As Washington continues to investigate the true depth of what experts are describing as one of the most damaging cyberattacks in U.S. history, both government and private sector leaders are considering not only the aftermath, but the shifting dynamics of global espionage.
The Cipher Brief is bringing you multiple expert perspectives on the breach and what it means for the future of U.S. national security.
Susan M. Gordon is former Principal Deputy Director of National Intelligence.
The Cipher Brief: What needs to happen right now to ensure that we have full insight into all aspects of this breach?
Gordon: The only way to have full insight—ever—is for each affected entity to do the hard work of understanding their situation from initial vulnerability, to pathway of penetration, to actual loss, and to remediation. There does need to be sufficient pressure on them that they do it quickly, thoroughly, and report on their findings. In addition to answering to their own organization and stakeholders, they must share the information—all of it—with some responsible outside authority who can collect the data so it can be aggregated and shared as part of the way forward. There will be resistance to this latter effort in the name of confidentiality and privacy or even security, but the fact that we don’t share routinely what each experience is, is one of the reasons we are in this mess. Lots of lessons are individually learned, but few are collectively applied. If nothing else, this hack proves again that we are a connected ecosystem, not independent, isolated entities. And the intelligence, law enforcement, and cybersecurity communities need to share what they know with the people who need it, not just with whom they are comfortable sharing.
The Cipher Brief: How should the Trump team and the incoming Biden team coordinate to transition responsibility for dealing with this attack?
Gordon: The first step is to take ALL politics out of this. This was an assault on America, not on one administration or another, not on one party or another. Put finger pointing aside and come together to deal with it. That means the outgoing administration has to use all its power and authority every day they are in office to make sure we are taking necessary steps to understand what happened and begin to recover. And they must do it in concert with the incoming administration so that there is zero daylight in how America responds. I would create an integrated team today. The authority for that team is time-dependent (who holds office), but the collective involvement is necessary.
The Cipher Brief: What level of certainty is needed before the US publicly attributes this breach?
Gordon: I haven’t seen the data, but given that so many who work in this space attribute it to Russia, it seems that we’re close. Remember, FireEye’s pedigree is strong in this space; they would not have been casual, nor would Microsoft. It is ultimately up to the US Government to do the due diligence, but this cannot take the years that it has in the past. If there is real uncertainty, then figure out how to resolve it, quickly, and do the work. I do think it’s interesting that the USG no longer has absolute control over identification, attribution, and notification of attacks. It’s something for the USG to embrace and further advance the partnership with the private sector in defense of the nation’s security.
The Cipher Brief: How much could remediation and rebuilding of the networks in the U.S. cost and how long would something like that take?
Gordon: Lots and long. And it really can’t be rushed; one of our failure modes is that we hurry to repair the immediate, and we don’t use the opportunity to consider other weaknesses. The real challenge is that this hack created the opportunity for the attacker to burrow in. If it was the Russians, they certainly know about stealth, about persistence, and about how to find new opportunity after initial opportunity. So, every organization—government or private—will have to eliminate the immediate threat, assess loss, conduct forensic analysis of other penetrations, perhaps replace the infrastructure, and get better at this. And, while they’re doing all this, with internal resources that may be insufficient, they have to try to continue to execute mission.
The Cipher Brief: Given what we already know from this breach, what cyber gaps still exist in the FY21 NDAA?
Gordon: I’m not sure this is a top line resources thing; I think this is an application of resources thing. It’s not about buying new products and services, it’s about understanding risk and protecting against unacceptable loss, not any loss. And it’s not about more oversight, it’s about more leadership involvement.
The Cipher Brief: What should be the first act of the new National Cyber Director, should one be named in the first phases of the Biden Administration?
Gordon: Admit that defenses can’t be absolute; that loss is a part of doing business in an interdependent, interconnected world; that technology alone won’t save us; that what happens in the private sector matters, and they have to be brought into the fold, fully; and that we need to invest in the people who are responsible for protecting our critical infrastructure and data. I might consider the development of Generally Accepted Security Practices (like financial GAAP) to which all governmental and (at least) publicly traded entities must adhere as a first action.
And then, do real things, not just the “punch list” of things we always do.
On whether we should name one, I’m not generally a fan of “czars”, but we need a serious organizing entity with authority to make us act as one, even as we are distinct and distributed.
The Cipher Brief: Can a cyber breach of this magnitude be considered an act of war?
Gordon: It is a consequential attack on America. It is not simply the age-old profession of espionage being effected digitally. The impact is huge and systemic; the national security and economic costs will be massive; and our inability to ever fully assess the extent of their penetration means we cannot be sure that they have not laid the foundation for physical destruction.
It demands response, and in finding our voice and our way forward, we will begin the establishment of enforceable norms and ultimately deterrence. That “it hasn’t worked to date” cannot be justification for inaction.
The Cipher Brief: How do you feel about retaliation once attribution is determined? What are the ‘tools in the box’ that should be on the table?
Gordon: I worry that when we use the word “retaliation” we imply a cyber response. Cyber response is one tool in our toolkit, but just as technology can’t be the sole solution to defense, neither can cyber be the sole response to attack. Diplomacy, economic sanctions, expulsions, political isolation, and even physical action (in some cases) should be on the table.