“Throughout American history, nation states wielding armies and weapons that we could see and track posed the greatest security threats to our country. Those threats have not dissipated, but they have been joined by an array of increasingly complex and invasive security challenges, especially with regard to cyber attacks,” proclaimed Senator Maggie Hassan (D-NH), who sits on the Senate Homeland Security and Governmental Affairs Committee and is a member of the Senate Cybersecurity Caucus, in her closing keynote address at Hack the Capitol 3.0. Today, our nation’s adversaries and other bad actors have the capacity to cause significant harm to our democracy, disrupting the well-being of our financial, manufacturing, defense, health care, communications, and education infrastructure “without even firing a shot,” said Senator Hassan. Hack the Capitol 3.0, hosted in partnership by the Wilson Center’s Science and Technology Innovation Program, The ICS Village, Cyber Bytes Foundation, and R Street Institute on September 16, 2020, was a day-long virtual conference convening experts from government, industry, and the press to discuss these cyberspace vulnerabilities in critical infrastructure.

A key consideration in cybersecurity today is deterrence by denial, especially at the lower end of the threat spectrum. Making the US a harder target to attack in cyberspace will involve filling key infrastructure gaps. Throughout the event, experts voiced the critical need for central guidance from the government, as the current scoping of the industry is bent on a decentralized private practice. This must be coupled with better cybersecurity and awareness training -- not just for professionals, but for the public. You are, after all, only as strong as your weakest link. These issues particularly come to light when considering current concerns in cybersecurity, such as the upcoming election.

A Need for Central Guidance: Unified Public-Private Response 

To better support private industry, one vital consideration is the necessity of a stronger US cybersecurity framework with regards to government leadership. Given that over 80 percent of US critical infrastructure is owned and operated by the private sector, there must be a shift in the current government understanding of its responsibility in cyberspace “to support the sight of the private sector, not the other way around,” said Representative Gallagher (R-WI), who co-chairs the Cyberspace Solarium Commission. The US’ existing structure -- which is to say, decentralized structure -- leaves gaps in communication and strategy implementation. There is a need for streamlined communication between government agencies responsible for different parts of the cyberspace issue.

As noted by Rick Driggers, Deputy Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security, “[Government] agencies need to make sure that we're delivering more to the community [by] understanding what their needs are, what their requirements are, and what they’re asking the government to do.” How effective our government agencies are at mitigating cyber risk depends on the quality of interagency relationships themselves. “It’s an ongoing marriage that requires counseling on a weekly basis as most large bureaucratic things do,” said Driggers.

That’s not to say that there aren’t always going to be competing priorities between government (namely law enforcement and the intelligence community) and the private sector. However, the US has a responsibility to pull agencies together and engage industry with a unified voice to share useful intelligence rather than “just demanding all of their information,” as Rep. Gallagher said. Government must, in other words, be communicating with the private sector continuously instead of only when industry information is needed, which has been a critical task of the Cybersecurity and Infrastructure Security Agency (CISA) since its establishment in 2018.

One way forward suggested at Hack the Capitol was the creation of a central position that leads national-level coordination of cyber strategy and policy. For example, the development of a National Cyber Director within the White House, as proposed in H.R. 7731, The National Cyber Director Act. While some critics argue that the creation of a National Cyber Director position adds yet another bureaucratic layer to an already over-bureaucratized national security and cyber response framework, Rep. Gallagher argued the opposite. “We thought it was the least bureaucratic approach out there. I think building another separate cyber agency or taking CISA away from DHS is both politically impossible and more bureaucratic while the most bureaucratic and costly option is doing nothing, because our view as a commission is that doing nothing will result in a massive cyber attack.”

The push to create this type of centralized authority garnered cross-sector support. “It needs to be done -- it has to be done. We have got to have somebody at the White House -- at the Executive Branch level -- that’s coordinating across all of the government and all of the private sector initiatives from a policy perspective,” stated Mark Weatherford, Chief Strategy Officer of the National Cybersecurity Center and former Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.

Beyond a centralized position, one need from the government was an increase in promoting interoperability and innovation in this space through funding, incentivising, and investing in cybersecurity for industrial control systems. Sean Plankey, Principal Deputy Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the U.S. Department of Energy, suggested continuing to support the cybersecurity initiatives of municipalities and co-ops -- such as major metropolitan cooperative providers of electricity and water -- utilizing CISA’s holistic approach and authority to unify sector-specific agencies to safeguard our essential systems. 

And while reflecting on his term as Under Secretary for Cybersecurity at the U.S. Department of Homeland Security, Mark Weatherford pinpointed a similar issue that he wished he addressed: adequately funding the nation’s Information Sharing and Analysis Centers (ISACs), which help critical infrastructure owners and operators protect their facilities, personnel, and customers from cyber and physical security threats among other hazards. Each of the US’ 16 critical infrastructure sectors has a designated ISAC with its own designated government-supported organization. While some ISACs are self-funded, such as the financial services ISAC (which is largely supported by the banking industry), many are underfunded -- making  it inherently difficult for these ISACs to generate support and coordinate among their respective sector’s stakeholders. Weatherford reflected, “My biggest regret is that I didn't at some point say, ‘Wait a minute, let's take some of my DHS funding and start supporting every one of the ISACs.’” Moving forward, we must ensure the full support of ISACs and other entities responsible for US critical systems to effectively manage the information-sharing space and support their unique status under the National Defense Authorization Act. 

Investing in Human Capital

American cybersecurity leadership is dependent on one other critical aspect of cybersecurity infrastructure: people. Public consumers, due to the prevalence of home devices, should be considered a part of the infrastructure that needs to be protected. As Matthew Dunlop, Vice President and Chief Information Security Officer at Under Armour, noted, “Cybersecurity is a long game and we have done virtually nothing to protect cybersecurity in the long-term. We put phones in the hands of kindergarteners and elementary schoolers, but we don’t do anything constructive in terms of their education.” 

One potential solution is public education, on par with other public education campaigns, “a concerted, almost public relations effort to educate our kids on the nature of disinformation in cyberspace, basic cyber hygiene, and cyber literacy,” stated Rep. Gallagher. Outreach and education could prepare government, industry, and the public with the knowledge necessary to protect their valued resources. Cybersecurity literacy should begin at an early age, planting the seeds of awareness and developing the next generation of cyber leaders.

Part of the problem seems to be the existing tactics used in both cybersecurity literacy as well as in recruitment for that next generation of cyber experts. In both cases, cybersecurity is seen as a nebulous, intimidating, blackbox. Cyndi Gula, Managing Director and Co-Founder of Gula Tech Adventures, suggests being “able to talk to the public in a way that’s not scary” about the commonly perceived monolith that is cybersecurity, breaking down the abstract domain into digestible pieces. “We need to stop calling cyber ‘cyber’ and start calling it ‘data care’ to make it sound more approachable,” Gula added, “We need people to understand that cyber is not just one thing and there are so many places to go -- offense, defense, etc.” 

This would also help mitigate cybersecurity’s other problem: recruitment. “We talk about this workforce gap and we lose people because they are intimidated,” Dunlop pointed out. In a field not known for its transparency or approachability, efforts to unblackbox cybersecurity professional careers for broader audiences would widen the pool of recruitment, ensuring a healthy pipeline in the workforce in the long-term.

Navigating the Ever Changing Threat Landscape

During his lunchtime keynote address, David Sanger, Chief Washington Correspondent for The New York Times and author of The Perfect Weapon, written at the Wilson Center as a Distinguished Fellow, left the audience with an interesting metaphor about the US’ unique security condition. “It's hard to throw rocks when you live in the glassiest house there is and we live in the glassiest house,” said Sanger, “We live in the house that is most connected to the internet. We live in the house where people have the highest chance of getting disconnected from something that they really care dearly about.” In the US, most internet capacity is in the private sector, which presents a unique security paradox in the context of other global efforts.

Stemming from this unique security paradox are new norms and strategies surrounding deterrence, and in the lead-up to November 3rd, the US’ explicit capacity to signal to our competitors that election interference will warrant consequences. “Any country that plays a divisive role in our election infrastructure or in the disinformation space might pay a significant price for it,” said Sanger. As the self-designated gatekeepers between stories anchored in truth and those prioritizing overhyped alarmist headlines, the press can play a critical role in this type of signaling. For instance, Sean Lyngaas, Senior Reporter at CyberScoop, reflected on a pressing issue in the run-up before the elections -- security concerns surrounding mail-in ballots. 

Although not a “traditional infosec story,” as Lyngass called it, CyberScoop published an article explaining voting by mail, the logistics around it, the rarity of voter fraud cases, and the capacity of the US Postal Service. “We felt it was our duty to do that even though it's very much not a top story for us,” said Lyngass. Kim Zetter, a freelance journalist and author of Countdown to Zero Day, echoed that sentiment, citing the explicit responsibility of an infosec journalist to “rock the balance… between what’s really significant, what's important, and... explaining the “why” to readers and to editors,” to avoid the public disservice of publishing redundant, unoriginal stories across different media outlets.

What’s more -- the stakes are especially high in the context of an election year, particularly one where cybersecurity professionals have growing concerns about the spread of disinformation. “There have been stories that I've shelved that I would've done in another election year, but I'm not doing this time around because there is that concern of trying to balance… between trying to inform people so that no one is taken by surprise about certain things, but also being cognisant of timing for certain stories,” said Zetter. A former staff writer for Wired, Zetter added, “The better service, rather than sort of spinning out all of these scenarios that could happen, is addressing the misinformation and correcting that and informing people.”

Looking Ahead

Beyond the election, experts emphasized the importance of rebuilding a bipartisan foreign policy consensus -- at the very minimum, with regard to cybersecurity. Bipartisan bills and legislation, such as the Modernization Centers of Excellence Program Act introduced by Senator Hassan and Senator Portman (R-OH), “are just the very first steps we need to take, and we have to continue to develop new strategies to develop and improve our cyber defenses to further scale up our cyber capabilities,” said Senator Hassan. Cybersecurity is in the early stages of what promises to be a long term competition -- “the stakes of which are existential,” said Rep. Gallagher. 

“Even where we disagree,” Rep. Gallagher concluded, “we should all be waking up with a sense of urgency to the challenge, not only in cyberspace, but the challenge geopolitically right now.”



This is just a snapshot of some of the incredible discussions that occured at Hack the Capitol 3.0. For more coverage, visit ICS Village's YouTube channel.