“Clark, that’s the gift that keeps on giving the whole year.” Cousin Eddie, Christmas Vacation.
For 2021, what kept coming week after week was a slew of cyber incidents. Since last December’s discovery of the SolarWinds breaches into multiple U.S. cabinet agencies and corporate America, we have seen an unending stream of cyber-espionage, ransomware attacks and more. With them came major policy changes and policy failures. Here’s hoping we do better in 2022.
Nation-state cyber espionage and intrusions have become part of “the new normal.” Starting with Russian-backed Cozy Bear breaches and sledding through Chinese-backed hacks on Microsoft’s Exchange Server software, we ended 2021 with a critical Log4j 2 vulnerability that is reportedly being exploited for future ransomware and malicious efforts by the likes of China, Iran, North Korea, and Turkey.
This kind of hacking is not new, but the pace and severity of the threat to national security communications and critical infrastructure are much greater. Our adversaries’ ever-evolving abilities to digitally penetrate our borders have reduced the level of security Americans used to take for granted.
A huge jump in ransomware attacks damaged many critical infrastructure operators, hospitals, businesses, and schools. Targets ranged from the Colonial Pipeline to JBS meatpacking to Kaseya, an IT management software provider. The attack on the latter affected roughly 1,500 organizations.
All this has led government agencies, businesses, and organizations to make cyber security a greater priority—as they must, especially since COVID-19 pushed the world to even greater reliance on IT in both our business and personal lives. Targeted investments to boost cyber security, policy changes and training are increasingly seen as necessities, rather than just nice-to-have.
Capitol Hill continues to debate how government may best respond to the challenge. Lawmakers are often torn between adopting heavy-handed regulation or taking a more collaborative approach with private and critical-infrastructure sectors.
Negotiations over cyber-breach incident reporting bogged down in definitional fights and turf wars. Ultimately, lawmakers were unable to reach an agreement on this basic policy matter—a glaring omission in the National Defense Authorization Act (NDAA), which did manage to contain several important cyber policy prescriptions.
The Biden administration made several well-intentioned cyber security moves through executive order and policies adopted by various agencies with national security responsibilities. Three of the most important changes include baseline standards of zero-trust architecture and endpoint detection and response, multifactor authentication and encryption, and breach reporting requirements throughout the federal government and associated contractors.
The president is reportedly considering a further executive order to clarify the roles of the numerous agencies working in the cyber security arena. The GAO has identified 23 different agencies across the federal government that have cybersecurity roles and responsibilities, many of them overlapping.
Recruitment of cyber talent also remains difficult for the federal government. Of the roughly 500,000 cyber job openings in the U.S., an estimated 36,000 are across government agencies. There is concern that the current hodge-podge of agencies may descend into further bureaucratic malaise, infighting, and excessive surges of spending without producing sound policy and efficient execution.
On the plus side, the administration has signaled some willingness to use Cyber Command and third-country partners to respond more aggressively to cyber attacks, whether the attacks come from state-backed malefactors or prolific ransomware gangs hiding behind Presidents Putin and Xi’s curtains. Whether Putin has actually begun to crack down on these gangs is a matter of dispute between the administration and the FBI.
As we look to 2022, there is much room for cyber policy improvement. Capitol Hill, where cyber policy has stayed somewhat bipartisan and accommodating, needs to stay focused on building out government policies, law enforcement and intelligence community capabilities, and foreign policy approaches without the tired, one-track solution of throwing more money at the problem or growing an already bloated cyber government bureaucracy.
Smart investments, reforms to federal workforce hiring and firing practices, diplomatic bilateral and multilateral inroads to law enforcement coordination through the Budapest Convention on Cybercrime, and truly integrative and timely critical infrastructure and private-sector information sharing to combat ransomware and other cyber threats will be vital.
As artificial intelligence technologies continue to advance and their uses expand, our cyber defensive capabilities must be refined as well, using these technologies to build better layered defenses. The race to quantum computing will require continued investment and collaboration, as will government planning for a post-quantum cryptography landscape. Both should remain national security priorities.
The administration and lawmakers will also need to grapple with the challenges of on-shore supply chain and other cyber-attacks emanating from foreign adversaries hiding behind our visibility and government authority limitations. The private sector continues to build out better observation posts for nefarious network behaviors, and the proper sharing of that information amongst industry partners and government cyber hats will be necessary.
Just as Christmas left Clark Griswold asking, “Where’s the Tylenol?,” 2021 may have left us with a cyber-induced hangover. Unless we take steps to improve our cyber security and preparedness, we may well find ourselves with an even worse cyber headache next year.
This piece originally appeared in 1945