At a glance.
- Legislating against foreign election interference.
- Espionage, staging, sabotage, and war.
- Policy implications of the SolarWinds and Exchange Server compromises.
Legislating against foreign election interference.
- States would implement voter-verified ballots, harden voter rolls, and check systems in advance of elections.
- Funds would be set aside for audits and equipment updates.
- A Senior Cyber Policy Advisor would be installed in the Election Assistance Commission.
- The Director of National Intelligence would brief states and Congress on current cyber threats each election cycle.
- Foreign-funded political social media posts would be flagged.
- The President would craft a plan to protect institutions vital to democracy.
Comparable provisions previously stalled in the Senate.
Espionage, staging, sabotage, and war.
Brookings argues against calling Solorigate cyberwarfare, properly understood as “the use of computers to conduct an operation that is intended to have a kinetic effect” like damaging critical infrastructure. Accordingly, the article also advises against involving the military in any response, and cautions that boosting domestic surveillance would repeat the mistakes of the 1950 Internal Security Act, “which did little to prevent espionage and a great deal to enable domestic oppression.” Critics of the Act claim its data collection requirements depressed national security.
In contrast, Deccan Herald reviews what may have been, according to a Recorded Future report, something closer to an act of war. Chinese malware is implicated in last year’s Mumbai grid failure, an event that presented minimal occasion for espionage but tipped authorities off to possible staging efforts.
Ramifications of the SolarWinds and Exchange Server compromises.
SC Media reports that up to 100 thousand Microsoft Exchange Servers may have been compromised (some multiple times), while the Washington Post puts the current upper estimate at 250 thousand. Multiple groups—Chinese and Russian-language—are now apparently engaging in what one expert called a “free-for-all.” For the moment Federal agencies appear to be safe (though CNN warns defense contractors may not be), but smaller businesses along with local and state departments could be navigating the fallout for some time. Some worry the hack could lay the groundwork for a colossal ransomware campaign. The Biden Administration is urging patching and considering enlisting the Unified Coordination Group.
Wired observes that both the SolarWinds and Microsoft Exchange hacks are ongoing, and Microsoft’s patches could soon be reverse-engineered. The article tempers Cybersecurity and Infrastructure Security Agency Acting Director Wales’ comments that Solorigate could take the Government a year and a half to remedy with the reminder that cyberespionage is always with us.
A C4ISRNET opinion piece holds that international alliances, as opposed to a “splinternet” of segregated national networks with diverse regulations, pave the best path forward. Just a handful of countries have adequate cyber defense capabilities, but a norm-building, resource-sharing coalition could make the Internet a safer place.
OODA Loop maintains that the same cybersecurity recommendations have been circulating since the 1970 Ware Report and 1997 Commission on Critical Infrastructure Protection (e.g. info-sharing and public-private partnership), with a couple additions in the 2010 National Security Strategy (capacity and norms building). (Worth noting is the fact that OODA lumps all legal and policy proposals into the same category.) Meanwhile the US burns through ‘cyber czars’ like matches, expensive upgrades have questionable effect, and a modernized workforce is stymied by slow-moving institutions. The private sector is not incentivized to prioritize cybersecurity, and state and local organizations stumble along with limited resources.
OODA Loop considers three possible explanations: the advice is bad, it’s been delivered to the wrong audience, or it’s been poorly implemented. The article suggests the following remedies: build a cybersecurity research repository, make goals measurable, mandate and reward compliance, offer some liability protections while holding operators accountable, mind the margins of norms and diplomacy, and weed out other ineffective recommendations. In short, better policies.