It was the nightmare scenario that some have been warning about for years: not a physical attack on our shores, but a covert infiltration of our systems. Early in 2021, a still-unidentified actor remotely accessed a water treatment plant in Oldsmar, Florida and attempted to raise the concentration of sodium hydroxide (lye) in the water supply more than a hundredfold, to dangerous levels. A plant operator saw the setting being changed on his screen as it happened, and the attempted poisoning of roughly 15,000 people was stopped before the plant's automated alerts would have notified workers of the change. The investigation remains ongoing, and authorities have not publicly named a perpetrator.
Fallout continues from another dangerous breach, this one of the software company SolarWinds. Malicious actors, likely Russian according to US intelligence agencies, inserted a backdoor into the build of SolarWinds' Orion network-management software, which customers then downloaded as a legitimately signed software update. Those customers included many government agencies and countless private companies. Because the malicious code arrived through the vendor's own trusted update channel, it went unnoticed and unreported for months, exposing unclassified networks at the US Departments of Treasury, State, and Homeland Security (DHS). The full extent of the damage may not be understood for years.
Older incidents continue to resurface as well: the Department of Justice (DOJ) unveiled charges against three North Korean military hackers, expanding on the charges DOJ filed in 2018 over the 2014 hack of Sony Pictures. DOJ also charged the hackers with schemes to steal over $1.2 billion from banks across multiple continents and with the theft of over ten million dollars' worth of cryptocurrency.
The Trump administration received mixed reviews on its actions concerning cyber issues. There were some positive moves, like the elevation of the Cybersecurity and Infrastructure Security Agency (CISA) within DHS and new authorities at the National Security Agency and US Cyber Command. However, the administration faced criticism over removing the position of National Security Council cyber coordinator, shrinking cyber offices at the State Department, and making bizarre statements, such as the intent to form an “impenetrable Cyber Security unit” with Russian President Vladimir Putin (who was “personally involved” in the interference in the 2016 US election).
Trump’s insistence on using DHS as a partisan immigration and protest-busting police force crippled the Department’s ability to grow into its necessary role as a key defender of domestic critical infrastructure, including digital networks. Trump also ultimately fired CISA Director (and UVA alum) Chris Krebs for repeatedly debunking Trump’s lies about widespread voter fraud in the 2020 election.
The new Biden Administration has pledged an increased focus on cybersecurity issues. New DHS Secretary Alejandro Mayorkas has already taken steps to elevate cybersecurity as a key homeland security mission. DHS's CISA will likely focus on relationships with private-sector operators and civilian government networks, including state and local governments.
Cybersecurity is also a hot topic on Capitol Hill, where members of Congress are paying growing attention to it. The House Homeland Security Committee and the Senate Intelligence Committee both held hearings in mid-February 2021 on the SolarWinds breach.
Can we prevent cyber attacks from foreign actors, and if so, how? Debate continues in academic, strategic, and intellectual circles about whether “cyber deterrence” is a legitimate strategy or folly. Discussions about how nation states should act in cyberspace are ongoing, but the conflict has been bubbling below the surface for some time.
The latest Department of Defense Cyber Strategy calls for a "defend forward" posture and for the military to "persistently contest malicious cyber activity in day-to-day competition." Those efforts include action against Iran's Islamic Revolutionary Guard Corps in retaliation for an attempted disinformation campaign in the run-up to the 2020 election.
Privately owned technology companies are integral to the cybersecurity conversation because of their economic power, their influence over the public, and their integration with government. Protecting and cooperating with the companies that develop the ubiquitous software, hardware, and infrastructure used coast-to-coast is essential. Most Americans may not believe that they are on the front lines of conflict with overseas rivals and sophisticated criminals when using these platforms, but they are.
Ensuring the protection of private systems is also essential for protecting users' personal information. Many people are unaware of how much of their personal lives exists online and in the hands of private companies. These platforms have their own motivations and benefit from diminishing privacy. Some make huge profits from the information that people sign away, and that information does not always stay where users expect: in the Cambridge Analytica scandal, personal data on tens of millions of Facebook users, harvested through a third-party quiz app, ended up in the hands of a political consulting firm. Access to personal data is also part of the concern over TikTok, the social video phenomenon owned by the Chinese company ByteDance. Users might mindlessly scroll right now, but the worry is that what the app collects about them, from browsing and viewing habits to phone and location data, could be obtained by the Chinese government and used for blackmail or extortion down the road.
Relations between Silicon Valley and Washington DC ebb and flow, but tech companies have an outsized role in our national security and must be treated as partners in this fight. Major firms will have to take a variety of steps to remediate the damage from SolarWinds, with options ranging from rebuilding compromised systems from scratch and rotating every credential the intruders may have touched, to expanding "bug bounty" programs that pay outside researchers to find weaknesses before adversaries do.
Even as our new governance mechanisms and structures develop, there is not a minute to waste in taking the steps needed to move toward a more secure and resilient nation. Our efforts must start at home, where the next steps are mountainous but plain. This work must start with educating individuals to make smart decisions with every piece of technology they use. One of the greatest risk vectors in cybersecurity will always be the human being clicking on a link they shouldn't; it was a fairly low-tech phishing email that unleashed the DNC email scandal of 2016. The SolarWinds breach, though, is a reminder that some intrusions require no user mistake at all, so our defenses cannot rest on user vigilance alone.
Governments at every level and private sector companies must begin the long recovery process after the SolarWinds breach. We were unacceptably vulnerable, which is why we remained unaware of this breach for so long. Our defenses need to be rebuilt, strengthened, continually monitored, and reinforced. Although these attacks are not visible, they have the potential to be as destructive and dangerous as terrorist attacks. The American way of life changed drastically in response to World War II and the September 11th, 2001 attacks. The same urgency is needed now. All of us must make choices about how much ammunition we want to give our adversaries, and what conveniences we are willing to sacrifice in order to secure our infrastructure, information, and democracy. Only the federal government can truly lead a whole-of-nation effort on cybersecurity, and that starts with President Biden.
The views expressed above are solely the author's and are not endorsed by the Virginia Policy Review, The Frank Batten School of Leadership and Public Policy, or the University of Virginia. Although this organization has members who are University of Virginia students and may have University employees associated or engaged in its activities and affairs, the organization is not a part of or an agency of the University. It is a separate and independent organization which is responsible for and manages its own activities and affairs. The University does not direct, supervise or control the organization and is not responsible for the organization’s contracts, acts, or omissions.