Deterrence of nation-state cyber adversaries comes in many flavors, but the operating model suggested this week by a House Armed Services Committee member lacks neither impact nor directness.
Speaking at the May 4 Hack the Capitol conference, Rep. Rob Wittman, R-Va., discussed a range of ways for the U.S. to sanction nation-states that launch cyberattacks against U.S. assets, particularly the high-visibility assaults uncovered earlier this year that struck at thousands of private-sector and government networks.
Some sanctioning activities, he said, ought to be the kind that “don’t make the headlines,” and that also compel adversaries to expend resources to better protect their own systems from retaliation. On the whole, however, sanctions against adversaries should be emphatic in order to achieve deterrence, he said.
Adversaries, Rep. Wittman said, need to “understand that if there’s an effort that they perpetrated against the United States, or companies in the United States, or for that matter, United States interests, that if we receive a kick in the knee, that they will receive a punch in the face.”
“I really believe that that’s [a] way that we can deter those sorts of actions,” he said. “Remember this is that round where everybody is probing … they’re looking and seeing what happens if we do this, what happens if we do that, and that behavior gets ramped up pretty precipitously.” If adversaries don’t receive a sufficient response, he said, they will not be deterred from further action and will conclude, “let’s do a little bit more.”
“I want to make sure that we look at all of the different aspects, not just protecting our systems, but also understanding what we can do to deter through our efforts to invoke a time and cost element on our adversaries,” Rep. Wittman said.
Elsewhere in his comments, the congressman said that individuals need to become more skillful at protecting their own information, and referring to smartphone technology, said, “I believe that each individual needs to understand the true impact of what they have in their hand.”
“The information that gets put out into the cyber sphere is incredible,” he said, adding individuals “need to understand what they need to do on their personal communications devices, those things are incredibly important, and that just increases by orders of magnitude what we need to do to protect our systems.”
Helping that individual awareness effort, the congressman said, “goes back to education” including greater emphasis on STEM education.
“We hear a lot about STEM,” he said, “but what we want to do is to make sure we’re doing even more to invest in STEM education and the elements of what we need to do in science, technology, engineering, and math, and how those elements are what we do to construct systems that are not as vulnerable to protect that data, to make sure that people understand how the pieces of these systems work so they themselves can make sure that they protect the information that they exchange.”
“I think that is incredibly important,” Rep. Wittman said, adding, “STEM, I believe, is the realm of the future.”
CISA at Quarterback
Speaking at the same event, Rep. John Katko, R-N.Y., ranking member of the House Homeland Security Committee, said that the Cybersecurity and Infrastructure Security Agency (CISA) needs the funding and authority to act as the “quarterback” in charge of improved cyber defense and response capabilities for the Federal government and U.S. critical infrastructure.
CISA, he said, “currently lacks the resources and authorities to have adequate visibility into the real-time cyber threat landscape across the .com domain” and “desperately needs more centralized real-time visibility into the entirety of the civilian government.”
“The current confederated model is simply not sustainable,” the congressman said.
The Homeland Security Committee in March approved a bill sponsored by Reps. Katko and Bennie Thompson, D-Miss., chairman of the committee, that would solidify CISA’s role in protecting critical infrastructure – particularly in the area of industrial control systems – from cyber threats.