to this breach will fall to the incoming Biden administration rather than the outgoing Trump team. That may be fortuitous, as the Trump administration’s approach to cybersecurity has at once been too casual and too aggressive. An attack on the apparent scale of this one can and should occasion a rethink of U.S. strategy on cybersecurity.

The too-casual side of the Trump approach was revealed in news, broken by Yahoo this past summer, that President Trump issued a secret “presidential finding” in 2018 which allows the CIA to conduct cyberattacks against a broad range of international targets—including private individuals and charitable and religious organizations—if they are suspected of connection to a target state, particularly China, Iran, North Korea, and Russia. 

“Before, you would need years of signals and dozens of pages of intelligence to show that [the target] is a de facto arm of the government,” said an unnamed former U.S. official quoted in the Yahoo story. But now, “as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you're good.” The permitted attacks are not only data sweeps, like this one by Cozy Bear. There “has been a combination of destructive things—stuff is on fire and exploding,” the official told Yahoo, “and also public dissemination of data: leaking or things that look like leaking.” 

These attacks can have grave consequences in real life, including for innocent bystanders and people mistakenly targeted under this loose standard of verification. This is far too freewheeling of an approach for an arena of foreign policy which is fast becoming “real” war. It risks harming ordinary civilians not responsible for their governments’ malign behavior—or even escalating into a shooting war between the U.S. and one of the great powers (Russia, China) with whom we tend to trade cyber strikes.

That brings us to the too-aggressive part of Washington’s present strategy: We do way too many strikes and far too little defense, exposing our agencies and secrets to breaches like the one revealed this week. “Across the U.S. federal government,” Reuters reports, an appalling “90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure.” With a ratio like that, is it any wonder malicious foreign hacks of federal agencies happen so frequently?

This week’s hack, like so many before it, should alert President-elect Joe Biden that this is a policy area overdue for reform. Instead of devoting our resources to antagonizing other nations, potentially inciting unintended and undesirable consequences for innocent civilians as well as our own national security, we should be shoring up our online defense. 

That means hardening digital targets, especially those involving physical infrastructure and weapons systems, as the Government Accountability Office reports Pentagon investigators from 2012 to 2017 “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.” These internal testers were about to commandeer the systems undetected with “relatively simple tools and techniques.”

In that context, having Russian hackers reading Commerce Department emails feels like getting off easy. Far more dangerous breaches are possible—and, given enough time, likely—if we do not shift our cybersecurity strategy to prioritize restraint and defense. This new attack gives the Biden team a mandate to do exactly that.

Bonnie Kristian is a fellow at Defense Priorities, contributing editor at The Week, and columnist at Christianity Today. Her writing has also appeared at CNN, NBC, USA Today, the Los Angeles Times, and Defense One, among other outlets.