WASHINGTON — The United States has the world's strongest military, but cyberspace is disrupting physical war.
The federal government isn't adequately prepared for cyberspace, said Sen. Angus King, I-Maine, co-chair of the Cyberspace Solarium Commission, while speaking at the Great Power Competition and Cyber Conflict event in Washington, D.C. Tuesday.
Cyber vulnerabilities allow enemies to strike at will, with the possibility of an existing, dormant intrusion. Cyberwar isn't confined to a battlefield; it's as much of a threat to the private sector as it is to the federal government.
On Monday, the Department of Homeland Security issued guidance for possible "retaliatory aggression against the U.S." from Iran, following Friday's airstrike, killing a top Iranian general. Experts consider cyberattacks among the likely responses. Iran has since fired on two bases in Iraq where U.S. personnel are stationed.
Tehran has options in cyberspace because it's a "capacity they have and developed over the years. That may well be their choice for a response to the events of last weekend," said King.
Cyber warfare is extending across attack mediums, including espionage, surveillance, malware and disinformation and from threat actors in Russia, China, Iran and North Korea.
"How do you strike that right balance between encouraging the private sector to do more to invest in their own cybersecurity, but also not putting them in an untenable position or in a position that will result in destruction of their business?"
U.S. Representative, R-Wisconsin
Iran can leverage "for-profit threat actors to take advantage of [the] U.S. governments' weak security to ransack their systems," Brett Callow, threat analyst for Emsisoft, told CIO Dive in an email. But "I suspect Iran will prove to be a storm in a teacup."
The inadequacy of the U.S.' cyber resilience is common knowledge. Research from the State Auditor of Mississippi concluded that "many state entities are operating like state and federal cybersecurity laws do not apply to them."
The disregard for cybersecurity hygiene is leading to issues in disaster recovery planning, decrypted information, and "not performing legally mandated risk assessments," according to Emsisoft. Across the board, U.S. government falls short of proper cyber management. Instead, "grossly negligent" practices are woven throughout government entities.
Protecting U.S. organizations
The U.S. has historically used sanctions to diffuse tension. Sanctions are "tougher than saying something mean but it's not as tough or unpredictable as shooting a missile at somebody," said Rep. Mike Gallagher, R-Wisconsin, and Commission co-chair, while speaking at the event.
On Wednesday, the day after Gallagher made his remarks, President Donald Trump announced "punishing economic sanctions on the Iranian regime," according to the White House. The U.S. will uphold the sanctions "until Iran changes its behavior."
But sanctions have their limits in deterring adversarial behavior when cyber is a low cost solution for attacking an enemy.
Russian President Vladimir Putin can hire 8,000 hackers "for the price of one jet fighter," said King. "That's a low-cost way to mess with another country."
The Commission is working toward publishing cyber recommendations (topics pending). As tensions increase across attack vectors, the federal government is still struggling with filling its cybersecurity talent pool.
"I want the most bloodthirsty, vicious, brilliant hackers in the world working for us," hacking U.S. systems so they can tell federal agencies where the problems lie, said King.
In the meantime, the federal government has to lean on the private sector for information sharing and vice versa.
King warned 80% of the cyber target surface is in the private sector. "It's not army versus army," he said. "How do we defend the electric system in the southwest or the water system in New York?"
Finding cyber incentives
There is a continued disconnect between the reality and perception of cyber resilience.
From CEOs to Secretaries of State, "everybody is overconfident" about their cyber resilience, according to King.
Industry has struggled with open lines of communication during a cyber crisis, and the federal government navigates a tenuous balance with information sharing.
The federal government, in turn, could help the private sector by boosting attribution capabilities, said Gallagher. It is "not the default mode" of the national security or intelligence community to assume risk and then share threats accordingly.
Gallagher wants to see the federal government capitalize on private sector practices, such as the 1:10:60 rule; one minute for intrusion detection, 10 minutes for analysis, and 60 minutes for remediation.
"You can imagine a world where we require regulated companies or critical infrastructure to collect 1:10:60 data or something similar," he said. Organizations wouldn't necessarily have to publish their findings, in fear of "perverse market incentives." But if a major breach were to occur, data could be interrogated and negligence could be determined.
In turn, this creates a financial incentive for cybersecurity. Norm-setting standards or incentives are a consideration.
Insurance has the potential to influence organizations' security postures. If there were a "vigorous insurance market for destruction" for cyber-related damages, insurance providers have an indirect power in enforcing cyber hygiene, said King.
"We don't want to pass a law that says every American should have two-factor authentication, but every American should," said Gallagher.
In the meantime, the DHS' Cybersecurity and Infrastructure Security Agency is advising companies to increase defenses.
"I do think there's an anxiety in the private sector," said Gallagher. "How do you strike that right balance between encouraging the private sector to do more to invest in their own cybersecurity, but also not putting them in an untenable position or in a position that will result in destruction of their business?"