Russia’s Attempt to Steal COVID-19 Research Signals a Cybersecurity Crisis in U.S.

The unprecedented hack of high-profile Twitter accounts and Russia’s recent attempt to steal coronavirus research could signal a growing cybersecurity crisis.

With an election in November, the ability to manipulate politically powerful and market-moving social media accounts — including those of former President Obama, current Democratic presidential nominee Joe Biden, Bill Gates, Kim Kardashian West, Elon Musk and Apple — should be a wake-up call about U.S. exposure to vulnerable technologies.

While the Twitter cyber scammers’ identity is unclear, the increasing tendency of adversaries to launch cyberattacks against the United States and its allies requires renewed attention from America’s policymakers. For better deterrence and resilience, Congress should provide additional funding and authority to nonmilitary agencies that can better establish norms in cyberspace.

Ideally, nations want to communicate deterrent messages to avoid a military conflict. By signaling what America will punish in the cyber domain, it can prevent accidental escalation and communicate potential costs for future cyberattacks. During the Cold War, both the United States and the Soviet Union slowly established acceptable boundaries for attribution, confirmation and retribution, and how to signal one another over time.

The same sort of quasi-ground rules need to be developed in the cyber domain. In cyber, minor actions can have significant outcomes and trigger significant responses because the major cyber nations have not defined or established cyber norms and redline offenses well enough with sufficient condemnation or economic costs. Cyber actors must understand U.S. redlines and the severe consequences for crossing them.

Recognizing that America faces growing challenges in the cyber domain, Congress enacted the bipartisan Cyberspace Solarium Commission to evaluate current strategy and propose recommendations. However, its report, like the 2018 Department of Defense Cyber Strategy, largely avoids discussing signaling.

To address this gap, Congress should further delineate legal authorities and responsibilities for the Departments of Defense, State and Homeland Security, as well as the FBI. While the National Defense Authorization Act for Fiscal Year 2019 helped clarify the distinctions between the military’s authority under Title 10 of the U.S. Code compared to the intelligence agencies’ ability under Title 50, the State Department and Homeland Security’s crucial role in cyber defense requires greater attention.

Homeland Security has outlined the 16 areas of critical infrastructure. However, the United States lacks a policy statement outlining redlines for each area and how cyberattacks would translate into responses inside or outside of the cyber domain.

With its creation in 2018, Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has a mandate to defend against cyberattacks that target the government — alongside the FBI — and critical infrastructure. Congress could better enable CISA by requiring that critical private-sector companies coordinate with it and by mandating that they report cyber intrusions in a timely manner.

At the end of last year, Congress took a good step by providing a $334 million increase to CISA’s budget over the previous year’s funding for a total of $2 billion. Clearly defined cyber responsibilities and authorities, however, need further refining. A recently proposed House Appropriations Homeland Security subcommittee bill would provide CISA with $2.25 billion, with $11.6 million to create a Joint Cyber Center for National Cyber Defense. These increases are noteworthy, but the budget for this new agency needs a further 50% increase for it to execute its mission effectively.

Next, legislation should institutionalize support for diplomacy about the cyber domain. One of the Solarium Commission’s recommendations, an assistant secretary of State for cybersecurity, could help coordinate links between international trade, information sharing and cybersecurity. The new position has great potential to improve signaling and could better define costs for unacceptable behavior.

A new bill in the House has also called for the creation of a Senate-confirmed “Cyber Director,” a major recommendation of the Solarium report. The United States needs a point person for cyber to create accountability, but the idea of a cyber director has faced pushback from the White House, which has yet to publicize its own alternative.

Instead, Congress could conduct oversight through the proposed assistant secretary of State for cybersecurity or Joint Cyber Center for National Cyber Defense.

As Congress evaluates proposed reforms, Israel’s reorganization of its cyber defense agencies offers a useful model to study. In 2018, Israel merged the National Cyber Security Authority and the Israeli National Cyber Bureau to form the National Cyber Directorate. This new organization now defends Israeli cyberspace and reports directly to the prime minister. American policymakers should consult with their Israeli counterparts to examine how this change has affected Israel’s recent cyber battles with Iran.

Likewise, Israel can be a crucial cyber partner. The two countries collaborated a decade ago on the Stuxnet computer virus that infected Iran’s nuclear program. Similar cooperation should continue in the future.

There is also room for broader cyber defense and intelligence cooperation between America and Israel. The Jewish Institute for National Security of America recommended raising Israel’s information-sharing status to be on par with the United Kingdom, Australia, Canada and New Zealand. This would be a bold policy move that would help U.S.-Israeli cyber cooperation.

America needs to upgrade its approach in the cyber domain and better utilize all levers of national power. Focusing on its nonmilitary capabilities would be an enormous benefit going forward.

RADM David T. Glenn, USCG (ret.) was the director, Command, Control, Communication and Computer (C4) Systems and Chief Information Officer (CIO) of the U.S. Cyber Command. He was a participant on the Jewish Institute for National Security of America’s (JINSA) 2012 Generals and Admirals Program to Israel. Ari Cicurel is a Senior Policy Analyst at JINSA’s Gemunder Center for Defense & Strategy.

Originally published in Washington Times