A lack of consensus between legislators and industry on critical cyber components is holding up the development of deterrence policies and efforts to combat future threats to the domain, according to a panel of cyber experts speaking at a George Washington Univ. event Tuesday.

The panel pushed for Congress’ cyber policy agenda to include setting definitions for digital acts of war and setting standards for industry cyber resilience efforts to better protect consumers.

A panel on cyber policy at George Washington University. Photo: Matthew Beinart.

“So much of our capacity is not able to be deployed, both offensive and defensive capacity, because we lack legal and policy guidance as to what our true limits are,” said retired Air Force Gen. Michael Hayden, former director of the National Security Agency. “We haven’t yet decided on the principles, the philosophical approach, the accepted international practice and the non-acceptable.”

In government, too much of cyber policy is over-classified, and in the private sector, data continues to be guarded closely for liability reasons, according to Hayden.

Greater engagement between the public and private sector on the subject of information sharing and responding to threats in the cyber domain will begin to help the effort to define digital acts of war.

Hayden pointed to North Korea’s 2014 hack of Sony [SNE] as a case study, but characterized the situation as an example of a “cyber armed attack,” not warfare.

Rep. Will Hurd (R-Texas), chairman of the House IT subcommittee, believes the U.S. could look towards the United Nations definition as a first step, where any nation deemed to be interfering with another’s critical infrastructure is believed to be committing cyber warfare.

In light of Russian interference in U.S. elections, Hurd believes defining roles for combating disinformation campaigns is just as critical as settling on a cyber warfare strategy.

“When it comes to disinformation, the United States does not have a strategy for it,” said Hurd. “When you have a covert action, the Russians influencing us in English and in the United States, who’s responsible for countering that?”

Congress must focus on legislating improved cyber outcomes rather than attempting to keep up with the pace of adversarial tools and regulating specific technologies, according to Hurd.

For cyber defense, Hurd pointed to quantum computing as the next step in protecting critical infrastructure.

“When we think of purely cyber, when quantum computing becomes a real thing, and we’re closer to that period than not, it is going to totally upend how we think about defending digital infrastructure,” said Hurd. “We have to start thinking about that problem now.”

Greater public-private discourse is needed to avoid future cyber incidents similar to September’s Equifax [EFX] data breach, according to the panel.

“We are at a cyber security crisis point. We see these breaches so often it’s hardly even news anymore,” said Susan Hennessey, Brookings fellow and managing editor of Lawfare.

The fallout from data breaches is being treated like market failures, but it’s up to Congress to take action with regard to holding companies responsible when they hold massive quantities of Americans’ data.

“We know that there are defined policy tools here. You can regulate, but that’s enormously complex across lots of different domains … and Congress tends to not get it right when they get into complex technology litigation. You can tax, and that is its own difficult question. You can subsidize, think you can give these guys more money to try to keep us safer. I don’t know there’s an appetite for that,” said Hennessey. “We’re really at the point where we’re going to have to start changing the levers in order to correct what really is a pretty profound failure.”

Hurd echoed the role industry must play in taking ownership of its cyber hygiene to better protect its role in the cyber domain.

Congress must push for a discussion on cyber standards, and attempt to define whether industry systems must utilize the most up-to-date software and how long they have to reach proper cyber resilience levels.

“The Equifax attack was not a zero-day attack. Zero-day being a vulnerability in software that has been previously undiscovered. We knew there was patches to the software, and Equifax had not patched the software,” said Hurd.