If it seems like cyberattacks are everywhere, it’s because they are.
With the Biden administration set to release its National Cybersecurity Strategy by the end of 2022, the stakes could not be higher for the United States and the projection of security in cyberspace.
The war in Ukraine and rising tensions with China, North Korea, and Iran have increased cybersecurity risks tremendously. Disruptive and lucrative cyberattacks have affected all industries. The rapid deployment of new digital technologies during the COVID-19 pandemic has left public and private organizations exposed to cyberthreats. And, like most nations, the U.S. is facing a massive workforce gap in cybersecurity.
To better protect the country and its allies, the new National Cybersecurity Strategy should address five critical challenges: hybrid wars, nefarious non-state actors, infrastructure defense, supply chain reinforcement, and workforce development.
At Georgetown University, students in the Master’s in Cybersecurity Risk Management program learn to protect organizations from today’s ever-evolving cybersecurity threats. They gain hands-on experience developing and executing integrated strategies, policies, and safeguards to manage cybersecurity risks across an enterprise of any size.
1. From Competition to Hybrid Wars
China is by far the most serious economic competitor challenging the U.S. For years, China has been spying on key sectors using a wide range of technology and cybersecurity tools to steal economic, military, and political secrets to secure a competitive advantage. Major data breaches caused by China have contributed to weakening aviation, biotech, and manufacturing, among others.
Recently, cyberspace has become a major point of convergence between technology and geopolitics. For instance, in 2007, Russia unleashed a large-scale cyberattack against Estonia in a growing political conflict between the two nations. Since then, Russia has continued to use cyberattacks in a hybrid-war framework in which offensive kinetic operations are supported by disruptive cyber operations. A similar approach has been deployed by Russia in Georgia (2008) and Ukraine (2014, 2022).
The proposed National Cybersecurity Strategy must recognize existing and emerging trends regarding threats from nation-state actors and remain flexible and innovative regarding the measures that can address the ever-evolving risks they represent.
2. Nefarious Non-State Actors
Terrorists and criminal hacker groups represent the two main non-state actors posing a serious challenge to America in cyberspace. Domestic and international terrorist organizations have been able to recruit, disseminate propaganda, and inspire political violence through various social media platforms. In some cases, they attacked political and media targets by defacing or overwhelming official websites. Some cyber political activist groups are also responsible for sowing political division using disinformation campaigns on social media.
Criminal groups continue to undermine the security and safety of American citizens in cyberspace by stealing identities, committing large-scale money heists (cryptocurrencies and ransomware), and selling criminal goods and services online.
To address the threat posed by non-states actors in cyberspace, the next National Cybersecurity Strategy should tackle delicate issues related to the use and role of encryption (cryptocurrencies) that provide a shield for bad actors and increase international collaborations with countries that share similar cybersecurity challenges. The strategy should also propose measures to increase the costs of perpetrating criminal activities in cyberspace.
3. Defending Critical Infrastructures
Because the U.S. critical infrastructure is so decentralized and composed of myriad private actors, the National Cybersecurity Strategy should play a key role in guiding and incentivizing private companies, who are a part of the critical infrastructure, to invest in implementing standards.
In critical sectors like energy, telecommunication, and transportation, the government should increase the cost of not adopting cybersecurity standards. Motivators should be used to shift an organization’s culture from complacency to a more robust cybersecurity posture. National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) have been leading large-scale initiatives to increase cybersecurity collaboration between the private and public sectors.
However, these collaborative efforts are solely based on goodwill and voluntary participation of the private sector. This passiveness in participation in federal initiatives to secure national critical infrastructure sectors should be addressed in the National Cybersecurity Strategy to avoid situations like Colonial Pipeline (2021) in the future.
4. Strengthening Supply Chain and Digital Technologies
The COVID-19 pandemic highlighted how the U.S. supply chains are fragile to disruptions. Management of conventional supply chains relies on the use of data analytics and technologies that are vulnerable to cyberattacks. Moreover, the Solarwinds hack of 2020 showed how digital supply chains can be used as conduits to penetrate information systems on a large scale and across the U.S.
As companies and government agencies move in the direction of digital transformation to increase efficiency and effectiveness, cybersecurity cannot remain an afterthought. The National Cybersecurity Strategy should define a clear framework to reduce vulnerabilities associated with the adoption of new technology solutions powered by artificial intelligence, cloud computing, and wireless devices while addressing the inherent security flaws of older technology within industrial control systems. The adoption of models and guiding principles like “zero trust security” should be outlined in the proposed strategy since it can be transposed in a modern security architecture.
5. Developing the Workforce
A 2021 study conducted by ISC2 on the cybersecurity workforce shows that the current need for cyber professionals is estimated at 4.19 million worldwide, but 2.72 million job positions are yet to be filled–a workforce gap which significantly affects the United States.
In other words, the job market is highly competitive for employers and often disadvantages the public sector (state and local governments) to the benefit of the private sector that offers better-paying jobs.
To address this shortage of talent, the National Cybersecurity Strategy should identify incentives and streamline a strategy to increase professional training, increase the quality of working conditions, and invest in workforce diversity. Nonetheless, it will take some time before we reach an equilibrium between demand and supply of cybersecurity talents across industry sectors.