The SolarWinds and Colonial Pipeline hacks are just the tip of the digital doomsday that is brewing. While technology has super-charged the quality and potential of our individual and commercial lives, an increasingly ominous stream of hacks has taken advantage of vulnerable software, applications, systems and networks.
Technology is a lifestyle, but it is first and foremost a business, one in which the breadth of innovation and the speed of getting to market are rewarded more than the insecurity of a product is punished. Because of that, products may be brought to market that are not secure, and then become more vulnerable as technology advances or they are subsequently modified by commercial users seeking competitive advantages. Today, nearly every ounce of data and form of money is stored, invested and transmitted on and through these internet applications, systems and networks. How secure should they be?
Unless the public and private sectors begin to put digital security on an equal footing with digital innovation, we will continue to see increasing damage to critical infrastructures and the quality of our lives. What is the solution? Unfortunately, we are decades down the path of a way of life that is insecure, which will not be easy to rehabilitate. We could mandate government or private-sector software validation, or institute the use of technologies such as artificial intelligence to police software, networks and systems. But those changes would raise complex physical and political issues, including the role of government and the balance between security and privacy.
Perhaps the answer lies in the development of a new, permissioned secure internet – I2. Access to I2 would be licensed and be subject to a clear set of standards and enforcement mechanisms. Everyone would know how belligerent actions would be classified and what the violators, their country of origin, networks and the pipelines that they use to carry their data should expect to suffer as a response. Little of that exists today, often making a calculable risk-reward ratio for such actions on the internet a non-issue.
Instead, the world has been playing cybersecurity whack-a-mole. In the United States, President Biden’s recent executive order in response to the Colonial Pipeline hack is remarkably similar to the many pronouncements made by Presidents Clinton, Bush, Obama and Trump. Its directive that the government launch a pilot program to effectively provide a “Good Housekeeping Seal of Approval” for securely developed software could be a valuable step forward and requires immediate consideration and implementation, though it does raise the issues noted above.
Cybersecurity awareness was memorialized in President Clinton’s 1996 Executive Order 13010, which identified nine critical national infrastructures. That was followed in 1999 by Presidential Decision Directive 63, which sought to put reliable, interconnected and secure information system infrastructures in place by 2003. That’s right, 2003! Finally, in January 2000, the Clinton White House, which was remarkably prescient about cyber threats, released a 199-page plan for information systems protection warning that the next target would be America’s infrastructure.
Thirty-five days after 9/11, President George W. Bush issued Executive Order 13231 requiring federal agencies responsible for defense and security to protect critical infrastructures. The Bush administration then issued a 76-page report in 2003 creating new bureaucracies to implement some 50 recommendations to prevent cyberattacks against America’s critical infrastructures. Presidential Directives 38 and 54 followed in July 2004 and January 2008, directing federal agencies to secure federal networks and supply chains.
President Obama issued Presidential Policy Directive 20, Executive Order 13636 and Presidential Policy Directive 21 in 2012 and 2013 to facilitate the construction of better defense systems and strengthen the security and resilience of critical infrastructures. The job of securing 16 critical infrastructures was delegated to about two-dozen federal agencies. In 2017, President Trump issued Executive Order 13800, once again directing a gaggle of federal agencies to identify capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructures.
There you have it. It has all been said and resaid many times, with the government deploying two-dozen agencies to share responsibility for lofty goals that have not sufficiently changed conditions on the ground. We find ourselves in 2021 faced with no option other than to use digital technologies that we understand may be hacked by persistent adversaries. And the problem only grows larger each day as systemic vulnerabilities are added faster than solutions can be developed. Averting our eyes will not deter the digital Armageddon that is out there.
We have not devoted enough resources to allow the experts to address what is the most severe problem we face as a country and a world. As a result, it is entirely possible that tomorrow morning, everyday events that we take for granted may be interrupted as power grids go dark, ATMs stop dispensing money, moving vehicles are hacked, financial markets disappear and water systems stop working. The problem will only be amplified by new technologies such as quantum computing.
The country and its digital systems and networks rely to a large extent on the neutralizing effects of mutually assured destruction. It worked with nuclear proliferation. But in cyberspace, it becomes more ineffective each day as technology gets faster, cheaper and more available to rogue nations, criminal cartels, terrorists and fanatics that are not a part of the family of nations. Anyone concerned about the future of cyberspace should carefully review the 182-page report and its 75 recommendations issued by the Cyberspace Solarium Commission in March 2020. It artfully and carefully illustrates the national security threat that cyberspace poses.
Today, we are left with the next best security alternative: ensuring that after a computer, network or system is destroyed, its functionality is rebuilt and restored as quickly as possible. This seems like a preemptive admission of defeat. Imagine if that were the approach used by the U.S. military.
Thomas P. Vartanian, formerly a bank regulator at two different federal agencies and then a private practitioner for four decades, is the executive director and professor of law at George Mason University’s Antonin Scalia Law School’s Program on Financial Regulation & Technology. He is the author of “200 Years of American Financial Panics.”