The Common Good is Being Hacked

A stronger response on cybersecurity requires more unified action at home

A small but important story registered barely as a blip on America’s radar screen this month–a warning sign part of a broader security trend. 

Just a few weeks ago, computer hackers sabotaged a water treatment facility and tried to poison the drinking water going to 15,000 people in Oldsmar, a small Florida city south of Tampa. The attackers, still not publicly identified, tried to exploit vulnerabilities in technology by remotely increasing the levels of lye in the water. Quick action by plant managers averted a public health crisis–but the security incident pointed to a chronic challenge America faces. 

The attempted sabotage was just the latest in a series of cyberattacks and hacks targeting America’s critical infrastructure stretching back for at least a decade.  Russian hackers have probed U.S. power plants and manipulated controls, and Iranian hackers busted into the operations of several dams in America. Other countries like China and North Korea and terrorist groups have gotten in the cyber hack and attack game, also targeting infrastructure but also stealing data and personal information aimed at gaining some sort of leverage or earning money.  Political hacktivists like Wikileaks have also attacked the common good–operating with an anti-establishment and at times nihilistic agenda that they make clear

None of these incidents has resulted in widespread, catastrophic damage – yet. The scenes that unfolded after an usual cold spell hit Texas this month-people without power and clean water and some literally freezing to death-were similar to the doomsday scenarios painted by those warning about cyberattacks on America’s power grid and water supply networks.

True to form for these times, a handful of politicians on the right and left took to Twitter and responded to what happened in Texas by grandstanding in debates more focused on ideological divisions, rather than working to respond to problems facing millions of Texans in ways that bridge political divides.  But others rolled up their sleeves, did their jobs, and worked to take care of people in Texas, giving no thought to partisan differences with the patriot spirit we need on other fronts. 

Cybersecurity is an issue that has great potential to bring unified action in America–one that taps into the basic instincts to protect and take care of our own and defend against others who look to harm the common good. It is also an issue that pinpoints a vulnerability in open societies in Europe, Asia, and other parts of the world–a weakness that authoritarian governments like Russia and China aggressively seek to exploit.

Cybersecurity matters to daily lives

There are three main reasons why a national conversation to formulate a better plan to protect America on the cybersecurity front could get more traction than other national security questions that divide the country:

1.      Cybersecurity directly impacts the lives of nearly all Americans.  Nine in ten American adults use the Internet, and nearly all Americans live in communities that depend on critical infrastructure that is increasingly connected to the cyber realm.  Reports that countries like China are aggressively seeking to obtain medical and financial information of millions of Americans underscore how this set of issues matters to the daily lives of ordinary Americans (unlike some of the other distant and symbolic issues foreign policy elites obsessively debate). 

2.  Repeated warnings and regular incidents have raised awareness.  For several years, U.S. intelligence agencies have publicly warned about the threats – the last public Global Threats Assessment in 2019 featured cybersecurity prominently throughout a report that began with this stark warning:

“Our adversaries and strategic competitors will increasingly use cyber capabilities—including cyber espionage, attack, and influence—to seek political, economic, and military advantage over the United States and its allies and partners.  China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways—to steal information, to influence our citizens, or to disrupt critical infrastructure.”

Major incidents continue to occur – the Solar Winds hack by Russia targeting at least 18,000 U.S. government and private computer networks is what Brad Smith, the president of Microsoft recently called “the largest and most sophisticated attack the world has ever seen” from a software engineering perspective.  This attack and the damage assessment are still ongoing.

3. Most Americans say that cybersecurity is important as a policy issue.  A majority of Americans say they have been personally impacted by data breaches and support efforts by the United States to work with other countries to protect against cyberattacks. So, there is strong public support for doing more on this front. 

Complicating factors on cyber policy

Despite this awareness and appetite to do something about cybersecurity, four factors complicate America’s ability to mount a more effective national response. 

1.  Connecting the complexity of cybersecurity with strategic policymaking. There are different types of actions in cyberspace ranging from stealing data and emails to acts of war that use cyber tools to cause physical destruction. A broad range of actors use these tools, from individuals operating with criminal intent to non-state actors like terrorist networks and countries seeking to shape the international system. The United States uses these tools against others, too. 

Several gaps exist in the policymaking communities in thinking strategically about these many challenges.   Some experts look at the challenges from a more narrow lens like the technology or legal angle – but a new way of thinking is needed, one that connects these evolving cyber tools to strategic decision making.  At the start of the Cold War, new fields in academic and policy analysis were developed to game out the impact of nuclear weapons on decision-making – we need to see similar efforts to push more strategic thinking about cyber policy.

There are some encouraging efforts underway on this front – both inside and outside of government.  A report released this week by the American Edge Project offers an analysis that incorporates cybersecurity in a broader strategy for protecting America and maintaining its competitive edge in the world. But these efforts need to evolve with emerging dynamics like the impact of quantum computing. 

2.  Low public trust in institutions.  The broad lack of trust in institutions, from the government to the private sector, hampers responses.   The fact that both the Trump and Obama administrations struggled to respond to the multiple challenges in the cyber realm contributed to such public concerns.  America’s last president actively encouraged other countries to hack his political opponents and used those cyberattacks to his own political benefit – this has caused considerable damage to social and political norms and public trust in institutions.

3.  Developing a more coordinated “whole of government” approach.  An alphabet soup of U.S. government agencies is stepping up their responses on the cyber front. But just like what happened after the 9/11 attacks, it is unclear how all of the pieces fit together and if the various moves on the chessboard are coordinated. Just one recent example of the ad hoc nature of the response: in the closing days of the Trump administration, former Secretary of State Mike Pompeo approved the creation of a new Bureau of Cyberspace Security and Emerging Technologies in the department, a curious last-minute action.  A recent report by the U.S. Government Accountability office concluded that the department “did not demonstrate that it used data and evidence” in justifying the creation of this office. 

4.  Developing a more coordinated “whole of society” approach.   In America, cybersecurity is very much a shared public-private effort, with the private sector playing the central role in the frontlines of defense. After years of discussions between the government and private corporations, America is not much closer to striking the right balance between advancing the common good and enabling private corporate interests to create growth and maximize profit.  As technology security expert Bruce Schneier argues,

“The market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass[ing] off that risk to the rest of us, as individuals and as a nation.”

For years, the U.S. government has built legal and regulatory frameworks aimed at advancing the common good and supporting public safety in transportation, food, banking, energy, and the environment. A new set of laws and regulations could help create new incentives for the private sector to invest in stronger and more effective measures on cybersecurity. 

That’s a tall order for a country that is still trying to regain its footing after a year of the pandemic and economic pain at home and dealing with chronic political dysfunction. 

But America’s institutions are still capable of getting results.  One overlooked story from the 2020 elections was that the many warnings about foreign interference in America’s elections – including warnings of cyberattacks on election infrastructure and large disinformation efforts – did not come to pass

In many ways, the bigger challenges for America on the cyber front come from within and the prominent challenges to the legitimacy of America’s election and institutions. On the cybersecurity front, the effort to mount more effective defenses to evolving threats coming from overseas is very much linked to the challenge of rebuilding a sense of an inclusive nationalism and common purpose at home. 

To be stronger in the world on issues like cybersecurity, America needs to be stronger and more united at home.