Washington Must Take Cybersecurity Efforts Seriously
National efforts to address cybersecurity shortcomings too often seek to treat every problem like cybercrime—solutions meant to scale, at the lowest financial and political cost; the low-hanging fruit. This needs to be addressed.
It is worth remembering, more than a year into Russia’s war in Ukraine, that the conflict was initiated not by an artillery shell or missile or any kinetic action, but with a cyberattack on the Ukrainian financial system with the deliberate aim of terrorizing Ukrainian citizens alongside more conventional cyberattacks on the Ukrainian Defence Ministry, according to Ukrainian intelligence services. As the world would later learn through more acute horrors in the physical world, such crimes were always the plan, not an accident of an army run amuck.
Although Russia has mostly used cyberattacks throughout the conflict for tactical support to its battlefield operations—including successful early efforts to knock out satellite communications—and not the more spectacular attacks on critical infrastructure we have become accustomed to seeing, it is noteworthy they began with an attack on the people of Ukraine themselves.
China is studying the progress of the war in Ukraine for lessons that might inform its own potential invasion of Taiwan, perhaps as early as 2027, according to CIA Director William Burns. But while Moscow has relied on nuclear weapons to deter decisive intervention by the Biden administration and NATO, Beijing is likely to wield a broader toolkit to keep Americans and our Indo-Pacific allies out of any future fight.
This includes the potential for “aggressive cyber attacks against the U.S. homeland” with the goal of “inducing societal panic,” according to the latest threat assessment from the U.S. intelligence community. Whereas the Kremlin has used its cyber capabilities to raise the perceived cost of resistance among ordinary Ukrainians while eschewing potentially escalatory attacks on the U.S. that might draw us into the conflict, Zhongnanhai is preparing to gamble that a shocking cyberattack on the American people—not just its military networks—would make a nation already weary from decades at war reconsider the cost of standing up for Taiwan’s democracy.
Cybersecurity and Infrastructure Security Agency director Jen Easterly warned about this recently when she alluded to plans that an invasion of Taiwan “might very well be coupled with the explosion of multiple U.S. gas pipelines; the mass pollution of our water systems; the hijacking of our telecommunications systems; the crippling of our transportation nodes.”
This problem is worse than it seems. Water systems in the United States are highly federated, matching thousands of individual municipal systems often defended by just a few employees benefitting from minimal cybersecurity investment against the skill and resources of China’s military concentrated at the point of cyberattack—a hopeless mismatch at present.
China’s ability to threaten U.S. infrastructure persists across sectors, driven not only by hacking power but including supply chain threats driven by its manufacturing prowess as well, with a commercial reach that already successful Russian cyber operatives would envy.
For example, natural gas systems have been mentioned in every Annual Threat Assessment of the U.S. intelligence community for the past several years—two of which I coauthored—reflecting longstanding concern. Left unsaid is that many natural gas compressors in the United States are imported from China, meaning that if they are held at risk during a time of heightened tension or conflict the U.S. would be relying on its adversary for replacement parts. This is not a promising prospect for security and national success.
National efforts to address cybersecurity shortcomings too often seek to treat every problem like cybercrime—solutions meant to scale, at the lowest financial and political cost; the low-hanging fruit. But Beijing’s operatives include not only criminals turned to national purpose but uniformed professionals who rival our own in skill, professionalism, and access to cutting-edge resources. They won’t give up just because the front door is locked, and the United States needs to prepare more seriously for what a wartime conflict in cyberspace would look like if fought at home rather than in some distant continent.
2027 is closer than it seems. The kinds of engineering changes, investments, and policies that must be crafted to form a cohesive national defense against this kind of national digital attack take years to put into place under the best of circumstances.
The new U.S. National Cybersecurity Strategy rightly calls for stepped-up responsibility from key private sector players, but the U.S. government must do more to show that it takes its own intelligence assessments of this cyber threat seriously and is taking action proportionate to the risk: unambiguously stating what escalation foreign nation-states can expect if they disable U.S. critical infrastructure by cyber means, akin to the warnings we give for impairing our key national space assets such as early warning satellites; more aggressively declassifying intelligence of a tactical defensive nature—even if it means accepting marginal increased risk to classified sources—with a recognition that it is the same private sector likely to be on the front lines of cyber war; and committing to the defense of critical but under-defended sectors, such as water systems, during wartime with priority more comparable to efforts made to keep U.S. military networks up.
America’s spies are telling us there is a direct, credible, foreseeable threat to U.S. citizens coming in only a few years; it’s past time to take them seriously and move beyond the standard toolkit for cybersecurity.
Christopher Porter is a Senior Fellow with the Atlantic Council’s Cyber Statecraft Initiative. From 2019 to 2022 he was the National Intelligence Officer for Cyber, leading the U.S. intelligence community’s analysis of cyber threats and threats to U.S. elections as a member of the National Intelligence Council.
This article does not represent the views of the U.S. government or any current or past employer.
Image: Shutterstock.