Can America expand “civil defense” to cyberspace?

The Biden Administration met this week behind closed doors to discuss the most recent ransomware attack affecting thousands of businesses, and while the White House characterized the ransomware risk as a “national security and economic security priority for the administration,” there is growing frustration among businesses, policymakers, and the public with respect to America’s cyber vulnerabilities.

The attack was timed to take place during America’s Independence Day holiday, when many Federal employees would be less accessible to assist their private sector partners with the response to this crippling hack. The size and scope of this cyberattack was even more significant than those which struck the Colonial Pipeline Company and JBS USA because it was much further reaching and indiscriminate.

Rather than targeting a single company or infrastructure, the perpetrators – believed to be an affiliate of REvil (also known as “Sodinokibi”), which operates predominantly out of Russia – conducted a “supply chain attack” by deploying the ransomware against a managed service provider (MSP).  The victim, Kaseya VSA, is just one of many contracting companies that provide clients with IT support at a lower cost and with more expertise than many small businesses could afford by hiring their own IT personnel.  The SolarWinds hack was similar in that it targeted a MSP but not for ransom.

By infecting Kaseya, the hackers claimed they infected more than 1 million devices and initially requested $45,000 to unlock each one, which would “earn” the criminal gang a total of $45 billion. The hackers presented another option to the world, a collective $70 million for them to unlock all devices at once. Either way, the profits from this cybercrime are staggering and most experts agree that ransomware attacks will not stop so long as there is money to be made.

While the Biden Administration is being criticized for a slow response to this ransomware attack, there could be an explanation for this hesitancy.  Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, pointed out that “Dutch CERT, the Dutch government’s cyber response team, is suggesting that it discovered the vulnerability and notified Kaseya, and that it was actively working with Kaseya to develop and deploy patches,” which “brings up the possibility of a grim scenario in which the ransomware gang learned about this vulnerability, or at least about plans to patch, from someone with advanced notice of the exploit!”

A multi-decade veteran cybersecurity expert, speaking on condition of anonymity, further explained:

“Critics state the U.S. defenders don’t know what they are doing on Cybersecurity but there is the whole black world in state/nation actions that must be taken into account. The Dutch have a sharp eye out on Kremlin actions so this one must play out a bit more. You can be sure the White House is pressuring the Intelligence Community (IC) to be certain on the full story…”

Still, the onslaught of effective cyberattacks targeting American interests over the past year calls into serious question the recent findings of the International Institute of Strategic Studies (IISS), which conducted a two-year “net assessment” of “Cyber Capabilities and National Power.” At least one defense publication summarized those findings with the claim that “no one can match the U.S. as a cyber superpower.”  Critics of the IISS study posit: “America can launch a cyberattack, but can it defend?”

Indeed, some of America’s top national security practitioners have been sounding the alarm for more than a decade that the U.S. needs to bolster its cyber defenses.  Daniel Gallington, Former Special Assistant for Policy to the late Secretary of Defense Donald Rumsfeld, argued in 2011 that we should begin stress testing our critical cyber infrastructures. He wrote:

“…we should enable operational test teams (assembled from the NSA, the new U.S. Cyber Command, Homeland Security and the FBI) to actively probe our cyber infrastructure, both public and private, especially our dot-gov and internal “secure” systems, as well as our Internet nodes and service providers. These activities should be done primarily to identify our vulnerabilities and mitigate the risk.”

Ten years later, this type of stress testing is even more necessary.  Dr. Edward M. Roche, who served as a program evaluator for e-Government and the Internet Governance Forum at the United Nations and who is working on a study of the Cyber Arms Race at the Institute for Cyber Arms Control, recently suggested that we “need the equivalent of a National Civil Cyber Defense Program and an order of magnitude increase in research and development investment for cybersecurity.”

Retired U.S. Army Command Sergeant Major Michael Mabee, author of The Civil Defense Book, argues that our nation’s infrastructure vulnerabilities justify a resurrection of the Civil Defense concept, which calls for a community-based approach and the integration of public and private cooperation to improve community resilience from foreign attack.

But just how do private corporations or state and local governments conduct “civil defense” in cyberspace?

One “civil cyber defense” option may be in line with Roche’s suggestion for an “increase in research and development investment” and might be possible for civilian infrastructure owners to incorporate in their own plants and factories.  Control systems cybersecurity expert Joe Weiss explains:

“Certain infrastructures can guard against having to shut down due to ransomware if they can monitor operations at the control system level or device level. If they invest in device-level monitoring technology and establish a plan for engineers to deploy to infrastructure sites to monitor these systems before an attack, they can possibly avoid having to shut down operations. This can save the company money in terms of continued operations and because they might not feel required to pay the ransom…which in a way, acts a deterrent.”

Weiss’ concept could prove extremely valuable for certain infrastructure owners that use control systems to monitor and control physical processes but would not have helped guard against the Kaseya VSA hack.

Another way could be through partnerships with the National Guard. A good example is the North Carolina Guard’s work last year to warn civilian partners about the dangers of ransomware during its “Cybersecurity Symposium” tabletop exercise that year.

National Guard units are made up of a state’s local “citizen soldiers” and their uniformed cybersecurity personnel are often employed as civilians in the same trade. Infrastructure owners might find it convenient to work with these local professionals but would need to engage the state government’s leadership to do so.

So, as the Federal Government continues to investigate and counter the onslaught of cyberattacks by America’s adversaries, it will be prudent for the nation to keep exploring options for “civil cyber defense,” especially since many experts assess that “the future of national security is increasingly local