A VULNERABLE GIANT? WHY AMERICA IS LOSING ON THE CYBERFRONT

BY ADAM BRAND

In the last few years, the United States has suffered a significant number of cyber security breaches affecting American institutions, elections and businesses. These attacks have been primarily carried out by American rivals, such as Russia and China. Notable past examples include the Russian 2014 Cozy Bear hack and attempts by China to steal intellectual property.

Cyber attacks have damaged the U.S. economy, jeopardised American lives and contributed to a destabilisation of the country as a whole. The U.S. is the world’s richest nation, preeminent military power and a technological behemoth, and yet it appears to be losing a game that it should logically be able to play and win. This raises the question: why is the U.S. being compromised by cyber attacks?

To understand the flaws in the United States’ approach to cybersecurity, we need to look at the recent SolarWinds and FireEye attack, which saw hundreds of American companies and U.S. institutions infiltrated. A few notable victims were Microsoft, U.S. Treasury, State Commerce Department, National Institute of Health and Homeland Security. The hack is believed to have been perpetrated by Russian Intelligence Services, and is considered one of the most disruptive cyber-attacks in U.S. history. This is because the hack went undetected for nine months, successfully hit numerous high-profile targets and leaked sensitive data. The incident has been described by senior U.S. Senator Dick Durbin as “virtually a declaration of war”. The U.S. Government remains unsure as to how much data was stolen. What is certain, however, is that the breach was so severe and widespread that many of the compromised networks will need to be completely replaced. The cybersecurity ramifications make this an act beyond mere espionage. The attack has jeopardised systems which are essential for the proper functioning of the internet and has led to more questions than answers about the future safety of American infrastructure and data.

What decisions did the U.S. Government make that allowed this hack to occur? According to Brad Smith, the President of Microsoft, whose own company fell victim to the hack, there are many explanatory factors.

The first reason is America’s reluctance to put an end to the global proliferation of Private Sector Offensive Actors (PSOAs). These are companies that sell specialized hacking tools on a large scale, often to governments. The most notable example of this would be NSO, which sold governments a piece of spying software called Pegasus that worked by hacking WhatsApp on smartphones. According to U.S. Consul General Michael F. Kleine, the reason for this reluctance is that the U.S. lacks the capability to stamp out these firms worldwide, and that it benefits from hiring them to test its own cybersecurity systems. Faced with a catch-22, the U.S. government has instead opted for a ‘track it and leverage it’ strategy. The drawback to this approach is that the lack of action against PSOAs has allowed the number of potential attackers to rapidly expand. Further, governments with money are now able to significantly expand their cyber-offensive capabilities. The situation can be compared to the proliferation of accessible firearms, which has resulted in more gun-related deaths. An environment without weapons is inherently safer than one with them.

The second key driver behind America’s cybersecurity failings is a lack of coordination amongst U.S. Government organisations, which has rendered them less equipped to respond effectively to cyberattacks. This issue stems from the failure of the U.S. government to apply the findings of the 9/11 Commission to its overarching cybersecurity strategy. The Commission attributed the failure to prevent 9/11 to a lack of “unifying strategic intelligence”. Reflecting on Microsoft’s own experience, Brad Smith has stated that in order to effectively respond to hacking incidents, organisations need to operate on a “need to share” rather than a “need to know” basis for information acquisition. Indeed, Microsoft’s cybersecurity experts require access to information on all of the interconnected networks of the company’s divisions. This ensures that they can fully assess the extent of a hack and swiftly intercept any potential breach. According to Smith, in Microsoft’s dealings with U.S. federal agencies, the agencies appear to be willingly ignoring the findings of the 9/11 Commission when dealing with hacking incidents. Instead, they continue to operate on a “need to know” basis. This has made it difficult, if not impossible, to coordinate effective cybersecurity responses.

Lastly, the international rules that govern nation-state behaviour regarding cybersecurity are weak. Specifically, it seems that little has been done to address the issue of cyber-related election interference between nation-states. This is particularly concerning for the U.S. as the most powerful democracy in the world, since election interference should ideally be seen as a red line not to cross. Rather than endure election interference, the U.S. should be working to prevent reckless behaviour by other nation-states, either through deterrence or by creating a global environment that incentivizes states not to attack each other. However, the U.S. has failed to effectively pursue either of these strategies. This was evident in 2019 when the U.S. hacked Russia’s energy grid in response to election interference. The outcome was not as intended, and only incentivised Russia to make further attempts at election interference in the 2020 elections. Gen. Paul Nakasone, head of U.S. Cyber Command, argues that any attempt at deterrence is doomed to fail. This is because “unlike the nuclear realm, where our strategic advantage or power comes from possessing a capability or weapons system, in cyberspace it is the use of cyber capabilities that is strategically consequential”. In other words, merely possessing cyber offensive capabilities is not enough, because as it stands, the benefit of using them outweighs the cost. This makes it incredibly difficult to foster an environment which discourages cyber-attacks.

Let us circle back to the original question, which asked why the U.S. is doing so terribly at cybersecurity. The U.S. government has allowed an international environment to be established that promotes the proliferation of cyber-offensive technologies and incentivises their use. Furthermore, the U.S. has failed to reform its institutions to adequately respond to this ongoing threat. It is the latter point that is a matter of interest for Australia, as a nation that is highly vulnerable to cyber-attacks. Learning from U.S. failures, the Government should be working to ensure that its own institutions are following the advice of Microsoft President Brad Smith, so that we are adequately prepared to combat this grave threat.
