Three Cybersecurity Questions from the Colonial Pipeline Hack
The recent hack of the Colonial Pipeline resulted in dramatic images of people lining up at gas stations and (supposedly) filling shopping bags with gasoline across the South and Mid-Atlantic. It is, however, only the latest in a long line of cyberattacks by both nation-states and independent criminal groups (and in some cases elements of both working together) against the U.S. government and critical infrastructure. The frequency and destructive capacity of these attacks indicates that the public and private sectors aren’t responding to the threat fast enough.
In January, the United States accused Russia of infiltrating networks belonging to the Departments of State, Commerce, Homeland Security, and the Treasury. In April, a cybersecurity firm hired by the U.S. government found that Chinese hackers had compromised dozens of U.S. government agencies. The Russian hack of SolarWinds and the Chinese exploitation of Microsoft were made public that same month. Chinese infiltrations into Equifax and the Office of Personnel Management, in 2017 and 2016 respectively, gave the Ministry of State Security access to the personal and financial information of millions of Americans. Iranian, North Korean, and Venezuelan operatives, as well as transnational criminal organizations, also are targeting Americans.
In the face of such an onslaught, America’s defensive capability is inadequate. Whatever steps the federal government may have taken in recent years to secure its systems—and the SolarWinds hack indicates that those steps have been small—the Colonial Pipeline fiasco illustrates the larger problem: Any number of capable adversaries can inflict harm on the country without attacking the government directly.
The debate over the cyber domain in some ways mimics that of nuclear weapons during the Cold War, when there were two schools of thought about the best way to prevent a Soviet first strike. One theory, which found its clearest explication in the Strategic Defense Initiative, was to have a strong missile defense. The other was to rely on a credible and resilient second-strike capability to deter the Soviets, which was one of the origins of the nuclear triad. For the most part, deterrence beat out missile defense to become America’s strategy. But by failing to invest sufficient resources in missile defense, it’s also likely the United States sacrificed both strategic technological advantage and peace of mind. It is not clear if deterrence was the best option in the nuclear domain in the twentieth century, nor if it will be in the cyber domain in the twenty-first.
But it is clear that the assumptions about nuclear weapons do not apply to cyberweapons. Nuclear weapons can’t be used in secret. Unlike nuclear weapons, cyberweapons have already been used by multiple states and non-state groups quite casually. Nuclear weapons require sophisticated resources and programs, unlike cyberattacks which a small group of people with easily accessible technology can launch from their homes.
The government can’t assume that the comfortable constraints of the Cold War will apply in the cyber realm. Congress and the executive branch need to form a new cyber defense strategy, and they should start by answering three questions:
Can cyberwarfare be separated from other domains? Land and naval campaigns have mixed for as long as there’s been recorded history of warfare. Since World War I and especially World War II, neither has been separable from the air domain. Yet conventional warfare has persisted without the use of nuclear weapons since 1945. To what extent can and should the cyber domain be kept separate from the other domains? Should the United States announce a new deterrence strategy that includes the possibility of kinetic retaliation to cyberattacks?
Is it time to publicize retaliatory attacks? When deterrence breaks down, it requires a public act of reprisal to reestablish it. After Iran-backed proxies attacked the U.S. embassy, the United States killed Iranian general Qasem Soleimani to demonstrate publicly the price of attacking Americans. In other words, the Trump administration did not hide the enforcement of deterrence. The United States, however, does not publicize its retaliatory attacks, but the news of enemies’ strikes frequently makes the headlines. This injures national morale at home, while boosting our adversaries’ propaganda. The concern with publicizing deterrence is that it incentivizes an adversary to retaliate to save face before its constituents, and that could lead to escalation.
What is to be done with non-state hackers? The Colonial Pipeline attack was piracy, not warfare.While it is unlikely that Vladimir Putin had given direct orders for the attack, his intelligence and state security ministries have cooperated with organized crime and allowed it to prosper in Russia. The situation is similar to the case of al Qaeda under the Taliban’s sanctuary in Afghanistan. But also, Russia, with thousands of nuclear warheads, is not the Taliban. Americans need to think seriously about pirates and cyberterrorists who are supported by state actors. Our adversaries benefit from cyber piracy and terrorism against us.
Cyberwarfare is becoming an element of great power competition. The Biden administration has prudently elevated the role of cyber domain in national security by creating a National Cyber Director for civilian defense. This is a welcome development—but the issue is far from solved.