Multiple, dynamic threats have reshaped the cyber-risk landscape; ignore them at your peril.
As we look forward to the new year and the potential for a return to some measure of normalcy, we have the opportunity to consider how we might tackle the new challenges of the rapidly evolving cyber-threat environment going forward.
In particular, as cyber defenders in both the public and private sectors assess our posture and consider how our approach should shift going forward, it is strikingly clear that while we have made significant progress in strengthening our defenses and are getting better at raising the cost to our adversaries. However, we have yet to fundamentally shift our paradigm to account for the threats we face and to keep up with our adversaries’ capabilities.
In 2017, we saw two cyberattacks that have fundamentally shifted our understanding of the threat environment. NotPetya, a cyberattack aimed at Ukraine by Russia, spun out of control, causing $10 billion in damages worldwide. That attack taught us that collateral damage is a real thing in cyberspace and one need not be the direct target of a cyberattack to suffer significant harm.
Likewise, the WannaCry ransomware attack conducted by North Korea, also in 2017, demonstrated the crippling effect such attacks can have on the public and private sector, including healthcare institutions. Less noticed by the public, but perhaps even more critical to the American economy, is the continued theft of core intellectual property by nation-states, principally China, which undermines the global competitiveness of American companies and directly threatens American jobs, particularly as we seek to grow as an innovation-focused economic power.
This effort undercuts not only the work of large enterprises but also small startups that are highly dependent on the creation of new and unique intellectual property and which are increasingly at the heart of American economic growth.
More recently, as the global COVID pandemic has spread, we’ve seen a marked increase in malware attacks taking advantage of the situation and targeting the response and recovery infrastructure, including international organizations and vaccine manufacturers. We’ve likewise seen attacks on medical facilities resulting, indirectly, in patient deaths, financial institutions and governments being robbed or defrauded of hundreds of millions of dollars, continued efforts by adversaries to put privately owned critical infrastructure at risk, potentially to shape or modify government behavior.
This all takes place as we continue to see nation-states like China not only siphoning off billions of dollars of intellectual capital from across the globe as noted above but also extracting massive amounts of data to train sophisticated machine learning algorithms. Furthermore, China, Russia, and Iran are engaged in efforts to manipulate popular opinion and undermine the rule of law and confidence in elected leaders and key institutions.
Unfortunately, the threat landscape is likely to get worse before it gets better. With the broad rollout of 5G networks globally and increasing capabilities and use of mobile and Internet of Things devices, not to mention the new work-from-home environment spurred by the COVID pandemic, we are operating in a target-rich environment for both nation-state and private cyberattackers. And the lines between the two are increasingly becoming blurred. While we’ve long known that the Russians operate through criminal proxies, the advent of such double-dipping in China is troubling given the massive scale and sophistication of attacks that collusion between criminal and nation-state actors in China can bring to cyber-threat landscape.
Moreover, this rapid growth in infrastructure and threats also means that the workload facing cybersecurity personnel is growing faster than we can possibly develop talent. There simply will not be enough people to solve this problem and, as such, we must crowdsource the knowledge we need and leverage advanced technologies to address this shortfall.
The good news is that the private sector and the government have been improving defenses. The cybersecurity conversation has made it into nearly every boardroom, even if directors and risk committees aren’t always prepared — or equipped — to fully grapple with the myriad threats they face.
Corporate cybersecurity leaders are increasingly gaining a seat at executive leadership meetings and seeing budgets more aligned to the threat. And the government has finally started to get serious about the threat by taking the fight to cyber adversaries overseas under new authorities with advanced capabilities and working across traditional lines. We should preserve and expand on these efforts by doubling down on the defend forward strategy and persistent engagement mission of US Cyber Command overseas, and by expanding partnerships and joint training, exercises, and planning among our cyber defenders in government and the private sector.
Yet more needs to be done. Government and industry continue to operate in traditional silos, focused first on defending individually, rather than protecting collectively. To be sure, industry and government have done more to share information recently than perhaps ever before, but such sharing is simply one aspect of the larger effort. The real key is to be able to collaborate defensively at speed and scale across companies, industries, states, and national boundaries.
As the Cyberspace Solarium Commission noted earlier this year, we need a paradigm shift to collective defense, with shared situational awareness and broad collaboration across the board. As we look to the next year, and think about change we need, when it comes to the cyber realm, it’s worth remembering the old adage that united we stand, divided we fall.
Gen. (Ret) Keith B. Alexander is the former director of the National Security Agency and founding commander of the US Cyber Command, and currently serves as chairman, president, and co-CEO of IronNet Cybersecurity. Jamil Jaffer served in senior national security roles in the … View Full Bio