Cyber 911

Alexandre EF
Oct 10, 2022

The United States’ private sector and strategic interests have been the cyber target of Iranian political reprisals. The direction that the state took during this time was myopic. It was short-sighted to leave the private sector to its own devices, without federal direction or transparency about American actions (Scenario). This resulted in private sector executives bearing the brunt of an administration’s geopolitical policy. C-suite executives responded to this isolation by requesting autonomy and federal resources to retaliate against the attacker (Schmidle). Cyberattacks by state and non-state actors are pressuring the government to grant, within a legal framework, the authority to engage in cyber offensive actions when attacked (Schmidle). This autonomy is advocated by researchers as well, with the regulation of offensive privileges within certified corporations (Dwyer). In response, the government has pointed to the risks of vigilantism, lack of federal oversight, and political ramifications that industry may enact if given autonomy (Schmidle). The United States should not grant victims of geopolitical squabbles offensive autonomy. Companies do not have the legal right to include offensive operations like “hacking-back” in their cyber defence (Schmitt). Even under forms of regulation, the government is giving the private sector the authority to be the “judge, jury, and executioner” of foreign and criminal affairs (Winstead). Ergo, it is the state’s role to provide enhanced cyber capabilities to companies that are the victims of cyber-attacks. This will require Congress to appropriate resources to develop agencies that support businesses by triaging existing resources. The strategic end state for the United States is to leverage the state’s multidisciplinary resources to protect companies from malicious operations, under the principle that protection is operationalized with credible deterrence, offence, and defence operations.

Cyber Hygiene — All Businesses

The Iranian operation toolkit focused on weakly secured enterprises with high-bandwidth networks (Scenario). The American solution for strategic defence against this type of politically motivated and indiscriminate enterprise attack is to recognize that all levels of the supply chain can be a target. Targeting all levels of the supply chain for resilience can be operationalized federally through procurement and publicly through information campaigns.

RFP, RFSA, and RFSOs

Federally, this can be operationalized in the mandatory requirements section of all public tenders. The government has the authority to utilize CMMC level 1 standards for the cyber defence of all contractors and supply arrangement holders (Dwyer). The government also has the authority to require prime contractors to vet their supply contractors against the same standards. Prime contractors do this already for security clearances. Adding mandatory requirements for all contractors who do business with the government is a way to use existing authorities to develop a baseline of cyber defence.

Agencies

State-backed cyber attacks require holistic responses. They are holistic because cyber offensive actions intertwine political, legal, and technical expertise (Conti and Raymond). Small and medium enterprises cannot be expected to mount multidisciplinary responses. The government will need to fulfil the role of disseminating intelligence and retaliatory services to victims of cyber attacks. The United States will need to create agencies and personnel that can conduct coordinated responses. This approach would be facilitated by a centralized agency where companies can report and request aid in the event of cyber attacks. This agency triages the Federal Bureau of Investigation cyber response, with a “National Cyber Security” agency which provides authorized industries with intelligence on foreign adversaries’ potential movements (Healy et al.). Without the development of new agencies, the private sector may choose to hire and contract amateur or illicit technicians whose responses would not be within the parameters of U.S. political and security interests. With an agency that triages intelligence sharing and offensive actions and communicates them to the external client, businesses will be able to better react to malicious actions. The government will be able to fulfil its role in providing offensive operations, credible deterrence, and defence.

Targeting All Businesses

Intelligence sharing and offensive operations industries will not be enough on their own. The government would need to get businesses up to a level of cyber defence that protects companies from low-skill attacks. Cyber-attacks are not always sophisticated operations. Instead, attacks can originate from phishing campaigns, rented malware, and insider threats (Emesh). The United States will then need to promote cyber hygiene to more than key industries, victims, and contractors using modern tools. The government should seek to get all businesses to a form of CMMC level 1, which is basic cyber hygiene (Dwyer). Currently, this classification is reserved for prime contractors. To fill this gap, the objective of certification will need to be extended to all businesses in America (Dwyer).

The government will need marketing to reach a larger range of businesses and entrepreneurs. The government can contract or develop teams that promote small business cyber security. It can do this by developing public webinars on platforms like Eventbrite, in-person events, and memorandums of understanding with stakeholders who work in diverse communities to communicate cyber resilience. Federal digital access points should be created that provide businesses with free information and resources on the basics of protecting individual businesses from cybercrime. Promotion and education webinars address the challenges of smaller businesses and the weakest links of the supply chain.

Adversary nations are not necessarily developing their own cyber toolkits (Emesh).

· Iran crowdsourced its DDoS kit off the dark web that is hosted in Russia (Scenario)

· Russian hackers also use crowdsourcing tools to bolster their cyber capabilities (Emesh)

These toolkits are already published (Scenario). Intelligence and investigative bodies, and cyber security professionals, would benefit from a policy of federal government support and intelligence awareness. Updating software and preparing with provided intelligence and information on solutions for recovering from DDoS and ransomware attacks contribute to national cyber defence.

Conclusion

Solutions do exist for cyber protection, but the challenge is the government communicating relevant intelligence and cyber information to SMEs. The United States’ strategic end state is treating cyber protection and cyber standards like COVID vaccines: non-mandatory for most but with ample information, mandated for businesses who sell to the government, and with agency support for critical victims. This will achieve a better strategic end state and prevent future incidents like this from being as easily exploited. To accomplish this strategic tenet, the United States will need to increase personnel within cyber defensive agencies, develop new agencies, and expand the resources of these agencies when working with businesses that are victims of cybercrime. When businesses are maligned, federal agencies will be required to provide aggressive cyber counter-offensive actions within the framework of the law. The United States’ strategic endgame is the development of agency capacity to support larger and more diverse companies when they are victims of cyber-attacks, while larger agencies provide intelligence to critical infrastructures and services for retaliation to achieve credible deterrence. This would achieve the strategic endgame of multidisciplinary government resources for the protection, deterrence, and offence of American interests.

Works Cited

1. Bouveret, Antoine. 2018. “Cyber Risk for the Financial Sector.” IMF Working Paper WP/18/143. Pp. 1–15

2. Conti, Greg, and David Richard Raymond. On Cyber: Towards an Operational Art for Cyber Conflict. The United States?: Kopidion, 2017. Print.

3. Dwyer, Morgan. “Does the Defense Department’s New Approach to Industrial Base Cybersecurity Create More Problems than It Solves?” Center for Strategic and International Studies. 18 Dec. 2019. Web. 2 Oct. 2022. <https://www.csis.org/analysis/does-defense-departments-new-approach-industrial-base-cybersecurity-create-more-problems-it>.

4. Emesh, Alexander. “The Smoking Gun — global Malware and Russia.” Medium. Medium, 04 Oct. 2022. Web. 4 Oct. 2022. <https://efmags.medium.com/e221ce35c9b4>.

5. Kaffenberger and Kopp. 2019. “Cyber Risk Scenarios and the Financial System.” Working Paper, Carnegie Endowment for International Peace

6. Scenario: Policy Issues Arising from Sustained Iranian Attack Campaigns Against US and Global Financial Sector Targets. Web.

7. Schmidle, Nicholas. “The Digital Vigilantes Who Hack Back.” The New Yorker. 2022 Condé Nast, 30 Apr. 2018. Web. 2 Oct. 2022. <https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back>.

8. Schmitt, Michael N. “Peacetime Cyber Responses and Wartime Cyber Operations Under International Law: An Analytical Vade Mecum.” Harvard National Security Journal. © 2017 by the President and Fellows of Harvard College and Michael N. Schmitt., 2017. Web. 2 Oct. 2022. <https://harvardnsj.org/wp-content/uploads/sites/13/2017/02/Schmitt-NSJ-Vol-8.pdf>.

9. Winstead, Nicholas. “Hack-back: Toward a Legal Framework for Cyber Self-Defense.” American University. © 2022 American University., 26 June 2020. Web. 2 Oct. 2022. <https://www.american.edu/sis/centers/security-technology/hack-back-toward-a-legal-framework-for-cyber-self-defense.cfm>.

Alexandre EF

MA. Arizona State University Centre for Future Warfare. All writing is scholarly and creative and may not reflect actual opinion.