President-Elect Joe Biden’s incoming national security adviser Jake Sullivan told NPR this week that the Defense Department hasn’t granted a meeting to the Biden transition team since Dec. 18. That – Sullivan tells NPR – is complicating the incoming administration’s ability to be read in on the current administration’s response to what experts are describing as one of the most damaging cyberattacks in U.S. history.
The hack, which government officials have privately said was carried out by Russia using previously unknown tactics, compromised both government and private sector systems. The Cipher Brief has spoken with a number of experts on this issue since the hack was first made public and we spoke recently with Cipher Brief Expert Gilman Louie about what we’ve learned from the breach so far and how to begin thinking about protecting the country from another hack of this magnitude.
Louie is a partner at Alsop Louie Partners and is the founder and former CEO of In-Q-Tel, a strategic venture fund created to help enhance national security by connecting the Central Intelligence Agency and U.S. Intelligence community with venture-backed entrepreneurial companies. Louie is also chair of the Federation of American Scientists and on the board of the Mandarin Institute and the Markle Foundation.
The Cipher Brief: What needs to happen right now to ensure that we have full insight into all aspects of this breach?
Louie: Stories are coming out about the affected US government departments, but we also have to remember that this actor pivoted into U.S. networks by compromising major technology vendors.
This is a fast-evolving situation, and every day, almost every other hour, new information is being disseminated. We’re seeing threat intel and information being dropped on Twitter, LinkedIn, company blogs, etc.
We really need the cyber community and the federal government to be collaborating and sharing critical information on tactics, techniques, and procedures to root the attacker out. The faster we can do that, the quicker we can begin remediation.
The Cipher Brief: What level of certainty do you think is needed before the US attributes this breach?
Louie: Attribution is a difficult task, but our investigators are the best of the best. They also hold themselves to a strict standard – to be able to prove, in a court of law, that this breach was built and executed by a specific person or group of persons. It may take time, but they are methodical, and they have been successful with their investigations.
I think that level of certainty is important especially in the current geopolitical environment. The world is still ravaged by COVID; we’re in the middle of a presidential transition. Naming an attacker or group responsible without significant evidence and clear ties would be a mistake.
The Cipher Brief: How much could remediation and rebuilding of the networks in the U.S. cost and how long will it take?
Louie: We know rebuilding the networks for the U.S. government will cost a significant amount of money. The bigger question, and one that will be far more costly, is what’s the cost and impact for the IT supply chain? The truth is, as of today, this is a “billions of dollars” problem that extends far past the U.S. government’s networks. This will take years.
The Cipher Brief: Given what we already know from this breach, what cyber gaps still exist in the FY21 NDAA?
Louie: One of the things we think could be stronger is a threat intelligence and information sharing collaboration environment that spans the DoD, IC, and DHS. We see a coordinated response right now, and that’s great. But a consistent, persistent collaboration will help us be more prepared and share critical intelligence on a consistent basis – so when we do have another breach like this, that intel sharing is a muscle we’ve been exercising all along.
More than just sharing of indicators of compromise, this collaborative environment should enable and support sharing of threat actor profiles and actor modeling. This adversary-focused intelligence can really help our cyber teams mitigate and prevent malicious activity by understanding the risk and prioritizing threat hunt and investigations.
The Cipher Brief: What should be the first act of the new National Cyber Director, should one be named in the first phases of the Biden Administration?
Louie: Yes, Biden should name a National Cyber Director in the first 30 days of his administration.
The Cipher Brief: Can a cyber breach of this magnitude be considered an act of war?
Louie: Maybe not an act of war, but this breach certainly highlights how cyber can be weaponized and how hard it can be to know it’s happening. This was a really stealthy, patient, well-planned attack.
But they still left some trails. It is impossible to cover every track. This is as much a failure of intelligence and intelligence sharing as it is a cyber breach. If we aren’t really tracking our enemies, their intent, and their capabilities, then how can we possibly be prepared?
The Cipher Brief: How do you feel about retaliation once attribution is determined? What are the ‘tools in the box’ that should be on the table?
Louie: If we treat these breaches as National Security threats, especially if they are nation-state sponsored once attribution is determined or clearly nation-state condoned, then the U.S. government can bring the power of the government to meet that threat. Some tools include a proportional cyber response, economic sanctions, tariffs, freezing of assets, suspension of visas, de-listing (of public foreign companies involved in backdoors), criminal action or even a military response if lives were lost or threatened as a result of cyber threat.