The U.S. will remain vulnerable in the cyber domain without a coherent deterrence policy or definitions for digial acts of war, as adversarial nation-states grow their capabilities to infiltrate federal networks and attempt to disrupt critical infrastructure.
Following the massive Equifax [EFX] data breach in September, a greater effort is coalescing to adopt measures that would deter potential threats and increase modernization capabilities, according to cyber experts at a George Washington Center for Cyber & Homeland Security (CCHS) event Friday.
House Informational Technology (IT) Subcommittee Chairman Rep. Will Hurd (R-Texas) is urging his colleagues and the Trump administration to adopt standards for responding to digital acts of war as nation-state actors develop increased cyber tactics.
“If North Korea had launched a missile into Equifax headquarters, we all know what the response would’ve been. Nobody knows what the response should be now, said Hurd. “We still have to be worried about the nation-states. Advanced persistent threats (APT) are still at the top of the food chain, and APT’s are ultimately what we have to defend against.”
Hurd cited the need for an overriding policy for action following attacks from terrorist organizations or nation-state actors involving attacks on the national grid, manipulation of markets or interference with critical infrastructure.
Current “redlines” haven’t been defined to deter nation-state adversaries from pushing the boundaries in the cyber domain, according to a panel at the CCHS event.
“The way that it’s worked out is our adversaries have gotten very good at finding ways to undermine that political will,” said National War College Professor Dr. Richard Andres, who believes economic sanctions, not military action, should be driving force for cyber deterrence.
In his keynote address to the crowd, White House Cyber Security Coordinator Rob Joyce reiterated that any attack on the national power grid would trigger a real response despite currently lacking a formal definition of digital acts of war, including cyber threats from North Korea.
“North Korea is a huge issue. We’re using all elements of national power in there. We’re considering it in terms of the risk,” said Joyce. “North Korea’s a belligerent nation. They’ve chosen to use cyber in the past, and so we’re making sure that we’re attentive to the probability that if cornered or not cornered will use cyber in malicious ways.”
Joyce pointed to cyber resiliency and improved notification protocols as a cornerstone for future cyber deterrence policies as nation-state actors grow capabilities for stealing information in the domain.
“It’s clear that we can’t let other nations hold us at risk through cyber. If this is a nation-state, I’m not saying it is, that amount of data has huge value to intel services and information operations,” said Joyce.
Hurd has already sponsored federal IT modernization legislation, which was included in the Senate’s recently passed defense authorization bill and will help strengthen the cyber security of federal data networks.
“The cloud is secure, you can secure the cloud. We should be transitioning to this as quickly as possible. If we have folks that are responsible for this that don’t understand it, well guess what, get up to speed on it,” said Hurd, who believes the military and intelligence community are lagging as far behind as the federal civilian agencies in modernization efforts. “Don’t be a victim. Most of the major attacks we’ve seen are not zero-day attacks. If you’re patching your network, if you’re doing proper credentialing, you would solve these problems.”
In terms of priorities, Hurd also believes the U.S. should be focused on testing our counter-electronic warfare technology, and focusing on developing quantum computing capabilities rather than artificial intelligence.
“Quantum computing is going to be here sooner than we expect. I know Vladimir Putin said whoever gets AI (artificial intelligence) first” will determine hegemony, but “hegemony is going to be decided by who gets to quantum computing first in real broad applications,” said Hurd.