By Chris Williams & Robert Metzger
This week’s FAR & Beyond blog features two guest authors on national security. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.
The world confronts a turning point in Russia’s war against Ukraine. Putin pursues annihilation and seeks to intimidate countries providing support to the Ukrainian people in their heroic struggle to retain independence.
Thus far, Russia has been relatively restrained in its use of cyberweapons. This will likely change. The sanctions imposed by the U.S. and its partners are taking a toll on Russia’s economy and its citizens, especially Putin’s autocrat cronies. The invasion has not fulfilled his expectations. It is not in Mr. Putin’s nature to take such punches without striking back.
Putin has threatened escalation, including the use of nuclear weapons. Russia has powerful cyber weapons with which to counterpunch. Putin has used them before in attacks on Ukraine, Georgia, and elsewhere. The West presents an inviting target set, to Putin’s thinking, spanning government, infrastructure, industry, services organizations and especially the financial systems that now are being employed against him.
No comfort should be taken from Russia’s seeming cyber “restraint” so far. And we should not lull ourselves into thinking that Russian cyberattacks will be transitory annoyances. SolarWinds and other attacks mounted by the Russian intelligence services and their proxies have informed and positioned Russia to conduct even more damaging attacks. Indeed, Russia can direct its cyber weapons to corrupt, degrade or destroy infrastructure and industry in the U.S. and elsewhere. The consequences could be harsh.
Putin knew the West would impose “severe” economic sanctions and invaded anyway. Thus, the hard truth is that present measures are unlikely to restrain Russia from cyberattacks that could take a heavy toll upon our industry and infrastructure, affecting our citizenry. And should China seek to take Taiwan by force, we must assume it will launch powerful cyberattacks against those who help defend the island.
President Biden has recognized the danger of Russian cyberattacks against the United States. On March 21, he issued a statement on our nation’s cyber security, which called upon private sector organizations to “harden your cyber defenses immediately” by implementing best practices. Yet, the statement was not accompanied by a willingness to provide funding to accelerate such measures.
Today the U.S. capability to defend critical infrastructures and key industries, including the Defense Industrial Base (DIB), is limited at best. An urgent and bold national effort is needed to harden and make more resilient the most important networks of government, critical infrastructures, and key industries.
“Operation Warp Speed” showed what our scientists and healthcare industry could achieve to protect the public against the dangers of COVID-19. Foreign cyber threats warrant an effort at a similar scale to protect our government, our economy, and our way of life from Russia, China, and other increasingly hostile actors. Waiting until after the damage is done is not the responsible course. We could find ourselves in a situation where damages suffered are all but unrecoverable, diminishing the status and authority of the U.S. Government and calling into question its ability to provide basic services to the American people.
In 2021 Congress provided the Biden Administration with more than $7 trillion in new spending authority for a range of domestic programs. Yet national security was largely excluded. New funding and priorities are necessary. We now live in wartime, as vividly demonstrated by daily events in Ukraine.
Business as usual is not acceptable. Distinct from strengthening our military capabilities, hardening our most important national infrastructures and key industries must be the centerpiece of a new bipartisan initiative.
Having completed an Omnibus Appropriations bill for the remainder of the current fiscal year, Congress must now turn its attention to how best to bolster our military capabilities and national cyber defenses. A key outcome of such deliberations would be to establish and fund a National Cyber Hardening and Resilience Program.
Such a Program would have three central purposes: (1) provide significant new funding to Federal departments and agencies to accomplish the objectives of Presidential Executive Order (EO) 14028 to move to the cloud, adopt zero trust architecture, and assure software security; (2) provide significant new funding to the responsible Federal departments and agencies to harden the sixteen critical infrastructure sectors; and (3) establish a Cyber Safety Fund to provide low-interest, potentially forgivable loans to industry, giving preference to small- and medium-sized enterprises to bolster cyber hardening and resilience immediately.
The funds needed to implement the Program would be allocated among the Department of Defense, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS/CISA), and the other sector-responsible departments and agencies. We propose that $100 billion be allocated to civilian agencies and the infrastructure sectors, $100 billion for the Department of Defense (DoD) for hardening critical DoD and national networks, and $50 billion for a Cyber Safety Fund. The funds should be designated as emergency expenditures and remain available until expended.
This level of funding is needed to fulfill the objectives of EO 14028. The undeniable reality is that accomplishing the goals of the EO will be very expensive, yet adequate funds have not been appropriated for this purpose.
The Program would promote our national economy by applying proven technologies from trusted U.S. sources to bolster the cybersecurity and resilience of critical U.S. Government and private sector infrastructures, the DIB, and commercial organizations that qualify for loans. Some projects will produce immediate results, reducing our present exposure. The funding will also enable departments and agencies, critical infrastructure operators, DIB companies, and other commercial enterprises to commit to, accelerate and execute larger-scale, longer-term actions that will significantly enhance the nation’s cybersecurity posture (e.g., moving away from legacy IT systems that are indefensible).
The National Cyber Director (NCD) and his team should be assigned the responsibility to coordinate the implementation of this initiative and to synthesize this program with other initiatives to create an enduring, coherent and transformative national cyber defense and resilience strategy. Working with DHS/CISA, DoD, and the other sector-responsible agencies, the NCD would set priorities for Federal funding and related activities and help guide this urgent national investment. This is precisely the priority mission Congress had in mind when it created the NCD position on a bipartisan basis. Primary responsibility for allocating the funds and managing associated programs would lie with the Secretary of Defense, the Secretary of Homeland Security, the Secretary of the Treasury (for the Cyber Safety Fund), and heads of other departments and agencies, with participation of the Office of Management and Budget, the General Services Administration, and the Small Business Administration.
Speed of implementation will be key. Here, Congress should empower Federal officials to utilize all available authorities to streamline procurement of such goods and services and avoid having the routine regulatory system stymie urgently needed actions to deploy cybersecurity tools and resources that U.S. industry can provide now.
One sub-project that deserves high priority is construction of a specially hardened and resilient network with security sufficient to enable continued core operations of the Federal Government even under the worst conditions imaginable. The Secretary of Defense should have responsibility for this national effort. The U.S. Government must continue to function in times of conflict, even after broadly disabling or destructive cyber or other attacks against Government networks and facilities and various critical infrastructures.
We recognize that additional cyber security and resilience funding is vitally important but by no means a panacea. Many additional actions are needed across multiple fronts to strengthen and sustain America’s cyber defense posture.
Some critics will say the nation cannot afford to fund such an initiative or that the Biden administration has other, more compelling priorities. Russia’s invasion of Ukraine demands that all prior assumptions be revised to reflect the imminent threat to the homeland.
In addition, we cite the President’s declaration in EO 14028 (issued months before Russia’s invasion of Ukraine): “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” If we do not invest now to protect and defend, we will spend much more time and resources attempting to reconstitute and rebuild after disaster strikes.
In Ukraine, we are witnessing the determination of a proud people to resist an aggressor willing to escalate violence to achieve its political objectives. We know that use of cyber weapons to attack critical infrastructure is a primary tool of modern “asymmetric” warfare. We must expect and prepare for Putin, Xi, and other tyrants to escalate in the cyber domain.
We have been warned. We must harden our critical infrastructures and key government networks before it is too late. A bipartisan approach to achieving enhanced national cyber defense and resilience is both necessary and feasible. Who in Congress will step up to lead this effort?
Chris Williams served in various positions in the Department of Defense and in Congress. Robert Metzger is a nationally recognized attorney and expert on cyber security.