More Cyber Offense is not a Defense

Ask any cyber expert which countries are best at hacking infrastructure, and you’ll hear mention of Russia, China, America, Britain, and Israel. These countries enjoy the universal recognition that their militaries can electronically cripple pretty much anything they desire. And while operational testing might be required for new malware, public saber-rattling creates zero meaningful reputational gain. It does, however, increase the risk of losing important hacking tools to an adversary.

Despite this, the US government is now flexing its cyber offensive muscles more aggressively. Such action is apparently in response to Russian interference in US elections. It is also prompted by Russian cyber operations that have targeted foreign power grids, including Ukraine's. Obama began this cyber escalation by ordering secret attacks against Russian electric power systems toward the end of his second term. It is unclear what effect, if any, such action had on Russia or any other US adversary.

The Trump Administration and Congress raised the stakes by empowering US Cyber Command to operate more autonomously in this area. Both the Military Authorization Bill passed by Congress last summer and the recent National Security Presidential Memorandum 13 send a clear message: If General Nakasone wants to launch a cyber offensive, then he need not waste time asking permission. John Bolton reinforced this message to any nation that chooses to take on the US in cyber: “You will pay a price,” he said.

Predictably, the media has focused on the political aspects of this increase in cyber offensive activity. Most recent articles on the US Cyber Command incursion into the Russian power grid focus on whether Trump was briefed on the initiative. This seems irrelevant, because the recent legislation and memorandum specifically direct such action. In my opinion, the more consequential issue for debate is whether advancing offensive attacks on critical infrastructure, such as electric power, is a reasonable and proper strategy.

Here is my view: Despite clear attribution of offensive activity to Russia, and despite the satisfaction that comes with giving an adversary a taste of their own medicine, my belief is that Congress and the past two US Presidents – both Obama and Trump – have embarked on an ill-advised offensive strategy. By engaging openly in targeted attacks on power grids, we prove nothing about our massive capability, and we legitimize attacks on the very types of systems that should be considered off-limits in any civilized society.

The correct US national cyber strategy would involve redirecting our energy toward two objectives: The first would be to significantly bolster our national cyber defense to create distance in our protection capability from other nations. And the second would be to inspire, recruit, and attract a significant portion of our youth to serve our nation in a cyber capacity – presumably to help to defend our critical infrastructure, perhaps including select commercial entities. Let’s examine each objective more carefully:

The presumption that US critical infrastructure, including our complex power grid, is easy pickings for cyber adversaries is not acceptable. Commercial entities with this level of responsibility must step up to thwart inbound malware breaches. Period. If the senior leadership of a company supporting critical infrastructure won't accept this responsibility, then they should be replaced. Our emphasis should be on defending infrastructure, rather than trying to influence adversaries by displaying already well-established offensive prowess.

Every coach knows that defense wins championships. And yet, in cyber security, we have grown far too comfortable with the asymmetry between offense and defense. In fact, the cyber offense has gotten so far ahead of the defense that displays of raw hacking power are simply no longer impressive. It’s like the Bannister effect: Once someone runs the mile in four minutes, it becomes a lay-up for everyone else. As such, no one is newly impressed that the US is in a power grid: It's already a recognized and fully-banked capability.

If we choose to make progress, then Bolton, Nakasone, and acting Homeland Security secretary Kevin McAleenan must focus on defense. What we have instead is an under-funded DHS team that is unable to attract and retain the best talent. Our nation relies on an antiquated perimeter defense called Einstein that would be considered insufficient to protect a small regional bank, much less the entirety of our non-military infrastructure. At the risk of sounding glib, I believe we have an all-star offense with a minor league defense.

If the US wants Russia to take note, then improving our defenses against inbound attacks should become the primary goal. It’s beyond the scope of this note to explain the specifics of how this is done, but one would expect modern security techniques such as massive de-perimeterization, micro-segmentation of virtualized cloud-based workloads, decentralization of passwordless multi-factor authentication, and automation of AI-based incident response workflows to be central themes in our new national strategy.

The second objective to improve our posture should involve a well-funded national program to attract young people to serve our country in cyber security. I’ve written about such a program, and have generally dubbed it the US Cyber Corps. But perhaps we should consider taking this idea to a much higher level. Perhaps we should consider a program of national service for young people in the last six months of their high school studies. The program could provide a bridge for youngsters into cyber security.

I would envision starting with a two-week boot camp for youngsters to learn the basics of IT security, networking, software, and infrastructure protection. This training would commence in December, and youngsters would be assigned (in-person or remote) to a civilian agency until they enter university nine months later. The program could include scholarships for particularly capable youngsters to have their university studies (in computer science, of course) paid for by the government, in return for several years of service post-graduation.

I know that some of you will say that such programs already exist – and yes, I’ve seen evidence of Cyber Corps scattered around some agencies. But we have nothing resembling a comprehensive program akin to the Peace Corps in the early 1960s. I see zero downside to such a program, and I could easily imagine industry and academia chipping in to help with costs. At the absolute minimum, I would imagine our tech-savvy youth helping to bring about valuable shifts in culture toward improved IT operations and cyber security.

Let me know what you think of all this. I see virtually zero debate in the mainstream media about the embarrassingly ineffective cyber defenses we've established as a nation. We debate whether we have enough planes and tanks, but rarely debate whether we have enough MFA-enabled secure access to critical applications. Instead, we’ve adopted the defeatist attitude that breaches are inevitable and that debate about defense is a waste of time. I believe this is wrong, and I recommend that we more seriously focus on protecting our infrastructure.

My argument can be summarized as follows: Cranking up our cyber offensive attacks on foreign critical infrastructure, along with the associated political rhetoric and public posturing, is not a reasonable means to a more secure nation. The United States – and all other countries – should focus on defense, recognizing that the end goal should be to put the offenders out of business. This will not be easy, but lobbing more offense at our adversaries is an enormous waste of time – and proves nothing to anyone.