The Need for Nuance in US Cyber Defense
By Josephine Wolff, Associate Professor at The Fletcher School at Tufts University
It’s not clear that the US is as vulnerable to cyber attacks as we think.
How vulnerable is the United States to cyberattacks? It’s a difficult — and important — question to be able to answer, and those answers are often based on some combination of guesswork and how recently US critical infrastructure has been breached in some high-profile fashion. But in order to make informed decisions about how and how much to invest in cybersecurity, we need to have a clearer idea of exactly what parts of US infrastructure are vulnerable and what types of attacks they are vulnerable to. In other words, we need to go beyond guesswork and examples of successful attacks on US infrastructure to look at near misses and thwarted attacks and what we can learn from them.
As a general rule, countries that have more digitized and Internet-connected infrastructure are more vulnerable to cyberattacks. Countries with electric grids, water treatment facilities, fuel pipelines, and other critical infrastructure running on older technology that is not connected to newer computer networks are usually less susceptible to computer-based intrusions and compromises of that infrastructure. Of course, that doesn’t mean older technologies can’t be hacked — but it’s often harder to do, and especially harder for perpetrators in other countries to do remotely unless there’s some kind of network connection they can access and exploit from abroad.
TO DATE, 2022 HAS FEATURED SURPRISINGLY FEWER LARGE-SCALE CYBERATTACKS ON US CRITICAL INFRASTRUCTURE THAN IN PREVIOUS YEARS. WHY DOES THAT MATTER?
When we think about which countries are most susceptible to cyberattacks, we tend to think about the ones that are most aggressively updating and rolling out new IT infrastructure — countries like the United States. When former government officials refer to the United States as being the country most vulnerable to cyberattacks in the whole world, this is often what they’re basing those assessments on. These assessments about how vulnerable the United States is to cyberattacks aren’t necessarily wrong, but they do tend to be predicated on fairly broad assumptions about how digitized our critical infrastructure is compared to other countries and how many high-profile, public cyberattacks we’ve experienced recently.
It’s an interesting moment to revisit the question of how vulnerable the United States is to cyberattacks. To date, 2022 has featured surprisingly fewer large-scale cyberattacks on US critical infrastructure than in previous years, when compromises of SolarWinds, Microsoft Exchange, Colonial Pipeline — to name just a few — seemed to indicate a complete inability to protect ourselves against foreign intrusions. Of course, 2022 is not over yet, and it’s entirely possible that there are serious cyberattacks occurring right now that have not yet been discovered or made public. But still, it seems worth taking stock of how the United States measures and assesses its own preparedness for cyberattacks, especially since the US government raised the alarm about Russian cyberattacks earlier this year and those attacks — again, so far at least — have largely failed to materialize.
ASSESSING THE US CYBER DEFENSE POSTURE
There are many theories as to why the much-anticipated onslaught of Russian cyberattacks during Russia’s war with Ukraine never occurred, but one possible explanation is that the United States and its allies are simply more prepared than they have been in the past. To support that explanation, the US government has announced some of the pre-emptive measures it has taken to counter Russian cyberattacks, including using secret court orders to remove Russian malware from computers before they could be harnessed by the Russian government for any malicious purpose. Additionally, the US government has launched forums for cybersecurity information sharing to help provide organizations with threat intelligence about emerging cyber risks. Even more recently, the Department of Homeland Security announced new cybersecurity performance goals for critical infrastructure.
The challenge, when it comes to interpreting news stories like these about how the US government has successfully prevented potential cyberattacks, is trying to assess whether they actually reflect a real shift in how prepared US infrastructure is to withstand computer-based compromises or just a one-off victory being promoted by the government to signal its competence. And since no country — and no computer network — is absolutely secured against online intrusions, people are understandably wary of leaping to the conclusion that the United States has finally figured out cyber defense.
After all, it is always safer to predict that a country is vulnerable to cyberattacks than to predict that it is not. The latter claim can be disproven — as soon as a successful attack occurs — whereas the former claim really cannot ever be disproved.
AN OPPORTUNITY TO CREATE NUANCE
At some point, we know that the US cyber infrastructure will fall victim to another serious compromise, and people will take that as evidence that we don’t know how to defend ourselves. But whether there have been recent cybersecurity breaches in the news can’t be our only metric for our preparedness to withstand cyberattacks — otherwise, we have no way of assessing whether we’re making progress or not when it comes to securing our networks.
And publicizing cyberattacks that have been successfully averted is actually a useful and important counterbalance to assessing our cyber preparedness based on successful cyberattacks in the news. These cyber “near misses” give us an opportunity to assess how close adversaries are getting to infiltrating our networks, what stage we’re able to intercept them at, and what changes in our defense posture might have enabled them to succeed.
The US government should continue to publicize these preventive measures to the extent that they’re able to do so without jeopardizing those same defensive efforts. And despite the fact that news stories about averted attacks rarely generate the same level of interest or attention as stories about successful ones, we should take seriously the imperative to incorporate them in our assessments of how strong the US cyber defense posture is, if only so that we can develop more nuanced assessments that allow room for demonstrable progress without expecting we will be able to prevent every cyberattack.
This piece is republished from Inkstick.