America is Losing the Cyberwar: What’s Next for Our Cyber-Defense without an NSC Cybersecurity Coordinator?

by James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

Rob Joyce, White House Cybersecurity Coordinator and Acting Deputy of U.S. Homeland Security, concludes his tenure today. Anonymous sources, via traditional corporate media, suggest that he may be the final “cybersecurity czar” of the current, and potentially of future, administration(s).  In the unlikely event that the accounts accurately reflect the thoughts of National Security Advisor John Bolton, the United States could soon be at a significant detriment. The coordinator — a post created at the beginning of the Obama administration — leads a team of NSC staffers who manage federal cyber strategy on everything from election security to encryption policies to digital warfare. According to a Wednesday report in Politico, attributed to anonymous sources, National Security Adviser John Bolton is allegedly pushing to “abolish the role of special assistant to the president and cybersecurity coordinator.”  It is important to recognize that especially now, in the age of disinformation, anonymous sources should be considered with a measure of skepticism. In the same story, Politico reports that Christopher Krebs, a top DHS cyber official, “was actively soliciting names” for a new cyber coordinator at the 2018 RSA Conference. In contrast to Politico’s story, in an April statement, White House press secretary Sarah Sanders said that Rob Joyce has “has agreed to stay on as needed to provide continuity and facilitate the transition with his replacement” thereby indicating that Bolton intends to search for a qualified replacement for Joyce [1].

Threats Define the Digital Age

The modern threat landscape is rife with digital threat actors of every variety that weaponize every vector and exploit vulnerabilities in every system. Cyberwarfare is asymmetrical; adversaries no longer have to allocate significant resources or possess extensive technical expertise to perpetrate devastating attacks. Many essential networks and systems remain remotely discoverable and accessible. Niche critical infrastructure personnel are incessantly targeted with social engineering lures and targeted attacks. Despite recent efforts by ICIT, the Federal CISO’s office, and other pivotal thought leaders, many public and private sector critical infrastructure networks remain vulnerable due to an abundance of outdated legacy systems, a disregard or ignorance of cyber-hygiene best practices, and a plague of faux experts, disreputable vendors, and malicious special interest groups hell-bent on undermining meaningful cybersecurity modernization and reform so they can frame themselves as essential while profiting from the inflated risk of adversarial compromise.

America’s malicious adversaries are legion. Russian advanced persistent threat actors (APTs) compromise critical infrastructure systems, meddle in elections, and coordinate pervasive multi-vector Maskirovka-style influence operations. Russian influence operations and associated cyber-attacks will increase as the 2018 and 2020 elections near. Chinese APTs pilfer valuable intellectual property and sensitive consumer information while they leverage an army of insider threats and military hackers in attacks that advance the Thirteenth Five-Year Plan. Recent efforts to remove Chinese manufactured intentionally spyware-riddled devices from sensitive environments could lead to an uptick in retaliatory digital assaults and an insider threat epidemic; especially, as China introduces its mass surveillance Social Credit System and covertly attempts to expand its scope internationally. The decision to end the Iran deal could incite retaliatory digital warfare from Iranian APTs or hail-mary threat cyber-jihadists. Due to the ease of obfuscation and the complexity of meaningful attribution, false-flag attacks, where a sophisticated threat actor poses as a lower-level actor and leaves misleading technical artifacts to shift the narrative are increasing and will become a mainstay of cyber-warfare before the end of 2018. Cyber-mercenaries offer point-and-click or as-a-service attacks and are contracted by other sophisticated and unsophisticated adversaries to launch layers of the client’s multi-vector digital campaign. Cybercriminals infect vital PCs, ICS/SCADA equipment, IoT devices, and mobile systems with crypto-miners, ransomware, remote-access-trojans (RATs), and other malware so they can steal sensitive PII and other data. In many instances, niche critical infrastructure personnel are victims of cyber breaches, and as a result, national security is jeopardized by the risk that a domestic or foreign adversary will masquerade as legitimate users , disseminate convincing social engineering lures, or coerce privileged staff to act as insider threats in order to bypass physical and technical safeguards and gain access to and control over systems and data crucial to the sustained security of the nation and its people.

Iconic Cybersecurity Leadership Combats Digital Threat Actors

Now, more than ever, America needs qualified Cybersecurity, Information Security, and Information Technology leadership and collaborative coordination. National cybersecurity is a non-partisan issue that unifies politically and ideologically opposed factions in the mutually-beneficial defense of America’s critical infrastructure digital and technological assets. There is no definitive confirmation that Mr. Bolton plans to abolish the position(s). Politico’s story was based on accounts from anonymous sources. Most other coverage was derivative of Politico. What is clear and immediately pressing is that as of today, essential cybersecurity leadership roles in the Executive branch remain vacant. Finding qualified and well-trained replacements for Tom Bossert or Rob Joyce will not be trivial. It would be easy to hand off the position to a political appointee; however, without significant technical training and a robust Information Security background, the benefits the positions serve to the country could invert and become exploitable weaknesses. Altogether eliminating the role of cybersecurity coordinator would signal to domestic critical infrastructure organizations, businesses, the public, and foreign adversaries alike that cybersecurity is no longer a priority of the Executive branch.  Foreign adversaries of all affiliations and levels of sophistication will see the decision as a glaring weakness, and as with all lucrative vulnerabilities, they will launch extensive multi-vector campaigns to exploit the vulnerability. Additionally, dissolving the role would regress much of the progress the U.S. has made on cyber efforts over the past few years. Given how the digital landscape has shifted, reverting the United States to a 2009 security posture in the 2018 threat landscape could be a devastating blow to the security of federal, state, and local governments, agencies, critical infrastructure organizations, businesses, and the public. Meanwhile, reorganizing and delegating the responsibilities of the office to a side project of an existing position rather than the sole purview of a dedicated coordinator would imply, whether erroneously or not, to every stakeholder, adversary, and member of the public, that cybersecurity is at best, an afterthought. In reality, cyberspace is the new theater of war. Cybersecurity must be a priority at every level within government, agencies, and critical infrastructure organizations. In fact, in the past, Mr. Bolton has expressed his view that the United States should pursue a more aggressive cyber-strategy with regard to foreign adversaries, such as when in a series of op-eds he called for the US to use its “muscular cyber capabilities” to retaliate against China, Russia, Iran, and North Korea so dramatically “that they will simply consign all their cyber warfare plans to their computer memories to gather electronic dust.” Eliminating the role of cybersecurity coordinator could shift greater control of cyber activities to US Cyber Command; however, there is no guarantee that the transfer would correlate with an increase in offensive digital operations. Further, other nations may see the shift as an act of aggression and would blame the US for every emerging cyber campaign. False flag attacks would be rampant because the United States would be an easy shill. Meanwhile, in the absence of a coordinator, the agencies may revert to their former competitive and siloed statuses. Every intrusion on a government system would be a bureaucratic fight over jurisdiction, and threat actors would benefit from the conflict.

Appointing a New Cybersecurity Coordinator is Difficult, But Essential

Fostering cybersecurity coordination and collaboration should not be a side task to be handled in a deputy’s spare time, and it should not be the responsibility of inexperienced appointees drawn by perceived prestige or influence. Cybersecurity coordination and advisement should remain the hyper-focused responsibility of dedicated and capable thought leader.

The cultivation and appointment of well-trained and qualified leadership are critical to national security. Organizations cannot be left to fend for themselves. Many lack the resources necessary to combat the onslaught of digital menaces. Since adversaries often laterally move up the supply-chain or across associated networks, intrusions are not necessarily indicative of a lack of resources, cyber-hygiene, or even cybersecurity. Systems belonging to virtually every organization in America have been compromised at one point or another. Many are vulnerable or infected right now. Anyone who believes otherwise is naively ignoring the reality of the omnipresent digital threat landscape. Cybersecurity impacts permeate every sector. For instance, attacks on the energy grid cripple the operations of every other sector. Attacks on healthcare networks increase public panic and jeopardize lives. Breaches of agency systems undermine citizens’ trust in the government.

Replacing Rob Joyce will be difficult, but it is unquestionably essential, and the selection of a viable candidate should not be made out of presupposition or haste. The world is more interconnected now than ever, and America is subject to persistent and innumerable digital threats from every variety of adversary, across every conceivable vector. The National Security Council and the Executive branch depend on the cybersecurity coordinator to guide staff on emerging Information Security topics and dilemmas. Since its creation, the role of cybersecurity coordinator has improved government, agency, and other public and private responses to cybersecurity incidents; all indications suggest that progress will continue at increasing rates. ICIT hopes that Mr. Bolton considers appointing a new cybersecurity coordinator at the NSC, and we look forward to assisting the office in every available capacity.

Sources:

[1] GELLER, E., BENNETT, C. and Shafer, J. (2018). Bolton pushing to eliminate White House cyber job. [online] POLITICO. Available at: https://www.politico.com/story/2018/05/09/bolton-white-house-cyber-czar-523430 [Accessed 11 May 2018].

Leave a Reply