“Russia, China and others knowingly exploit two fundamental gaps in our cybersecurity architecture. They acquire or co-opt domestic computers and cloud services as a platform to launch malicious cyber operations. They appreciate that our intelligence services are focused on cyber activities beyond our borders, and that these services are generally not allowed to track foreign mischief once it moves onshore. Moreover, the private sector — very much a component of our national security — is largely left to fend for itself against foreign cyberattacks, yielding a situation inconsistent with the federal government’s role of providing our “common defense” under the Constitution.
Addressing these gaps raises enormously complex legal and policy questions about the scope of government in protecting us from foreign cyber malevolence. Yet our understandable hesitancy in confronting these questions allows adversaries to continue to exploit the situation. We must start that discussion and consider how our foreign intelligence services could work with the FBI and CISA — in a manner fully consistent with our values and the Constitution — to pursue foreign cyber maliciousness when it involves using domestic parts of the internet.
To have prevented this hack, we would have had to piece together information from the intelligence community about Russian intentions and activity, link it to hints (from affected agencies or DHS) that some government systems had suspicious domestic internet connections, and then monitor those internet connections. Media reports indicate that the Russians used a domestic internet domain leased from Go Daddy, a reputable and popular host for web domains, to control the malware that was inserted in government networks. Normally a search warrant or other legal process, often taking days, is required before the FBI can fully review the traffic connecting with a suspected malicious internet site. None of the foregoing steps could, at least under current structures, have been taken in sufficient time to detect the attack in the first place; at a very minimum, we could be better structured to stop such attacks from spreading.
There is no single structural or legal solution to the problem of foreign cyberattacks. More robust sanctions against foreign adversaries and better international efforts to stop the export of cyber mischief and bring cyber criminals to justice will also help. Working with other like-minded nations, we need to raise the risks and costs of cyber espionage and cyber damage.
But steps like those outlined above are also needed to bolster our federal government’s defenses and to give us more robust tools to use against foreign cyber wrongdoers. That, along with more vigorous sharing with private businesses of otherwise classified information about the techniques of those wrongdoers, would go a long way to addressing the vulnerabilities of the private sector, and thus help fulfill government’s responsibilities in that regard. As if we needed an illustration of the private sector’s vulnerability, the recent sophisticated attack was undetected even by cybersecurity incident response firm FireEye, apparently itself a victim, with some of its cybertools used to test customer network security audaciously stolen by the intruders.”