Nebraska Sen. Ben Sasse often speaks in sports analogies, so when he talks about the need for better U.S. preparation for cyberwarfare and cyberthreats, he describes it in a way relatable to most Nebraskans.
He says America needs a “playbook,” a broad framework of how to respond defensively and offensively to growing threats in cyberspace, including this week’s Russian hack of U.S. government agencies and businesses.
He knows Nebraska’s Cold War veterans understand when he says the U.S. needs the level of military, economic and foreign policy planning for cyber that President Dwight Eisenhower used to compete with a nuclear Soviet Union.
It’s why he says he modeled his 2018 legislation creating the Cyberspace Solarium Commission after Eisenhower’s 1950s Solarium Commission, a group that designed the outlines of American strategy for the Cold War.
The new group is already having some success. It got 25 of its March cyber recommendations into the next National Defense Authorization Act, which passed this month by a margin large enough that it could overcome a threatened veto from President Donald Trump over an unrelated issue.
Chief among the cyber group’s recommendations adopted by Congress: Establish a Senate-confirmed cyber director within the White House, meant to press agencies to coordinate about their online threats and needs.
Another key addition would allow U.S. cybersecurity sleuths to actively hunt intrusions in regular government servers and systems in the same way they look for intrusions and trouble in Department of Defense systems.
Said Sasse: “These are life and death threats (in cyberspace), and (people) understand that we’re not doing enough to protect Americans from these new and emerging threats.”
Sen. Angus King, an independent from Maine who chairs the cyber commission that Sasse serves on, described its work to the New York Times this week as “incredibly important.” Cyber Solarium Executive Director Mark Montgomery called the new defense bill “the most comprehensive cyber security legislation Congress has ever passed.”
Sasse said the days of old-fashioned war, in which wars could be won exclusively by lethal force, are over. Modern wars will include a cyber component targeting militaries, economies, politics and people.
Americans got a taste of the stakes this week, when federal officials disclosed a months- and possibly years-long Russian hack of government and business networks that could cost billions of dollars and take months to untangle.
Sen. Deb Fischer, R-Neb., expressed alarm this week about the hackers potentially gaining access to the systems of the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.
She said the attack “reinforces the need to modernize our nuclear enterprise in order to ensure it remains safe, secure and effective in the face of evolving threats.”
Rep. Don Bacon, R-Omaha, a retired Air Force brigadier general, said: “My experience in cyber defense is that a chain is only as strong as its weakest link, and this latest cyber intrusion shows that our non-(Defense) networks remain exposed.”
Lawmakers and experts said that if the new cyber measures included in the defense bill had been in place, they could have helped the government detect the intrusion earlier. Instead, the hack of Texas tech company SolarWinds was discovered by a business, FireEye. King told the Times that the defense bill’s provisions “might have protected us.”
“We’ll recover from it,” Montgomery told The World-Herald on Friday about the hack. “The real question is are we going to take the appropriate action to keep the next one from happening?”
Because this new type of war targets non-state actors — think business and university research, hospital information and utility systems — it requires broader thinking about what to defend and how to defend it, Sasse said.
Sasse, a member of the Senate Intelligence Committee and a potential 2024 presidential candidate, describes China as the nation’s top cyberthreat, despite Russia’s higher-profile moves in Crimea and against the U.S.
“There’s just a hard truth that we’re decades behind where we need to be for cyber,” Sasse said. “When the next war breaks out, we’re going to start with China already on second base.”
Unlike with traditional weapons systems, where the U.S. has a clear advantage over its competitors, other countries can do massive damage with fewer people and less money in cyber, broadening the threat they pose.
This is one way that rogue nations like Iran and North Korea can disrupt larger foes, he said, which makes the risk more pressing than many know.
To reduce the number and scale of future attacks, America must make it clear that it will inflict real and painful costs, short of war, on those who attack it in cyberspace, Montgomery said. The Russian attack on SolarWinds and Chinese industrial espionage have happened because those countries didn’t think their actions would “provoke a U.S. response.”
American leaders also need to prepare for potential attacks, such as an economic attack on the nation’s financial systems, including banking and the stock market, Sasse said. The commission pressed leaders to think about how they’d keep the economy moving if banks and the financial system were suddenly inaccessible for two weeks because of a cyberattack.
The commission has called for a “continuity of economy” plan, much like leaders during the Cold War and after the 9/11 attacks designed “continuity of government” plans in case of nuclear, biological or terror attacks.
Sasse says he would like to see Congress put in place a joint cyber planning office tasked with making sure more of the federal government is ready for cyberattacks, working with the federal Cybersecurity and Infrastructure Agency, which operates under Homeland Security oversight.
His group has made more than 80 recommendations in all.
But he says the inclusion of commission recommendations in two straight defense bills shows that people in the Pentagon and other agencies are realizing the need to coordinate better across the bureaucracy.
A key next step, Sasse and others said, is getting the federal government used to investing in human capital, people with unique technical skills, in the way the Pentagon invests in weapons systems.
Long term, the goal is a “comprehensive approach to cyber defense and threatened offense” that deters countries and smaller, non-national actors in much the same way it kept the U.S. and Soviets from nuclear war, he said.
“We have this giant aircraft carrier not headed to the right destination,” Sasse said, describing how government leaders, even in national security, favor incremental changes. “We need a more serious turn.”