This article originally appeared in Forbes.
Cybersecurity risks to national security are evolving as hybrid wars are changing the threat landscape. There is an urgency to examine the scope and limitations of existing strategies and frameworks in the United States and the North Atlantic Treaty Organization (NATO) alliance and identify the core cybersecurity challenges that the U.S. and its allies must overcome.
Cybersecurity a Top Priority
In 2010, President Barack Obama declared cybersecurity a top priority and announced the creation of a new White House office dedicated to cybersecurity issues. This decision responded to growing cyber-attacks against U.S. government agencies, critical infrastructure, and private sector entities. Since then, cybersecurity has remained a top national security priority for the United States with subsequent administrations continuing to prioritize cybersecurity issues and invest in efforts to improve the nation's cybersecurity posture.
In the past few years, a tense geopolitical environment and evolving technology have rapidly increased the complexity of cybersecurity risks and their implications for U.S. national security. Hybrid war and the changing threat landscape in cyberspace have increased the risks of confrontation between nation-states. The cybersecurity strategies and cyber warfare doctrines developed by the United States and its allies, given their scope and limitations, need more collaboration and implementation to address the core challenges that the United States and its allies are facing.
Hybrid War and the Changing Threat Landscape
Since the invasion of Ukraine by Russia on February 24, 2022, the global cyber threat landscape has changed considerably and now involves more aggressive state actors engaging in hybrid warfare. Cyber operations are spilling beyond the Ukraine conflict, with the cyber battlefield ranging from social media platforms to private/public information networks to critical infrastructures. For instance, Killnet, a pro-Russian hacktivist group, has engaged in several cyber-attacks against Western companies, media, government services, and NATO. These cyber-attacks sometimes cause direct physical consequences, such as disrupting access to critical services and resources (e.g., Viasat's satellite network).
The volume of global cyber-attacks in 2022 increased by 38% compared to 2021, and recent data and reports show that cyber-attacks on NATO member countries have increased by 300%. Western countries are also directly engaged in this hybrid warfare by fending off cyber-attacks launched by Russia and conducting information warfare operations in Russia and former Soviet Union countries.
Hybrid wars present a severe potential for escalation of conflict and increase the risk of a direct confrontation between nations. As the conflict in Ukraine progresses, the frequency and intensity of cyber warfare are likely to increase and significantly raise the stakes for the national security of the United States and its allies. Unfortunately, there are no universally accepted normative and operational frameworks for cyber warfare, as the concept itself is still evolving. Nonetheless, a series of initiatives were enacted to strengthen the national security of the United States and its allies through cybersecurity strategies and frameworks.
U.S. National Cybersecurity Risk Strategies
Since 2003, the U.S. government has published five national cybersecurity strategies[1], each reflecting the evolving nature of cybersecurity threats and the U.S. government's response to them. The most recent National Cybersecurity Strategy (NCS) was published in March 2023 and offered a more proactive framework for the private and public sectors to disrupt and protect against cyber-attacks compared to previous strategies. The NCS also emphasizes enhancing resiliency through targeted investment, partnerships, and international cooperation. More specifically, the strategy calls for greater collaboration between the private sector and federal government regarding cyber threat intelligence sharing and protecting critical technologies, such as cloud computing and data centers.
The strategy also aims to improve investigations of ransomware crimes and the targeting of illicit cryptocurrency exchanges. Finally, the strategy offers detailed guidelines to increase cybersecurity resiliency nationwide. However, the document falls short in identifying deterrence mechanisms and offensive capabilities that private and public sectors can deploy to increase the risks and costs of cyber-attacks.
U.S. Cyber Warfare Doctrine
In 2018, the Department of Defense (DoD) released the Department of Defense Cyber Strategy, which is a separate initiative from the National Cybersecurity Strategy and outlines more specifically the U.S. government's approach to cyber warfare. The strategy focuses on three main goals: building a more lethal and resilient force, strengthening alliances and attracting new partners, and reforming the department to better support the strategy. In addition to the DoD Cyber Strategy, the U.S. government has released several other documents that provide guidance on cyber warfare, including the National Military Strategy for Cyberspace Operations and the Joint Publication 3-12 (R) Cyberspace Operations.
The U.S. cyber warfare doctrine emphasizes the importance of both offensive cyber capabilities (use of malware, denial-of-service attacks, hacking) and defensive measures. It recognizes the need for a whole-of-government approach to cyber defense. The doctrine also stresses the importance of international partnerships and cooperation in the fight against cyber threats.
However, while it is an important initiative, the U.S. cyber warfare strategy has several limitations. The U.S. cyber warfare doctrine may not always be able to keep pace with the latest threats and may require frequent updates to stay relevant. This is especially true if two or more nation-states conduct coordinated attacks against the U.S. Similarly, U.S. cyber warfare doctrine may not have clear guidance on addressing attribution challenges and may need to be updated to address this issue. Also, the doctrine may face severe ethical and legal challenges regarding the response's proportionality and the escalation ladder. This is especially pertinent if cyber operations and kinetic actions require the use of force, cause civilian casualties, and impact the protection of individual rights. And the global nature of cyber operations could constrain the U.S. cyber warfare doctrine by limiting the possibility of international cooperation with allies and non-aligned countries due to the nature of offensive or defensive actions being taken.
NATO Cyber Defense Policy
NATO has developed a framework outlining the policies and principles for defending its networks and systems against cyber-attacks, including its approach to cyber operations in the context of military conflict. The NATO Cyber Defense Policy includes three main components.
- The Cyber Defense Capability Targets set out the minimum requirements for member states' cyber defense capabilities (firewalls, intrusion detection, encryption, and authentication mechanisms), including their ability to prevent, detect, and respond to cyber-attacks.
- The Cyber Defense Action Plan identifies the steps that NATO will take to improve its cyber defense capabilities and those of its member states.
- The Cyber Defense Concept provides a framework for understanding the role of cyber operations in military conflict. It also defines NATO's approach to cyber warfare in the context of its overall defense strategy. To counter cyber threats, NATO focuses on international cooperation and information sharing, both within NATO and with external partner organizations and countries.
Despite the significant evolution in NATO’s ability and capability to address the increasing number and sophistication of cyber-attacks, several limitations continue to hinder its effectiveness, namely: asymmetrical capabilities among member states, reluctance to share sensitive information, lack of harmonization of legal and regulatory frameworks among member countries, competing interests among member countries and their impact on funding and resources devoted to cyber defense, and a lack of cyber norms and international law that limits NATO’s legitimacy in enforcing cyber defense principles.
Core Cybersecurity Challenges
The prospect of cyber warfare involving the United States and its allies is at an all-time high. Despite having advanced cyber defense capabilities, the United States still faces several core challenges that make its national security vulnerable to hostile state and non-state actors. The first and most critical challenge is the decentralization of power and, more specifically, a decentralized cybersecurity governance that prevents the U.S. government from rapidly responding to and recovering from a cyber-attack. The lack of a centralized and empowered authority increases delays in identifying the source and scope of an attack, determining the appropriate response, and coordinating a unified response across all the different entities involved.
In comparison, hostile state actors, such as China, Iran, North Korea, and Russia, have authoritarian government systems with decision-making power highly centralized in one person or institution. In these cases, centralized cybersecurity governance can lead to faster and more efficient decision-making, as there are fewer layers of bureaucracy and less time spent on consultation and negotiation. This government structure also allows consistency in implementing cybersecurity strategies, policies, and regulations across the country. In centralized governance, institutions have greater control over resources and can allocate them more effectively to meet the needs of the entire country or region. Such a government can also respond quickly and effectively, with clear leadership and a coordinated response.
The United States has a highly connected and technologically advanced society, which makes it a lucrative target for cybercriminals and nation-state actors. This dependency on technology can lead to significant disruptions if critical systems are compromised (e.g., Colonial Pipeline 2021). The immensity and complexity of the U.S. cyber infrastructure make it difficult to secure in its entirety. This complexity makes it challenging to detect and respond to threats promptly. In addition, the complex network of public and private organizations responsible for critical infrastructure, and their interdependence, make it difficult to coordinate cyber defense efforts effectively. The United States also faces a cybersecurity skills gap, which makes it challenging to recruit and retain talented personnel to address the wide range of cyber threats and vulnerabilities.
In addition, the global nature of technology supply chains can introduce vulnerabilities into critical systems without the U.S. being aware of them or having the legitimacy to address them. Each of these challenges requires coordination and pooling of government and private sector resources, the development of adaptive offensive and defensive cyber strategies, and the inception of centralized cyber command and control operating in constructive collaboration with international partners.
Specifics of a Global Cooperative Approach Among Allies
The U.S. and allies’ cybersecurity posture must change from one of wait-and-react to one that is proactive, cooperative, and holistic. Being proactive means adopting a working industry and government global cybersecurity framework that would include measures for encryption, authentication, biometrics, analytics, automated network security, and a whole host of other topics related to cyber threats. Specifically, a technical framework of priorities should include:
- Defining and monitoring the evolving threat landscape of state actors and sophisticated criminal hacking groups
- Core risk management (identifying, assessing, and responding to threats, i.e., NIST Framework: Identify, Protect, Detect, Respond, Recover)
- Protecting critical infrastructure through rapid prototyping of technologies
- Enhanced public/private cooperation that includes sharing key threat information
- Modernization of security architectures and adaptation of strategies of security by design
- Advanced encryption and biometrics (quantum-proof encryption, keyless authentication)
- Automated network-security correcting systems (self-encrypting drives)
- Further development of artificial intelligence technologies for “real time” horizon scanning and monitoring of networks
- Access and identity management and control in accordance with Zero Trust guidelines
- Endpoint protection to address Internet of Things and hardware security vulnerabilities
- Diagnostics, data analytics, and forensics (network traffic analysis, payload analysis, and endpoint behavior analysis)
- Enterprise and network isolation to protect against malware, botnets, and insider threats
- Cooperative cyber-incident response
Policy Implications and Recommendations for a Governing Model
To effectively address the growing cybersecurity threats and numerous limitations posed by our existing cybersecurity strategies, doctrine, and governance structures, the United States should consider adopting a more centralized approach that could be based on the aviation industry. At the domestic level, a new agency comparable to the Federal Aviation Administration (FAA) could be created. Like the FAA, a “Federal Cybersecurity Administration” would set security standards, regulations, and compliance rules, and manage the digital infrastructure and networks that are critical to our nation's security, economy, and daily functioning: the national cyberspace. It includes all the devices, systems, and networks that are used to transmit, store, and process digital information, as well as the people, policies, and procedures that govern their use.
Protecting the national cyberspace is critical to national security in the digital age. A similar logic could also be applied at the international level. For many countries, national cyberspace is considered a strategic asset and is protected by various government agencies and policies.
Governments and organizations worldwide increasingly recognize the need for cybersecurity measures to protect their cyberspace from cyber threats. An international agency that transcends multiple transnational organizations and supra-national structures such as the European Union, G-7, OECD, and NATO could be established to offer effective cybersecurity strategies, set cyber defensive and offensive operation standards, and provide support and services to member countries.
One of the top challenges in cybersecurity has been to get democratic governments, agencies, and industry to cooperate in a strategic manner. Enactment of a general working framework among Western allies, coupled with a willingness to cooperate, can serve as a catalyst for action in the evolving threat landscape.
[1] National Strategy to Secure Cyberspace (2003); Comprehensive National Cybersecurity Initiative (2008); Cybersecurity National Action Plan (2016); National Cyber Strategy (2018); and National Cybersecurity Strategy (2023).