- The federal government now counts the private sector within the scope of its cybersecurity agenda, setting cyber standards and investing in next-generation technologies. Significant costs will go into helping local governments divest from, "and in some cases rip out and replace," risky vendors, said Rep. Mike Gallagher, R-WI, during the Billington CyberSecurity Defense Summit Thursday. Currently, the government doesn't know how deep those existing investments run.
- Forcing companies to buy exclusively U.S.-based technology solutions is a non-option, though. The supply chain will never be solely domestic, which means companies and government need a "buy ally" framework, said Gallagher, who is co-chair of the Cyberspace Solarium Commission (CSC).
- Funding and investment in allies build that trusted supply chain, not only by supporting private industry but also by paying for the analysis required to understand what makes a partner trustworthy, said Suzanne Spaulding, senior advisor for homeland security and director of the Defending Democratic Institutions Project, during the panel.
As private industry becomes intertwined with geopolitics via cyber, governments will have to grapple with how they balance national security, business continuity and intellectual property protection. For some in the private sector, cooperation can feel like a battle of conflicting interests between the sectors.
Adversarial behaviors, like the SolarWinds or Microsoft Exchange hacks, are not the only activities that define a cyberpower. Cyberpower is also shaped by the technology decisions and policies countries make. Consider, for example, the U.S. unwillingness to deploy equipment from China-based Huawei, set against China's interest in expanding Huawei's international presence.
Chris Inglis, distinguished visiting professor in cybersecurity studies at the U.S. Naval Academy and President Joe Biden's pick for national cyber director, would like to see Congress adopt more of the CSC's recommendations that bolster contributions to the private sector.
The government, separately, should have "its own house in order," while increasingly engaging with private industry, he said during the panel.
The combination of investments and supply chain scrutiny could improve the U.S. international cyberpower standing.
The dominant cyberpowers of the world are the U.S., China, Russia, Israel and the U.K., according to research from Harvard Kennedy School's Belfer Center. To achieve "cyberpower" status, countries need a combination of capability and intent, not only offensive measures.
Belfer Center researchers ranked the top 10 countries by cyber power using publicly available data on 27 indicators. The U.S. ranked first, followed by China, the U.K. and then Russia. Russia ranked as the top country for surveillance activity, the U.S. for control and China for commercial activity. The U.K. dominated in defense, offense, intelligence and norms.
Sophisticated operations are not always needed for an adversary to achieve its goals. For example, Russia's SolarWinds compromise was a patient, subtle attack, whereas China's exploitation of Microsoft Exchange was opportunistic, seized on once the vulnerability became public.
Russia's overall fourth-place ranking reflects its very specific objectives, with strong capabilities dedicated solely to those goals. Russia's intentions typically center on eroding trust, according to the Belfer Center's research. Its threat groups aim to undermine trust-based systems used domestically and abroad, whether through disinformation campaigns or by corrupting software updates, as Russia did with SolarWinds Orion.
The extent to which the U.S. can strike back is limited. The U.S. is not prepared enough to act offensively, said retired Gen. Keith Alexander, founder and CEO of IronNet and former commander of U.S. Cyber Command, during the Thursday summit.
"You're not ready for a fight in cyberspace, you have more to lose than they do," he said, referring to U.S.-owned IP.
Alexander sees a solution in collaborating with companies under the defense industrial umbrella, with input from smaller companies. "What we learned from SolarWinds is, their objective was the federal government," he said. "I don't think their target was 18,000 companies. In fact, that would be crazy to try to deal with 18,000 companies … but they got more than they bargained for."