While we do not yet know the extent of the damage done, the SolarWinds cyber-attack is a sobering reminder that bad actors are actively at work against the United States. Now more than ever, it is critical that we contain and remove all malware and secure our government networks. To do this, the federal government must ensure a coordinated and robust response, pulling resources from wherever necessary, including utilizing Defense Support of Civil Authorities (DSCA), private sector collaboration, and sector-specific agency teams to quickly identify the depth and extent of the breach.
R Street Institute Senior Fellow Bryson Bort argues that, “Everyone can and will be hacked, but the extent of this compromise is a failure of our current approach to cybersecurity. We need to treat computer product security like we do safety. In the 1960s, Ralph Nader changed the automotive industry by forcing the adoption of the seatbelt. Here we are in 2020, and our computers are Unsafe at Any Speed. It is unacceptable to continue in 2020 as we did in 1990. We must do better and invest more into cybersecurity.”
Senior Fellow Paul Rosenzweig points out, “SolarWinds demonstrates two things. First, that no system is invulnerable to attack; and second, that the lack of imposed consequences on adversaries invites further intrusions. President Trump’s continuing failure to address Russian cyber espionage invited the SolarWinds intrusion.” The lack of focus on cybersecurity, the removal of the White House Cybersecurity Coordinator, and a weak strategy have led many, including Tom Bossert, former Homeland Security Adviser to President Trump, to argue that more must be done.
Still, we need to be careful about throwing out what progress has been made when it comes to cybersecurity. Some have argued that this breach shows that offensive cybersecurity, namely the Defend Forward concept, has failed. Senior Fellow Gary Corn cautions, “Defend Forward is neither a panacea, nor the culprit here, and those who are already calling it a deterrence failure don’t understand the concept. [The] lack of consequence has encouraged, not deterred our adversaries. But Defend Forward is not strictly about deterrence, it is about disruption.” He continues, “Any strategy that does not incorporate operations forward to actively disrupt adversary capabilities and threats is flawed. We don’t declare counterterrorism a failure because it fails to disrupt every enemy attempt. The run of Defend Forward is too short to draw any conclusions at this point.”
This attack has shown how many of our most important government agencies are dangerously vulnerable. If the U.S. government wants to protect itself, it needs better detection of and better resilience against this type of malicious cyber activity. It also needs better coordination when it comes to disclosing breaches. While the Cybersecurity and Infrastructure Security Agency (CISA) has responded to the emergency quickly, the department has long been under-resourced and under-staffed. It is imperative going forward that CISA is bolstered with better funding and clearer authority so that our country has an adequate response capability.
It is vital that we do a better job protecting our nation’s critical infrastructure. According to Fellow Kathryn Waldron, “The SolarWinds hack has proven the extent to which a cyber-attack can devastate our supply chains. A similar attack on our 5G networks or other critical infrastructure could be even worse. Cyber is only going to play an increasingly critical part of great power competition going forward. The United States needs to make sure it can fend off any Advanced Persistent Threat––whether it be a ‘cozy bear,’ a ‘panda’ or anyone else.”
Senior Managing Fellow Tatyana Bolton adds, “We need to re-examine the risks that the United States is willing to take with its national security. We cannot be better prepared for a land war with China than a digital war with China. We need to address both risks now.”
The R Street Institute believes there are a number of recommendations from the Cyberspace Solarium Commission report that the Biden administration should adopt to make America more cyber secure. These include:
- Updating our Cyber Strategy (recommendation 1.1)
- Creating the position of National Cyber Director (recommendation 1.3)
- Strengthening CISA (recommendation 1.4)
- Fixing the coordination problems with sector-specific agencies and improving sector risk management through Sector Risk Management Agencies (recommendation 3.1)
- Developing the ability to call a Cyber State of Distress tied to a Cyber Response and Recovery Fund (recommendation 3.3)
- Developing an industrial base strategy for information and communications technology to ensure trusted supply chains (recommendation 4.6)
- Establishing the Joint Collaborative Environment (recommendation 5.2)
- Strengthening the public-private integrated cyber center at CISA (recommendation 5.3)
For its part, the R Street Institute has launched the Secure and Competitive Markets in the Digital Age Initiative. This initiative aims to bring together experts from cybersecurity, economics, law, national security and other fields to create a cohesive national strategy for securing the ICT supply chain that balances the considerations of both the American free market economy and national security.
In addition, the R Street Cyber team recommends that the Biden administration establish transparent criteria for determining which foreign companies represent a national security threat. The administration should also encourage the diversification of companies that comprise U.S. supply chains to avoid a security monoculture where one common vulnerability can take down multiple agencies at once.
The SolarWinds hack has been a devastating lesson in why it’s important for our nation to remain cyber vigilant. It’s up to President-elect Biden to ensure this is a lesson we never have to repeat.
- “Tom Bossert”: https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html
- “Defend Forward”: https://www.lawfareblog.com/operationalizing-defend-forward-how-concept-works-change-adversary-behavior