A top government cybersecurity advisor argues in a new essay that the United States faces a cybersecurity crisis requiring immediate attention before it undermines the nation's economic and cybersecurity.
A senior advisor to the Director of National Intelligence (DNI) and Cyber Coordination Executive, Melissa E. Hathaway's article in The Intelligencer: Journal of U.S. Intelligence Studies, published by the Association of Former Intelligence Officers, lays out a somber description of the challenges the incoming president faces in securing the country's information infrastructure.
"Our government and private sector networks and information are being exploited on an unprecedented scale by a growing array of state and non-state actors. Our corporate intellectual property is being stolen and no sector is without compromise .... Further, our government networks are being targeted to steal sensitive information and gain understanding of mission critical dependencies and vulnerabilities. Additionally, we are finding a persistent presence on these networks and we cannot say with assurance that a network that has been penetrated has not been infected with hidden software that could be triggered in a crisis to disrupt or destroy data or communications."
The adversaries are multiple: hackers, terrorist networks, rogue states, and powerful nation states like China and Russia. Their targets range from the private to the public sectors using a host of techniques, such as denial-of-service attacks. Their motives are myriad as well and "widely range from curiosity and prestige—at the hacker end of the spectrum—to industrial espionage and subversion of our national security interests by hostile nation states at the other end," she writes. Think Estonia.
Cybersecurity has become so critical that the U.S. government needs to investigate the market supply chain of IT products. To do this, the U.S. government needs to ask the five questions, according to Hathaway:
"We need this understanding," she writes, "because each of these points of interface of the device with the hardware, software, and technology design, presents an opportunity to introduce or exploit vulnerability."
As Hathaway notes, a company may have too many close ties to a rival nation states or a bug could have been inserted somewhere in the supply chain and compromised technology installed in U.S. mission critical applications.
If the U.S. public and private sectors cannot protect their networks, their adversaries could jeopardize information in four ways: they could steal it; they could disrupt it; they could deny the ability of the user to access it; and they could alter or destroy it.
The fourth possibility could be the most dangerous. The scary scenarios range from financial records and medical records that could no longer be trusted to air traffic controls systems and military logistics that have been corrupted.
What's needed, according to Hathaway, is a comprehensive and coordinated effort to share information with the private sector about cybersecurity vulnerabilities and risks.
"The U.S. government needs to generate and share with the private sector an operational understanding of how adversaries create and exploit our cyber vulnerabilities. We must disclose the extent and reach of their capabilities. We need to inform the private sector what is being targeted by our adversaries (usually intellectual property) and to the extent we know, why. Finally, the government must begin to share the extent of resources at risk, the risk-reward construct of inaction vs. action, and what other partners may be involved. This shared understanding and dialogue should influence our defensive strategy and collective resource allocation."
Finally, she says, the government must apply stricter risk models than the private sector is willing to apply to itself while providing enough resources to help fund research and development into technologies that allow U.S. citizens to maneuver through cyberspace safely.