It’s been just over a year since cybersecurity firm FireEye disclosed what turned out to be the proverbial tip of the SolarWinds iceberg. As we now know, the breach of its network turned out to be part of a much broader Russian cyber espionage operation.
Exploiting vulnerabilities in the SolarWinds platform, Russia’s intelligence services gained access to the networks of thousands of customers, including a number of key federal government clients. A far smaller number of users were subsequently compromised by follow-up hacking. Microsoft President Brad Smith described it at the time as “the largest and most sophisticated attack the world has ever seen.”
Unfortunately, just twelve months later, the SolarWinds hack faces some stiff competition for Smith’s superlative ranking. The steady drumbeat of hostile cyber operations that have unfolded since, from China’s Microsoft Exchange Server hack to increasingly costly and harmful ransomware attacks, have given the SolarWinds breach a run for its money. They demonstrate even more clearly what some of us already knew: As a nation, we remain unacceptably vulnerable to cyber threats, a circumstance our adversaries recognize and routinely exploit to our disadvantage in strategic competition.
With the digitization and interconnection of almost every facet of our lives, not to mention our homeland security and national defense systems, national cybersecurity is, as President Biden recently described it, “the core national security challenge we are facing.” Yet too often we have failed to keep pace with this persistent and evolving threat, hitting the snooze button in the face of one “wake up call” after another.
We have failed to fully embrace the strategic reality that our adversaries are committed to constant and unrelenting hostile cyber campaigns against us. Reversing this trend requires not only a recognition of the gravity of the threat, but a related commitment at all levels of the public and private sectors to more proactively confront it.
While the Biden Administration has yet to issue a comprehensive cyber strategy, it has taken a number of steps in the right direction. It has prioritized cybersecurity through both policy and action to push a more collaborative national effort to reduce vulnerabilities, enhance resiliency and drive down risk. Mandating improved cybersecurity standards across the Federal government, leveraging the weight of the government to improve supply chain security in the private sector, enhancing partnerships, establishing improved standards and expectations for critical infrastructure security, and taking steps to remove barriers to threat information sharing between government and the private sector are just a few of the efforts underway to improve overall security and deny our adversaries the benefits of their malign efforts.
As important as these efforts are, they are incipient; and even when fully realized they will not eliminate the incentive structures that motivate our adversaries to confront us through cyberspace. More persistent, proactive measures are needed to counter our adversaries and set the overall conditions of security in cyberspace.
The administration has also made cyber diplomacy a cornerstone of its approach, continuing its leadership role in United Nations processes, engaging a smaller group of states to more actively cooperate in the fight against ransomware, and enhancing key partnerships and alliances. The value of diplomacy and the advancement of international law and norms of responsible state behavior in cyberspace should not be understated. Ceding the field to determined moves from China and Russia to reset the rules-based order to fit their authoritarian goals would be a mistake. However, diplomatic efforts are characteristically reactive and slow. They are unlikely to alter our key adversaries’ calculus, and will not provide solutions to an immediate, ongoing, and urgent problem.
It is vital for the U.S. to take a leading role in international norms-setting efforts, but we will also need to persistently engage our adversaries, employing our cyber capabilities during day-to-day competition to disrupt or halt their malicious cyber operations at the source. Disruptive counter-cyber operations must play a role in achieving cybersecurity in depth.
Recently, NSA Director and Commander of the U.S. Cyber Command Gen. Paul Nakasone acknowledged operations to disrupt ransomware groups, taken in partnership with other elements of the federal government. These actions no doubt reflect valuable lessons learned during operations to defend our elections from foreign interference and other threats to the nation. These operations were made possible by key changes in strategy, policy, and legislation in 2018 that provided for more agile and responsive coordination and approval processes to confront emerging threats. Although not offering a panacea, these operations have made a successful contribution to national security–something we should build on.
States, non-state actors, and criminals will not abandon cyber tools as means of statecraft, conflict, and crime. Our vulnerability to these threats will remain a core national security concern for the foreseeable future. Disruptive operations are an essential component to achieving better cybersecurity and can be done consistently with our international legal obligations, commitment to norms, and our goal of ensuring a free, open, and secure internet.
Lieutenant General (Ret). Vince Stewart is the former Deputy Commander of U.S. Cyber Command and the Chief of Inclusion and Innovation for Ankura.
Colonel (Ret.) Gary Corn is former Staff Judge Advocate to U.S. Cyber Command and program director for American University Washington College of Law’s Tech, Law & Security Program and a senior fellow for the R Street Institute.
Editor’s Note: This article has been updated to reflect the number of users affected by the Sunburst breach, according to CISA findings.
More must-read commentary published by Fortune:
- Extreme events are forcing corporations to think like insurers
- To deliver the infrastructure boom, construction giants must open their doors to startups
- Meet your new A.I. best friend
- Can a community of basketball fanatics run an NBA team as a DAO?
- If you’re not Elon Musk: Communication and compliance for fintech CEOs
