In light of the latest breach– including 200GB of PII of Department of Justice and FBI personnel – yesterday’s news from DC is all the more compelling. As is often the case, the most intriguing aspects are hidden deep within the texts or spread across the various documents and hearings. To help make sense of this extremely active week in cyber policy, we have analyzed some of the crosscutting themes on the threat and policy responses from the following:
- President Obama’s The Wall Street Journal article, Protecting U.S. Innovations from Cyberthreats
- DNI Clapper’s Worldwide Threat Assessment Senate Armed Services Committee Statement for the Record
- White House Fact Sheet: Cybersecurity National Action Plan (CNAP)
- Cyber budget within the 2017 Budget Proposal
Disparate & Unprecedented Paths
- State & Non-State Actors: The CNAP and the threat assessment both highlight the range of adversaries, including criminals, lone wolves, terrorists, and state-sponsored espionage (i.e. spies). The sophistication of their techniques clearly varies, but each type of threat actor is increasingly leaning of the availability and low risk of offensive cyber operations to achieve their objectives.
- Adversaries’ offensive tradecraft: Threat actors are keeping all options on the table, pursuing the range of cyber statecraft from propaganda to deception to espionage. Both Russia and China rely heavily on misinformation and espionage, while data integrity and accountability is increasingly problematic, which has strategic level implications for attribution and U.S. policy responses.
- Targets: The targets vary depending on the threat actor, which means that most industries remain potential targets. Those entities with significant PII, IP, or critical infrastructure are at the greatest risk. These include power grids and financial systems, as well as defense contractors.
- Tech & Data Science: Cyber and technology dominate all discussions of leading national security challenges, consistent with previous assessments. In contrast, data science and security are rarely referenced when talking about adversaries’ capabilities, but this year’s threat assessment breaks new ground in identifying the foreign data science capabilities of threat actors. While Director Clapper focuses more on foreign data collection capabilities, the sophistication of the data science will determine any insights that can be gleaned from the collection.
- Between the lines: There is increasingly the potential for unintended consequences given the complex mix of actors, capabilities, and targets. Sophisticated digital tools in the hands of unsophisticated actors are likely to produce negative externalities. Moreover, adversaries’ risk calculus is extraordinarily slanted in favor of offensive attacks. As long as the benefits of a cyber attack outweigh the costs, prepare for more high profile breaches.
Multi-faceted Responses
- Greater spending: The new budget proposal includes a 35% increase in cybersecurity spending to $19 billion. This will cover a broad range of initiatives, including new defensive teams, IT modernization, and broader training initiatives across society.
- Additional bureaucracy: Just as the NCCIC was formed to create a central source for information sharing, the CNAP recommends the creation of a federal CISO. While the attempt is to parallel the organizational feature of the private sector, it may cause confusion considering there is an extant cyber czar.
- Proactive hunting: Given the seemingly endless string of breaches, the CNAP calls for “proactively hunting for intruders”. This will be an interesting area to observe, as it’s among the first federal signs of an offensive-based strategy to defend the government networks.
- Tech Outreach: The budget and the CNAP both stress the need for better government relationships with Silicon Valley. This includes the formation of a new commission comprised of national security experts and Silicon Valley technologists, which would be responsible for longer-term cyber initiatives. President Obama’s reference to the federal system as an “Atari game in an Xbox world” likely resonates with the tech crowd. However, given the absence of anything close to security at this week’s Crunchies, it is unclear whether Silicon Valley is ready to invest in the tough security challenges.
- Elevated Role of R&D: - The CNAP calls for a testing lab for government and industry to pursue cutting-edge technologies. Director Clapper similarly noted the need to stay ahead of the sophisticated research of many adversarial states in the realms of AI, data science and the Internet of Things. This may be another signal that we are working toward crafting this era’s Sputnik moment, just as President Obama described over five years ago.
- Between the lines: Protecting digital infrastructure remains a top national security priority, with an emphasis on strengthening and diversifying our cyber defenses to counter the growing range of adversaries. Interestingly, the pursuit of norms to counter adversarial behavior was markedly absent, potentially because it has yet to have any clear deterrent effect. Instead, the budget and CNAP advocate for changes across the workforce, modernization of archaic federal IT infrastructure, creative strategic thinking, proactive cyber techniques, and strengthened partnerships between Silicon Valley and DC. This is a challenge that requires the best strategic thinkers working alongside the most innovative technologists to help secure the country’s critical assets. The budget battle has already begun, so it is uncertain whether many of these necessary changes will in fact become a reality.