America’s Cyber Security, Insecurity
In the last few days, we have learned of one of the most massive cyber-attacks in history, targeting hospitals across the nation. Cybercrime is a growing problem, and rapidly advancing technology to enable mobile devices, smart homes, buildings, and industries is outrunning the security needed to protect our lives, privacy, and resources. These advancements offer millions of access points for bad actors to inflict significant damage or threaten lives.
We must also take steps to ensure the safeguards we use to protect ourselves are, in fact, secure. An added risk in this field of cybersecurity is also our reliance on foreign owned companies.
Aware of this threat to America’s safety, in 2018, Congress established the Cyberspace Solarium Commission (CSC) to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences." The finished report was presented to the public on March 11, 2020, and Congress is in the process of turning many of the recommendations into law. Thankfully, of the 54 legislative recommendations within the report, over 20 are included in the House and Senate versions of the 2021 National Defense Authorization Act.
Keep in mind that securing America's cyber systems requires complex collaboration between security experts in numerous industries across the private and public sectors to develop a holistic approach, not limited to vendor, product, or system, but also includes management and oversight of those that maintain systems. Currently, as pointed out by the Solarium Commission, we do not have the processes or entities in place nationally to develop comprehensive solutions.
One key finding of the Solarium Commission was to establish the position of National Cyber Director. Indeed, both the House and Senate held hearings this month with much of the time spent debating just this provision. The House contains the language; the Senate recommends continuing to study the problem. While top level government organization is worth debate, critically needed is recognition and promotion of private sector leadership.
An example of this shared responsibility lies in how many U.S. government agencies, including the military and cybersecurity companies, utilize software to search for, map out, and make sense of cyber threat intelligence.
For example, the current software platform of choice by many U.S. military and government entities used to gather and interpret cyber threat intelligence is not "Made in America." This software was originally developed by a South African company, Paterva, and is now owned by a German private equity firm that does business as Maltego Technologies. Yet, Maltego has been broadly identified as a hacking tool. A cursory review of publicly available resources reveals some potentially alarming concerns in connection.
In fact, Maltego is currently used by the Department of Army Material Command Army Contracting Command, Defense Counterintelligence and Security Agency, Department of Health and Human Services, GSA, Department of Justice Federal Bureau Investigation Headquarters Division, Department of Navy Naval Sea Systems Command, United States Special Operations Command, and the Defense Counterintelligence and Security Agency. This all begs the question: why are so many critical U.S. government agencies using a foreign owned and controlled hacking tool for cyber threat intelligence gathering purposes?
Something else to consider is that some cybersecurity systems require software to be loaded onto the client's computer and cyberinfrastructure. This creates an added layer of risk, which American government agencies and companies should consider – especially if they are foreign owned. No doubt, the appropriate Congressional committees should be more actively engaged in cyber threat intelligence collection.
Still, the Trump administration appears to have taken a hard line against foreign outsourcing by banning the import of Chinese government owned Huawei components. Congress appears to be on the verge of acting to promote "Made in America," including domestic semiconductor manufacturing incentive grants in both the House and Senate versions of the FY21 NDAA. However, the Department of Defense continues to provide waivers to the ban – most recently as this month. Additionally, current legislative language does not go far enough to protect and promote American microelectronics and integration level manufacturing.
In order to maintain a cyber secure nation for the next 50 years, both public and private will need to be cooperatively engaged. This must include taking a hard line to ensure that our most important secrets and personal information are protected by domestic companies that reduce the risks associated with our online and connected digital world. We have risen to the challenge before and must again.
Gregory T. Kiley is former senior professional staff member, Senate Armed Services Committee; and U.S. Air Force Officer