By Peter Mitchell
Problem Statement
For much of the 20th century the United States was considered to be a giant of world-security. Unmatched military technology along with strong tenets of discipline created a very effective fighting machine. What this machine failed to account for was the rise of the World Wide Web in the 1990s. America’s communication networks, the software we utilize on a daily basis, and the technology that now pervades homes, businesses, the government, and our pockets is riddled with exploitable loopholes, backdoors, and bugs that can be manipulated to steal not just money or privacy, but the cash-crop of the 21st century: data. It is theorized that by 2025 hackers will cost the global economy upwards of $10 trillion (Morgan 2021 Report: Cyberwarfare in the C-Suite). The most visible of these attacks is ransomware, in which hackers lock companies, individuals, or groups out of their own personal data until a ransom is paid. In 2019 hackers made over $11 billion dollars so this tactic clearly has efficacy. America has made itself a massive target for hackers, in a survey of United States based companies, 82.6% alleged they had been compromised by at least one attack in 2020 (CyberEdge Group 2020 Report). Much of the United States and its top level systems used by corporations and government facilities are deeply intertwined, using the same software and similar hardware, meaning that our cyberinfrastructure is deeply vulnerable.
Background
Cybersecurity is the protection of devices, data ,networks, and processes from disruption, theft, harm, or misuse. In December of 2020, a hack of massive proportions was discovered in the United States, one the country was unequipped to address. In March of 2020 files containing malware were sent out among an update to the company SolarWinds’ Orion network monitoring and security software. The update was then downloaded by around 18,000 of the company’s 33,000 customers including the Center for Disease Control, the State Department and the Justice Department, as well as numerous other governments, and companies both domestic and foreign. The hack had been operational for 9 months before it was noticed and the amount of data that was accessed is currently unknown. In terms of the sophistication, scale, the incredible ability of the hack to change itself, as well as the targets involved, it is highly likely that this attack was carried out by a rival country, rather than hacker groups or individuals (The Guardian).
The problem that arises from this vulnerability, described above, has multiple prongs. Firstly there are some questions that must be asked; How did this go undetected for so long? Why was this detected by a private company and not detected by the federal government’s own IT security professionals? These questions can all be answered relatively simply by diving into who is responsible for U.S. cybersecurity. CISA, Cybersecurity and Infrastructure Security Agency is responsible for most of the cybersecurity enforcement in the United States. The agency is a part of the Department of Homeland Security, but takes the back seat in much of the legislation surrounding security. Part of the problem is that Cybersecurity does not have nearly the visible impact as traditional, boots-on-the-ground, security. When national security is at risk it is easy to point at a tangible group or person and identify that as the problem. In cybersecurity there is a huge lack of general knowledge about data security as well as the role of the federal government in ensuring privacy and good-faith practices. It is far too easy for corporations and the government to cut corners when it comes to the software and hardware used by these sectors. It is often barebones and mass-produced with security as a secondary or even tertiary concern. It is also worth noting that the hack could very well have been discovered already by government agencies but the information was not made public for a variety of reasons. Perhaps security agencies were making use of a similar exploit and did not want this to be patched. The other possibility is that these agencies simply were not looking for a seemingly benign patch of government software to be the source of a massive hack.
Proposed Solution
The easiest recommendation is that CISA needs to remake its image in order to make it a household name. Cybersecurity incidents are so incredibly common, the aforementioned 82.6% of companies that have been attacked, that it’s important for Americans to know who is responsible for their security. An ad campaign, not dissimilar to those used by the military in the modern day, would aid the agency with name recognition and overall recruitment. These programs, many of which Americans are likely familiar with have utilized mass media such as TV, radio, social media, and other platforms and have been found to generally be an effective marketing strategy (Dertouzos and Garber). As Americans’ awareness of this issue grows it becomes increasingly possible for greater support for funding to occur for the agency, allowing their recommendations and actions for security to become more robust, and more impactful overall. Such a campaign would also put the issue of cybersecurity at the forefront of American minds, bringing the end goal of making a more digitally cautious and secure populace far closer to reality. It would not simply be in a businesses best interest to secure their data, but families, individuals and organizations would all be more likely to take their technological security more seriously, beyond simple passwords and firewalls. Individuals should be more aware of what networks their devices connect to, i.e.: coffee shops, malls, etc. As well as being wary of granting apps and software unreasonable access to their devices and their data, i.e., always-on cameras, microphones, website tracking data, etc. Cybersecurity is an issue that affects every American, yet it is an issue that many Americans lack the digital literacy to understand. These campaigns would seek to both educate citizens on healthy usage and security in the digital age, as well as seek to increase their knowledge of the proper channels, such as governmental agencies, like CISA, that are responsible for ensuring these ideals and their oversight.
Bibliography
Einaras von Gravrock, Chief Executive Officer and Founder. “Who Should Be in Charge of Protecting Our Personal Data?” World Economic Forum, www.weforum.org/agenda/2019/01/who-should-take-charge-of-our-cybersecurity/
Lawson, S., & Middleton, M. K. (2019). Cyber Pearl Harbor: Analogy, fear, and the framing of cyber security threats in the United States, 1991-2016.
Wysopal, Chris. “Council Post: Why U.S. Critical Infrastructure Needs Greater Cyber Resilience.” Forbes, Forbes Magazine, 7 Feb. 2020, www.forbes.com/sites/forbestechcouncil/2020/02/07/why-we-need-greater-cyber-resilience-of-u-s-critical-infrastructure/?sh=2366c630cb45.
Fox, Ben. “Suspected Russian Hack Fuels New US Action on Cybersecurity.” AP NEWS, Associated Press, 19 Feb. 2021, apnews.com/article/us-cybersecurity-hacks-solarwinds-4ae46954c9fd6cb881207d5384c2b250.
Willing, Markus, et al. “Analyzing Medical Device Connectivity and Its Effect on Cyber Security in German Hospitals.” BMC Medical Informatics and Decision Making, vol. 20, no. 1, Sept. 2020, p. 246. EBSCOhost, doi:10.1186/s12911-020-01259-y.
Limnéll, Jarno, and Martti Lehto. The Importance of Strategic Leadership in Cyber Security: Case of Finland. Academic Conferences International Limited, Reading, 2019. ProQuest,
PORCH, ALICE M. “Spoiling for a Fight: Hacking Back with the Active Cyber Defense Certainty Act.” South Dakota Law Review, vol. 65, no. 3, Nov. 2020, pp. 467–488. EBSCOhost, search.ebscohost.com/login.aspx?direct=true&AuthType=ip,uid&db=lft&AN=147330722&site=ehost-live&scope=site.
Keating, Joshua. “I Became a Virtual Resident of a Country I’ve Never Been To. So What Do I Do Now?” Slate Magazine, Slate, 16 June 2015, slate.com/technology/2015/06/estonia-digital-citizenship-i-am-an-e-resident-of-a-country-ive-never-been-to.html.
Morgan, Steve. “2021 REPORT: CYBERWARFARE IN THE C-SUITE.” CyberSecurity Ventures, 13 Nov. 2020, cybersecurityventures.com. Dertouzos, James N., and Steven Garber. “Effectiveness of Advertising in Different Media: The Case of U.S. Army Recruiting.” Journal of Advertising, vol. 35, no. 2, 2006, pp. 111–122. JSTOR, www.jstor.org/stable/20460731. Accessed 22 Mar. 2021.