Following a long election week, U.S. cybersecurity proved resilient — and uneventful.
"The cyber dog, in this case, didn't bark as loud as we were worried. And I think the question is, why?" said Sen. Angus King, I-Maine, co-chair of the Cyberspace Solarium Commission, in a press briefing Friday. "What we don't know is the extent to which the adversaries were poised to attack us … [or] they had just decided it wasn't worth it."
While details of "what was done" are limited, "my sense is that there were things done that, again, provided a deterrence effect," said King.
Despite a relatively calm Election Day on the cyber front, security professionals are not naive. "We're still in a dangerous period over the next several weeks, if not months," said King.
The election, the pandemic, and recession were a cybersecurity pressure test. With President-elect Joe Biden named Saturday, "we want to build on the work that's been done that got us to this stage," said King. Part of that is the White House accepting the recommendation for a "much more vigorous central coordinating role," or a National Cyber Director.
A lot of existing interagency coordination "has not taken place at the White House level," including Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs, and Director of the U.S. National Security Agency Paul Nakasone, said King. More coordination is needed, and a National Cyber Director, proposed by the president and confirmed by the Senate, would ideally break down any silos.
Countdown to Nov. 3
Officials from CISA say election security has been underway for 3 ½ years. Following the 2016 election, King attended hearings and met with "secretaries of state and election officials who were very resistant to the efforts of the federal government to engage with them on cybersecurity," he said.
In January 2017, former Secretary of DHS Jeh Johnson called for sub-sectors of critical infrastructure to include election infrastructure. The statement was met with opposition from those fearing a "federal takeover of the election," said King.
Election security falls to individual states; however, the federal government has made concerted efforts to cultivate a more robust cyber network — a network that leans heavily on the private sector too.
In the weeks leading up to the election, CISA released several alerts to industries, outlining technical suggestions to ensure resilience. In October, CISA alerted the public to Iranian activity posing a threat to election integrity. On Nov. 3, CISA Director Chris Krebs praised the quick 27-hour turnaround time to notify state officials of fraudulent emails.
While 27 hours was an accomplishment, warfare works fast in cyber. The Commission detailed the role the private sector plays in "layered cyber deterrence" in its report.
"National defense therefore takes a very different shape in cyberspace, where the government mainly plays a supporting and enabling role in security and defense and is not the primary actor. The U.S. government and industry thus must arrive at a new social contract of shared responsibility," the report says.
On the offense
King highlighted the U.S.'s deterrence by denial, which includes cross-sector collaboration. Within deterrence is the concept of defending forward, which is intended to "reduce the frequency and severity of attacks in cyberspace that do not rise to a level that would warrant the full spectrum of retaliatory responses," according to the report. It's a method that extends U.S. cyber activity outside its borders.
Defending forward is considered a defense mechanism, and has a "leveling effect" on adversaries, said Chris Inglis, professor of cybersecurity studies at the U.S. Naval Academy and a Commission member, at an event in Washington in March. "What we really mean is [to] defend early."
Defending forward is dependent on unity and requires information sharing across sectors. Such cooperation was seen in Microsoft's pursuit of Trickbot's operational infrastructure in October. Microsoft obtained approval for the offensive measures it took, which are ongoing.
The operation involved officials at every level, within government and private business, said Mike Puglia, chief strategy officer at Kaseya, in an email. "The U.S. Cyber Command also conducted operations against TrickBot to damage and disrupt the organization itself as well as the group's cybercrime as a service operation."
Because Trickbot has multiple arms of operations, defending forward is an ongoing effort. But offensive security is dangerous.
Defending forward can carry an impact on foreign relationships, said Tim Maurer, director of the Cyber Policy Initiative and a senior fellow at the Carnegie Endowment for International Peace, at a March event in Washington.
Cyber is a "field that's pretty apolitical," but offensive strategies run the chance of escalating tensions, said Maurer. Likewise, it could impact U.S. allies. A foreign entity might not interpret some strategies as the U.S. trying to be more assertive and saying "enough is enough."
The Commission argues that the U.S.'s "inability or unwillingness to identify and punish our cyber adversaries" is "signaling that interfering in American elections or stealing billions in U.S. intellectual property is acceptable." While the Department of Justice has filed indictments against individuals in recent months, sanctions aren't enough.
While the U.S. leans into offensive security, the private sector has the resources to perform forward-leaning operations. It's just a matter of how far it can lean into the deterrence strategy.
King wants to see more offensive measures moving forward. But in a hearing with General Keith Alexander, former Commander of the U.S. Cyber Command and director of the National Security Agency, King asked, "is anything that we're currently doing, likely to change the calculus of our adversary, when deciding whether to attack us?" Alexander said no.
"A lot of what the work that we've been doing has been changing the answer to that question," said King. Microsoft's actions, and others like them, will be judged by history. "We'll have to do some deep after-action review in the next year, as to whether deterrence worked" and whether or not it was at the root of decreased cyberattacks, he said.