Would the United States be ready if we were to experience a massive cyberattack? With a lack of federal strategy, a lot of cybersecurity experts are not so sure. After all, with the COVID-19 pandemic, the country has seen the damage that the lack of a federally backed plan to fight a threat can cause.
The U.S. House Committee on Oversight and Reform recently held a hearing on the nation’s cybersecurity preparedness. During the meeting, a bipartisan bill was introduced that called for the creation of a national cyber director role within the White House. The role previously existed, but was eliminated by the current administration in 2018, and instead, the responsibilities were lumped in with those of the national security director. Various cybersecurity experts argued that making the role its own entity is necessary to help defeat threats and coordinate a cohesive strategy across federal agencies.
Cyber defense is vastly different from kinetic wars fought on the ground and requires different kinds of preparation and leadership. Due to the nature of cyberattacks, it is harder to prepare and respond since private enterprise and all levels of government are directly exposed.
But is a federal plan of action necessary? There are members of the government who believe it should be up to the states to protect themselves against cyberthreat actors. However, this can be dangerous.
The Case for a National Cyber Director
Without strong federal coordination to battle COVID-19, the United States has experienced considerable impact compared to other countries across the world. Since the beginning of 2020, millions of individuals have been diagnosed with the virus, and over 170,000 people have passed away as a result of infection. Each state was left to its own devices, fighting for PPE and relief from overwhelmed hospitals and increasing unemployment numbers. Without any border controls, the virus has easily moved from one part of the country to another.
Much like the pandemic, hacking threats deserve federal attention and resources to mitigate horrific damages. Cybersecurity is the issue of our time. The United States has just as much to lose if there is an unstructured response to a nation-state-backed cyberattack. In the past few years, we have seen the influence of such attacks on critical infrastructure, elections, intellectual property (IP) theft, service interruptions due to ransomware and more. Much like the virus, a cyberattack could move from one place to another if malware were passed along online.
Russia has done more damage than just interfering in the 2016 presidential election - the country has also been accused of hacking Ukrainian and Georgian power grids to cause countrywide blackouts. In 2019, one in five North American-based corporations on the CNBC Global CFO Council said that Chinese companies had stolen their IP within the last year. Stolen IP can ruin an organization’s competitive advantage.
If we ended up in a cyberbattle with some of the top nation-state actors, they could shut down supply chains, hospitals, the internet, oil and gas, electricity grids, water systems and more.
A national cyber director would be able to coordinate the cybersecurity flow of information to the executive branch and be able to coordinate a strategy to defend against these kinds of attacks. They could also build out a proactive offensive strategy to retaliate if necessary - long before a cyberattack successfully hit our shores.
Qualifications for the Role
If the United States had been quicker to respond to COVID-19, we could be in the same position as Taiwan, which has a population of 24 million people but has had only 449 confirmed cases of the virus and seven deaths as of July. The ability to respond tactically and quickly is critical for candidates seeking the national cyber director role. Candidates should be evaluated in terms of their ability to lead the country to a short mean time to respond (MTTR) to a cyberattack. In the cyber world, an organization’s MTTR has to be quick. The longer the threat actor is in a network, the more an organization or entity risks exposing more data and halting business operations.
In 2019, CrowdStrike released a report that gave insight into how fast a nation-state attacker could act. According to the report, nation-state attackers like Russia are able to breach an organization and conduct their first lateral movement across a network in 19 minutes. If you think about that in relation to how quickly a traditional army would have to move for battle - it is orders of magnitude faster.
The parallels continue between COVID-19 and its response and the need for a national cyber director. Just as Dr. Deborah Birx and Dr. Anthony Fauci are in charge of spearheading advisement on the pandemic response to the president, the national cyber director would be responsible for gathering information on threats, prevention and response. The role would involve having a strong understanding of the types of government regulations needed to implement the best protection possible for the nation, as well as divvying up the budget to the companies making the technology to keep everyone protected.
Just as federal and state officials had daily briefings to keep the public informed on the pandemic in the beginning of our battle with COVID-19, the national cyber director would have to be able to work collaboratively with various federal agencies to make sure both the public and private sectors are protected against threats.
Learning from the Pandemic
Before 2020, no one could have predicted the impact a virus like COVID-19 would have on the United States. We must not allow ourselves to be caught in the same place twice with a massive cyberattack.
The effectiveness of a national cyber director will come down to people, process and technology. Not only does the right candidate have to be selected for the job, there need to be federal guidelines in place. Preparing for and responding to a massive cyberattack is hard. Before appointing a person to this position, the federal government needs to iron out the details of how this role will work with existing cyber organizations. Next, everyone needs to recognize this role isn’t a panacea. As we have seen with COVID, other elements are required, such as strong political leadership.
The private sector has a role to play, too. The cybersecurity industry needs to be encouraged to keep innovating and working together with the federal government to build the best offensive and defensive tools. With the right candidate and strategy in place, and a national cyber director in charge, the United States could be much better prepared for a massive cyberattack than it was for the pandemic.