By Jamil Farshchi* and Samantha F. Ravich**
The next seismic event we face as a country may be a cyber pandemic. Funded by a foreign government, led by a terror organization, or carried out by a lone wolf with a laptop and a bit of skill, a major cyber event would spread faster and further than a biological virus, with potentially an equal or greater impact on our economy and way of life.
Imagine a widespread attack on our electrical grid that engulfs an entire region of the country: cell phones become useless, gas stations are out of order, restaurants and grocery stores close, air travel is grounded, supply chains are disrupted, financial systems shut down, and e-commerce comes to a standstill. Or, equally disastrous, hackers could attack our water utilities, causing serious health consequences and public panic.
We’ve seen smaller iterations of this play out in recent months with a surge of cyberattacks. Hospitals in California, New York, and Oregon had their computer systems held for ransom, freezing medical records and delaying lifesaving care. Hackers breached local government offices in Louisiana, forcing the state to call in the National Guard for help. At least 16 school districts in a half-dozen states had their networks hit, causing delayed reopening or canceled classes.
And, just last month, the stakes were raised again when a who’s who list of organizations — including the Pentagon, the CDC, and Fortune 500 companies — were found to be using software from SolarWinds that was secretly infected by Russian hackers, highlighting a seismic weakness in our nation’s cybersecurity and presenting a clear and present danger to our way of life.
As two experts who have witnessed the cascading impacts of crises from the front lines of industry and government, we know the importance of cyber defense and the impact that a major event could have on our country.
That’s why we’re calling on President Biden to mitigate the looming cyber threat in the first 100 days of his administration. Here’s how:
First, the president should nominate a National Cyber Director and begin staffing the office to bring together the full resources of the federal government and the private sector around a united cybersecurity strategy. A whole-of-nation approach to cybersecurity is required to deter our adversaries and strengthen our homeland — and American businesses must be a key partner in this fight. The private sector has a tremendous amount of knowledge and capabilities to bring to the table, which is why the National Cyber Director must engage deeply with the business community on how to protect American companies, accelerate intelligence sharing, and leverage new technologies to strengthen our cybersecurity posture. Bolstering direct collaboration between the White House and business leaders on cyber matters is how we build better resiliency and defend against our adversaries with greater speed and agility.
Second, the new administration must make it a priority to lead the way in setting new international information and communications technology standards. Many of today’s fragmented standards place an unnecessary burden on American businesses — stifling issue response and reducing real transparency for consumers. Compared to other countries, the United States is not participating as much or as effectively in global forums where these types of international standards are set. As Sen. Mark Warner (D-Va.) recently said, “We used to flood the zone at all these technical conferences. We are not doing that anymore.” But other countries like Russia and China are. American interests and security are strengthened when international standards are developed and set with active U.S. participation.
Third, the new administration should work quickly with Congress to establish a Joint Collaborative Environment, a mechanism by which the federal government can share with the private sector classified and unclassified cyber threat information, insights, and other relevant data — to the greatest extent possible. Today’s aged and fragmented approach to intelligence sharing must change. When it comes to winning in cyberspace, speed matters, collaboration matters, and communication matters. The private sector needs faster access to intel to preempt cyber threats, fast-twitch engagement to mitigate attacks in the heat of the battle, and stronger, ongoing communication with partners from government to collectively elevate our defenses. Through this common environment, we can build a coordinated public-private approach to cybersecurity.
Fourth, the president must address the security of our technology and communications supply chain as a result of the SolarWinds breach. As Sen. Ben Sasse (R-Neb.) recently said, “There’s just a hard truth that we’re decades behind where we need to be for cyber.” The grim reality is that there are countless third-party vendors just like SolarWinds that have the data, access, and trust of American businesses and countless government institutions. That’s exactly why the U.S. government needs to take immediate steps to build a trusted supply chain, which include activating a lead agency to support supply chain risk efforts; mapping how and where key vendors are used in our digital infrastructure; and accelerating better intelligence sharing, risk assessments, and product testing. As we’ve seen, the consequences of failing to protect our technology and communications supply chain have far-reaching implications.
These recommendations, alongside a bevy of others from Sen. Angus King (I-Maine), Rep. Mike Gallagher (R-Wis.), Rep. Jim Langevin (D-R.I.), Sen. Sasse, and the bipartisan Commissioners of the Cyberspace Solarium Commission, are mission-critical for our country.
Congress took a critical first step in the National Defense Authorization Act by requiring the U.S. government to develop Continuity of the Economy plans to restart the economy after a widespread attack.
We can no longer accept a status quo where our adversaries relentlessly attack our way of life, where businesses are forced to fend off nation states by themselves, and where a battle is waged without investment commensurate with the national security risks we face. President Biden has the opportunity to lead us into a new era of American cybersecurity. We stand ready to help him.
*Jamil Farshchi is the Chief Information Security Officer of Equifax. **Samantha F. Ravich, Ph.D., serves as a Chair of the Foundation for Defense of Democracies Center on Cyber and Technology Innovation and is a Commissioner of the U.S. Cyberspace Solarium Commission. She previously served as Deputy National Security Advisor.