US Congress, warning of cybersecurity vulnerabilities, recommends overhaul

The US has condemned foreign operations aimed at intruding in American networks to influence elections or penetrate energy grids. PHOTO: REUTERS

WASHINGTON (NYTIMES) - A year-long congressional study of American cyberspace strategy concludes that the United States remains ill-prepared to deter attacks, including from Russia, North Korea and Iran. It calls for an overhaul of how the US manages its offensive and defensive cyber operations.

The report, mandated by Congress and led by a bipartisan group of lawmakers, says the military needs far more personnel trained for cyber operations. It also says that Congress needs to dedicate committees to cyber operations, and that the public and private sectors need vastly improved defences created in layers, along with more aggressive offensive actions inside the networks of other nations.

Those steps would be intended to drastically raise the cost of attacking the US or its companies.

"The US government is currently not designed to act with the speed and agility necessary to defend the country in cyberspace," the final report of the Cyberspace Solarium Commission concludes.

"We must get faster and smarter, improving the government's ability to organise concurrent, continuous and collaborative efforts to build resilience, respond to cyber threats, and preserve military options that signal a capability and willingness to impose costs on adversaries."

Independent Senator Angus King from Maine, who is a co-chairman of the commission, said in an interview: "There is rarely a silver bullet; there is silver buckshot."

Many of the actions in the 122-page report can be taken by Congress, including transforming the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, into a rapid-response group akin to how the Federal Emergency Management Agency is supposed to react to natural disasters.

But other steps would require active support from the White House. President Donald Trump's staff is famously reluctant to bring cyber-security issues to his desk for fear that he would again conflate recommendations for improved defences with discussion of Russia's efforts to interfere in American elections. He considers that tantamount to questioning the legitimacy of his presidency.

The White House has also been secretive about current policy: The administration refused to share with Congress, or the commission, the presidential order signed in August 2018 that gave new powers to the military's Cyber Command.

The commission stops short of addressing one of the central conundrums of current cyber operations. The US has condemned foreign operations aimed at intruding in American networks to influence elections or penetrate energy grids. But at the same time, the report calls for an acceleration of US strategies in which Cyber Command and the National Security Agency go deep inside Russian, Chinese, Iranian and North Korean networks, among others, to see attacks massing or to take preemptive action to deter an adversary's operations.

In order to reach international agreements on what kinds of actions are permissible, the US must be willing to say what kinds of offensive techniques it is willing to give up. US intelligence agencies and the military have resisted such discussions.

"I don't think we should take any options off the table if we are attacked," said Rhode Island's Democratic Representative Jim Langevin, who is on the commission and the chairman of a House sub-committee on intelligence and emerging threats. "We will not in peacetime take down infrastructure."

The report endorses the current concept of "forward defence" or "persistent engagement" so the US stays inside foreign networks. But it argues for penalties against those who steal intellectual policy, interfere in elections or manipulate data in the US.

"Those that would violate those norms should be held accountable, with public shaming and sanctions or indictments, using all tools of national power," Mr Langevin said.

Many of the commission's proposals have a bureaucratic feel, even if they might help lead to a better coordinated strategy. While the White House has had a cyber-security coordinator, the job was downgraded by Mr John Bolton, who was dismissed last year as national security adviser. The position created by the commission would be confirmed by the Senate and report to the President.

The commission was created in part to assess why America's response to nuclear weapons deployment was so focused and its response to cyber strategy so disorganised. While nuclear weapons have not been used in war in nearly 75 years, cyber weapons - far less drastic in effect - are used all the time against government and industrial targets and private individuals. In the absence of a single major, catastrophic event, the fear was that Congress was not focused on daily, corrosive cyber battles.

"This is almost like a 9/11 commission in the absence of a 9/11," said Republican Representative Mike Gallagher of Wisconsin, a co-chairman of the commission. "We are attempting to galvanise the American public and spur a change in the status quo prior to that huge cyber attack."

To better deter adversaries, the commission calls for both quicker attribution of who is responsible for cyber attacks - easier to advocate than execute - and a clearer, more public discussion of America's military cyber operations aimed at countering such adventurism.

Under the Trump administration, the government has taken some steps to shore up its cyber capabilities and use them more aggressively.

Mr Trump, from time to time, has favoured cyber attacks over traditional, physical strikes. When Iran shot down an US drone over the Persian Gulf last year, Mr Trump called off airstrikes but allowed a cyber attack that hurt Teheran's ability to strike oil tankers covertly in the Persian Gulf. There were attacks on Russia's Internet Research Agency before the 2018 congressional elections.

The Pentagon is already beginning work on one key proposal: an expansion of the nation's cyber ranks. Cyber Command was formed with 6,200 personnel but has since expanded its missions to encompass far more operations aimed at potential adversaries, Mr Gallagher said.

"Three years from now, we could be looking at that as a recommendation that results in an expansion of the cyber-mission force," he said.

General Paul M. Nakasone, the head of Cyber Command, testified last week that the Pentagon had already ordered a study to potentially increase the number of personnel.

The cyberspace commission was modelled on work done in the Eisenhower administration, the original Project Solarium, which ultimately shored up the containment policy of the Cold War and focused the military on building a broad deterrence policy around nuclear weapons.

Cyber operations are of growing importance, but they are not yet as central to US security strategy as nuclear weapons were in the 1950s. Still, just as early Cold War strategists needed to build up the nuance of deterrence around nuclear weapons, national security experts today are wrestling with how to deter adversaries in cyberspace.

To build up deterrence, a key recommendation of the commission is that the US speak more clearly about its cyber operations, which are shrouded in mystery.

"Saying we will respond at a time and place of our choosing is not sufficient," Mr King said. "That is too mushy. There has to be a communication that there will be a response in a timely manner."

Join ST's Telegram channel and get the latest breaking news delivered to you.