Cyber-Follies at Homeland Security
Russia, China, and the balance of the world's bad cyber-actors won't stop attacking American commercial and infrastructure targets like the Colonial Pipeline and JBS, the world's largest meat-processing company, until we make them pay an unacceptable price. Unfortunately, Congress and the federal government accept that grave risk.
America is a sitting duck to cyber-criminals and state actors, who easily harvest our intellectual property, degrade our communications, create false information that influences our politics, and erode our national will from keyboards abroad.
Yes, cyberspace operations are the new nuclear weapons and can be scaled from pinpricks up to attacks that cripple entire countries. The threat is so serious that it ought to capture the attention of every American.
The tip of the threat is cyber-crime, which costs the world perhaps $6 trillion annually, but more worrisome are state-sponsored cyber-attacks. After all, cyber is an invisible weapon to impose a cost and consume resources. No wonder our enemies in Moscow and Beijing host significant offensive cyber-armies and a variety of cyber-proxies that sow discontent and keep America tied down — an effective strategy.
President Joe Biden's promise to put Russian president Vladimir Putin on notice for harboring cyber-criminals is an empty threat. Putin knows that America offers easy cyber-targets, such as last month's ransomware attack, which locked up Colonial Pipeline's computers, leaving East Coast gas tanks empty for more than a week.
Colonial's CEO, Joseph Blount, told the U.S. Senate's Homeland Security Committee, "We have an emergency response process: see the threat, contain the threat, remediate the threat, and restore." That process failed, and so do most major commercial and government-based plans when suffering a sophisticated cyber-attack, which annually affects a majority of American businesses. Twenty-six percent actually pay ransom.
It's of little comfort that our Justice Department retrieved $2.3 of $4.4 million in cryptocurrency Colonial paid to the attackers. The problem is so widespread that it threatens all Americans, and our government is guilty of malpractice.
Senator Maggie Hassan (D-N.H.) responded to Mr. Blount's excuse. "I don't think it's acceptable to understand the critical nature [of the threat and] ... of your product, but then not really have the preparation and the system in place to protect it as if it's critical infrastructure." Hassan continued, "We need to start imagining what can happen, and respond accordingly as opposed to always be looking at what the last problem was and really investing in critical infrastructure."
Just "imagine," Senator Hassan, if, instead of shuttering Colonial, a cyber-attack crippled our electric grid. Richard Andres, a professor at the U.S. National War College, explained the potentially catastrophic impact of a cyber-attack that incapacitates our grid. It would stop all commerce, gasoline pumps, and telephones. City water and sewer would stop flowing, food wouldn't be delivered, hospitals would function a few days on emergency power, National Guard and law enforcement would stop coming to work after less than a week, and then disease and starvation would set in within days.
The blame for this level of vulnerability properly rests with our lawmakers, who exercise blind, mostly uninformed oversight of the cyber-risk. They write laws but seldom if ever ensure that our security investment produces the necessary hardening of our systems.
Too many lawmakers think cyber is something they can't understand, and they are joined by incompetent bureaucrats, such as those at Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Those bureaucrats share responsibility because it's CISA's job to put in place plans, strategies, and mechanisms to prevent and respond to cyber-attacks.
The facts demonstrate that CISA is a catastrophe — a sinkhole for taxpayer money — and its leaders don't seem to have a clue about the cyber threat and how to protect this country from potential ruin.
We shouldn't be surprised that CISA director Brandon Wales testified last month that he believes "that Colonial would not have reached out to CISA if the FBI had not notified the agency." That's quite telling.
Colonial's failure to report the attack to CISA is a major vote of no confidence. Evidently, it's also a knock against Congress. After all, Congress fails to ask CISA's leadership commonsense questions such as these: what have you done with the money meant to harden our cyber-defenses? What's your plan, and how have your plans bought down the cyber risk?
CISA lacks mature strategic thinking and planning. These people have no cyber-strategy, and their infrastructure plans gather dust — eight years without implementation. CISA warrants the "Golden Fleece" award, which was given by William Proxmire, a former U.S. senator from Wisconsin, for the "wasteful, ridiculous or ironic use of the taxpayers' money."
It's not that CISA doesn't have an abundance of guidance. After all, President Barack Obama issued Presidential Policy Directive 21: Critical Infrastructure Security and Resilience. That directive created a collaborative process impacting 16 critical infrastructure sectors, all 50 states, and all levels of government and industry.
CISA, which is the federal government's lead for PPD-21, published a National Infrastructure Protection Plan that affirms that "[o]ur nation's well-being relies upon secure and resilient critical infrastructure — the assets, systems, and networks that underpin American society." Yet we suffered the Colonial Pipeline incident, and that's not all.
Arguably just as bad, the 2020 cyber-attack that compromised a third-party software vendor's system, SolarWinds, led to highly destructive data breaches of federal agencies such as the Department of Commerce and even one at CISA.
Microsoft Corp identified the SolarWinds cyber-actor as Nobelium, a Russia-based actor, which more recently (May 2021) targeted other government agencies, think tanks, and non-governmental organizations. Both the U.S. and Britain blamed Russia's foreign intelligence service for SolarWinds and the most recent hacks.
What did CISA do when it became aware of the SolarWinds attack? It did nothing, initially allowing contaminated, malware-infected servers to sit around like a time bomb. Why? Lack of training and more likely incompetence.
The only good news is that the Pentagon is much better prepared for cyber-warfare than the rest of the federal government. Although not perfect, the Defense Department has cyber-commands and chains of authority to take immediate action to address attacks. It aggressively trains its personnel and creates counters and defensive protection.
So what needs to be done?
In 2019, Congress created the Cyberspace Solarium Commission to answer two questions: "First, what strategic approach will best defend the United States against cyberattacks of significant consequence? Second, what policies and legislation are required to implement that strategy?"
The Commission provided 54 separate legislative proposals, and the 2020 report outlined required action for the Executive Branch as well as private corporations.
What's the response to that report by Congress and the federal government? Crickets! Where are the oversight and needed legislation? Why isn't CISA using its authority to make the U.S. safer?
Congress must aggressively exercise intelligent oversight. Demand that our tax dollars reduce the risk to our infrastructure. This is about survival and our way of life. We are attacked daily, and it is getting much worse.
America must invest in talent, equipment, and informed leadership. We also need a strategy that keeps our many enemies on their heels. Deny them access to cloud space in the U.S. to hide their cyber-tools, and go after those beyond our borders. Remember, we never want to fight the cyber-war at home. Go on the offensive.
Mr. Maginnis is a retired U.S. Army officer and the author of Alliance of Evil: Russia, China, the United States and a New Cold War. His new book, Give Me Liberty, Not Marxism, comes out this spring and chronicles the Marxist threat and how China seeks to radically transform America.
To comment, you can find the MeWe post for this article here.