In a CNN report released yesterday, U.S. officials determined that Russian hackers penetrated the unclassified network of the White House, which serves the executive office of the President. According to the report, this attack stems from the State Department’s e-mail system breach that occurred over much of the last year. Although the information infiltrated was not classified, CNN reports, it was still highly sensitive, providing real-time specifics of the President’s schedule. This intrusion highlights another reason new steps must be taken to protect U.S. systems and deter aggression by malicious cyber actors.
When confronted with this hack, National Security Council spokesman Mark Stroh stated, “We took immediate measures to evaluate and mitigate the activity.” However, neither the White House nor the intelligence community has commented on reported link to the Russian government or to Russian entities. Yet, given Russia’s advanced cyber capabilities, they certainly could have been behind this breach. This sort of activity is nothing new; it is merely the 21st-century version of espionage that all states engage in.
If our federal government cannot protect itself from malicious activity in its own systems, how can the rest of the U.S. expect to be protected by the same sorts of cybersecurity regulations? The federal government was breached numerous times in the past several years, simply reinforcing the fact that federal cyber regulations cannot solve U.S. cybersecurity woes. Imposing regulations on the private sector only harms its ability to innovate new cyber defenses and can create a mindset of compliance rather than security, making it more difficult to be cyber-secure.
It is clear that the U.S. must do more than simply play the waiting game until an adversaries’ infiltration is made known. To promote cybersecurity, further cyber legislation needs to focus on facilitating information sharing between the public sector and the private sector. Rather than minimally effective regulations, legislation should encourage private-sector efforts that promote awareness, education, and training so public and private employees can take more effective precautions to protect themselves and their companies. A limited, defined set of cyber self-defense standards would also allow willing companies to better protect and innovate in cyberspace, going beyond just complying with obligations.
According to the 2015 Index of U.S. Military Strength, the most damaging and intricate cyberspace threats emerge from nation-states and their associated actors. Russia is one of those most capable of cyber infiltration, and it has substantial help from non-government and criminal “patriotic hackers” that have infiltrated the U.S. before the State Department discovery. In 2012, a Russian entity targeted the international energy sector, manufacturers, and defense contractors. Even worse, because of Russia’s advanced cyber techniques, they are often able to gain access to U.S. systems and remain undetected for months and even years. To stop such aggression, the U.S. must punish these actions and ensure that the attacker pays a price. Public naming and shaming; ceasing unnecessary security cooperation; travel, commercial, or trade restrictions on law breakers; and other actions could be used to deter additional cyber aggression by nation-states.
What remains evident is that the U.S. needs to rethink cybersecurity and encourage increased sharing and participation between the public sector and the private sector to best protect American interests. We also must be prepared to take public steps to deter future cyber aggression by nation-states such as Russia.
Jennifer Guthrie is currently a member of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please click here.