Why America would not survive a real first strike cyberattack today

By Mike Rogers, a former member of Congress who served as chairman of the House Intelligence Committee. He is now the David Abshire Chair at the Center for the Study of the Presidency and Congress and is a senior fellow with the Intelligence Project at the Belfer Center for Science and International Affairs at Harvard University. Follow him @RepMikeRogers.


Originally published in The Hill

If a full-on “turn the lights off” cyber war were to happen today, we would lose. Think about that. We would lose a cyber war. With a few clicks of the mouse, and in just a few seconds, hackers in Beijing or Moscow could turn off our electricity, millions would lose heat, groceries would spoil, banking machines would not work, and people could not get gasoline. It would be what we have seen down in Texas, but on a national scale and with no end in sight. That we have escaped a digital catastrophe thus far is not due to skill. It is due to blind luck and restraint from our adversaries.

Just a few weeks ago, hackers attacked a water treatment plant in Florida, trying to increase the amount of lye in the water to toxic levels. A worker was able to prevent the contamination. Luck was all that stood between hackers and a potentially deadly cyber incident. If that were not enough, we are still uncovering the full scale of the SolarWinds hack nearly three months on from its first disclosure. At least nine federal departments or agencies and over 100 companies were compromised and, as the probe continues, it remains likely that more targets will be identified.

Think about how significant this breach was. Hackers likely from Russian intelligence penetrated the software supply chain and used the software update feature to spread malicious code to more than 18,000 users. Their aim was to steal as much data and credentials as possible for their Russian interests and to undermine our own security. This almost certainly will be one of the broadest espionage efforts in history, like the Chinese theft of over 22 million background investigation records in 2015.

The Russian attack was launched from within the United States using our servers. This was an incredibly clever way to mask the origin and ensure that our intelligence agencies would not see a foreign attack, as they are barred by law from running inside our country. Once inside government networks, the hackers monitored the way we identify and intercept their systems penetration efforts and designed an attack that made it difficult to identify. These foreign hackers know about our weak spots.

The only thing that prevented the Russians from launching a destructive malware attack or inserting malicious code was the Russians themselves. They could have caused a major disruption across our government and private sector networks, changing or deleting data, planting viruses, or simply turning off the networks. Restarting the systems and deleting the offending code alone is not a solution. In 2016, the Ukrainian electricity grid was targeted by the Russians and, to this day, the country is still finding and removing vulnerabilities left behind by Moscow.

We had to rely on Russian restraint rather than our defenses to stop what could have been a devastating offensive attack. Sadly, we have confused luck and the restraint of our adversaries with our own skill. Policymakers, business owners, and everyday citizens are numb to the regular attacks. We assume that if they have not yet been destructive or damaging then they will never be, and that our protections are sufficient. Nothing could be further from the truth. Our adversaries are moving forth with plans to cause massive disruption. Our country should harden our defenses and offer credible deterrents. If we simply wait, it will be too late.

We are just not prepared. For SolarWinds, the Russian hackers sat on our networks for almost a year before they were identified, taking advantage of both the law and our fragmented strategy in cybersecurity. We need a national cybersecurity director in the White House. We should harmonize our national approach to cybersecurity, deconflict the budgets, and stay laser focused on bolstering our networks from more attacks.

This is not only a government problem. We must move toward collective defense. The private sector should not be responsible alone for stopping such attacks. Firms are neither prepared nor expected to defend against enemy bombers, but they are still expected to stop the cyber equivalent of that on a daily basis. Our vulnerabilities will continue to rise with machine learning, artificial intelligence, and the internet of things.

If we cannot get a handle on our vulnerabilities and protections today, what hope do we have in the future? The Iranians attacked our banks in 2012. Our water systems were targeted. The Russians were found in our electric grids and our government systems. Let us not wait until a major catastrophe occurs before acting. The administration needs to act. Our policymakers need to act. The countdown clock is ticking.
