Cyber terror in operation

[CharlesHarris]

Opinion by Sean Joyce in The Washington Post - May 12, 2021 at 3:13 p.m. EDT

Sean Joyce was deputy director of the FBI from 2011 to 2013 and currently oversees PwC’s global cybersecurity practice.

The Colonial Pipeline attack — and the panic buying at some gas pumps it has induced — demonstrates the fragility of the United States’ infrastructure and the need for a more modern approach to cybersecurity. Our adversaries understand that the United States has an increasingly digital economy and that much of our critical infrastructure is in the hands of the private sector. Nation-states and criminal groups engage in ransomware attacks, cyberespionage and disinformation operations that fuel social discord and garner headlines. Colonial is only the latest domino to fall.

The United States needs a more organized approach to these cyberthreats — one that enables the private and public sectors to work together ahead of attacks rather than play catch-up after a pipeline has been shut down. We must be able to act before a catastrophic attack and develop a strong, centralized and agile government structure, better integrated with the private sector, that will be able to neutralize the current threats we face.

Today, federal government responsibility for cyberspace is divided among the intelligence community, law enforcement, military, the Cybersecurity and Infrastructure Security Agency (CISA) and regulatory agencies. Several of these agencies have primary responsibility for protecting government networks. These networks are scanned and attacked every day, and the government can leverage all the tools at its disposal to identify, protect against and respond to these threats before they fully materialize.

However, according to CISA, more than 80 percent of the energy infrastructure is owned and operated by the private sector. And these same companies are expected to defend their assets against highly organized criminal groups that are sometimes surrogates for nation-state actors — and to do so without our government’s support.

We need a different approach to protecting our way of life. We need an approach within the government — specifically, one organization, headed by the new national cyber director, with three separate units: one focused on strengthening public-private partnerships, one focused on offensive and defensive operations, and one focused on intelligence-collection, analysis and sharing.

Currently, private firms often do not know whom or where to call inside the government. Sometimes, companies reach out to the FBI, sometimes to the Secret Service, sometimes to the National Security Agency and sometimes to CISA. This causes confusion and inefficiencies. A centralized partnerships unit, which is led by the CISA director and coordinates cyber efforts on behalf of the government with the private sector, could streamline these efforts.

Second, we need to ensure that official responses to attacks are handled in a centralized, coordinated manner by a unit solely focused on offensive and defensive operations. For example, the recent SolarWinds attack by Russia targeting a ubiquitous software application would be handled by this unit. The operations unit would be led by the FBI and NSA (agencies with primary jurisdiction in national security matters) with participation from the Secret Service, Homeland Security Investigations and other relevant agencies.

Third, we need to create an intelligence capability with the private sector. The government has struggled at sharing real-time intelligence; the private sector, made up of innumerable companies, has too. The intelligence and analysis unit would be led by the CIA and FBI to ensure that all intelligence is gathered, analyzed and disseminated appropriately throughout the intelligence community and private sector.

And we need one other big and important change. Contrary to what was the case during many of the threats we have faced in our history, this centralized organization — headed by a national cyber director and composed of the three different units — could be staffed by both the private sector and the government. This would reinforce the public-private partnership needed to combat cyberthreats.

Some of these suggestions are simple and basic. But we have lagged in updating our laws, our regulations, corporate responsibilities and adjusting to a digital, boundary-free world. We must move beyond conjecture and build trust between our government and the private sector if we are to be successful in this endeavor — or we must get used to constant disruption in our critical infrastructure.