Biden Pledges Tough Response To Cyberthreats. Experts Say It Won't Be Easy

Feb 12, 2021
Originally published on February 12, 2021 10:35 am

Last year, cyber expert P.W. Singer was asked to write the introduction to a big government report by a group called the Cybersecurity Solarium Commission. Instead of the usual bland summary, Singer produced a fictional account of what Washington, D.C., might look like in the aftermath of a devastating cyberattack.

"The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals," wrote Singer and co-author August Cole. "All around the Mall you can see the black smudges of the delivery drones and air taxis that were remotely hijacked to crash into crowds of innocents like fiery meteors."

Of course, none of this actually happened. But when the report was released last March, Russian hackers were allegedly burrowing their way into the computer networks of U.S. government agencies and private companies.

The so-called SolarWinds hack was not discovered until December, and now President Biden's administration is assessing the extent of the damage. In broad terms, Biden is talking tough about cyberthreats.

"We've elevated the status of cyber issues within our government," Biden said in a major foreign policy speech on Feb. 4 at the State Department. "We're launching an urgent initiative to improve our capability, readiness and resilience in cyberspace."

But Biden hasn't divulged the details and cyber experts say getting a handle on the threats from Russia, China and elsewhere will require a major, sustained effort that will take years.

The SolarWinds hack "was an egregious attack on our government and and also in the private sector. It exposed vulnerabilities that, frankly, we should have known we had," said Maine Sen. Angus King, who's a leading voice on cyber issues and was co-chairman of last year's big cyber report.

Creating deterrence

King, an independent who caucuses with the Democrats, said the U.S. must get better at preventing such intrusions and also develop a strategy to hit back hard.

"If someone is punching you and they have no fear of ever being punched back, why would they stop punching you?," King said. "I want somebody in the Kremlin at the table to say, 'Boss, I don't know if we ought to do this because, you know, they're going to whack us.'"

Deterrence has so far proved elusive to successive administrations.

Former President Barack Obama was cautious when responding to cyber attacks, expressing concerns about U.S. counter-moves that could touch off a cycle of escalation and unintended consequences. Former President Donald Trump gave the U.S. intelligence community greater latitude to take action, but never made cybersecurity a top priority, his critics said.

Biden is winning early praise for bringing highly-regarded cyber experts into his administration. He plans to have a cyber director in the White House — a position Trump eliminated.

"I think the Biden-Harris administration really gets high marks so far," said April Falcon Doss, who worked previously at the National Security Agency and on the Senate Intelligence Committee. She's also the author of Cyber Privacy: Who Has Your Data And Why You Should Care.

Foreign and domestic threats

She still sees many tough challenges ahead. On the international front, Russia has been blamed for several major hacks in recent years. China has been accused of systematically stealing cutting-edge technology from a wide range of U.S. companies and universities.

Biden's team has also inherited a raging debate on how to handle domestic disinformation and conspiracy campaigns on-line. And Falcon Doss notes that these foreign and domestic challenges can overlap.

"If someone is pushing QAnon conspiracy theories, is that really coming authentically from [domestic] users of the platform, or is it being pushed by the military intelligence service of a foreign government that is an adversary of the U.S.?" said Falcon Doss.

Sen. King wants the Biden administration to be ambitious. He believes the U.S. should lead an effort to set global rules.

"We need to develop a kind of cyber Geneva Convention that establishes norms and standards worldwide," said King "If a country or a group violates those norms, then you have worldwide sanctions, a worldwide response."

Some cyber experts support this idea in principle. But there's a good deal of skepticism that such an agreement could be implemented in practice.

Nations, private groups and even individuals have learned that cyber attacks can be relatively low-cost and easy to carry out. In addition, the victim often faces a challenge in proving who's responsible, and an even more difficult time imposing formal punishment.

"Achieving international agreement on norms is unlikely to happen any time in the near term," said Falcon Doss, who argues it's more likely that the U.S. will have to act unilaterally in many cases, and will have to consider a range of responses, like financial sanctions, that aren't limited to the cyber realm.

Meanwhile, P.W. Singer says he's busy writing more fictional accounts about future cyber attacks. He says his stories are based on actual research, and he calls this work "useful fiction."

"You use the power of story to carry across real-world lessons. So it's not science fiction. There is original, non-fiction research, a non-fiction point to make," he said, adding that he's involved with projects that include the U.S. and Australian militaries, as well as large cyber companies.

To drive home that point, a hacker attempted to poison the water supply last week in Oldsmar, Fla. — a case similar to the fictional poisoning of the Potomac River that Singer wrote about last year.

Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

Among his many challenges, President Biden has to deal with that recent and serious cyber breach, allegedly by Russia, that's still under investigation. Meanwhile, there's ongoing debate about how to handle disinformation and conspiracy campaigns online.

NPR's Greg Myre tells us how the president is approaching this national security threat.

GREG MYRE, BYLINE: Last year, P.W. Singer was asked to write the introduction to a big government report on cybersecurity. Instead of the usual bland summary, Singer, a cyber expert, produced a fictional account of Washington, D.C., in the aftermath of a devastating cyberattack.

P W SINGER: (Reading) The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals.

MYRE: He imagined carnage on the National Mall.

SINGER: (Reading) All around the Mall, you can see the black smudges of the delivery drones and air taxis that were remotely hijacked to crash into the crowds of innocents like fiery meteors.

MYRE: Of course, none of this actually happened. But when the report was released last year, Russian hackers were quietly burrowing their way into the computer networks of U.S. government agencies and private companies.

The so-called SolarWinds hack was not discovered until December. And now the Biden administration is assessing the extent of the damage.

ANGUS KING: That was an egregious attack on our government and also in the private sector. It exposed vulnerabilities that, frankly, we should have known we had.

MYRE: Senator Angus King is a leading voice on cyber issues. He was also co-chairman of last year's big cyber report. King says the U.S. must get better at preventing such intrusions and it must find a way to hit back - hard.

KING: If someone is punching you and they have no fear of ever being punched back, why would they stop punching you? I want somebody in the Kremlin at the table to say, boss, I don't know if we ought to do this because, you know, they're going to whack us.

MYRE: Biden is winning early praise for bringing highly regarded cyber experts into his administration. And he plans to have a cyber director in the White House, a position former President Trump eliminated.

APRIL FALCON DOSS: I think the Biden-Harris administration really gets high marks so far for the actions they're taking around cybersecurity.

MYRE: April Falcon Doss worked at the National Security Agency and is the author of "Cyber Privacy." She still sees tough challenges ahead. Some of the hardest questions could involve foreign adversaries like Russia and China intersecting with domestic issues like online conspiracy theories.

FALCON DOSS: If somebody's pushing QAnon conspiracy theories, is that really coming authentically from users at the platform or is it being pushed by the military intelligence service of a foreign government who's an adversary of the U.S.?

MYRE: Senator King wants the Biden administration to be ambitious. He believes the U.S. should lead an effort to set global rules.

SINGER: We need to develop a kind of cyber Geneva Convention, if you will, that establishes norms and standards worldwide. And if a country or a group violates those norms, then you have worldwide sanctions, worldwide response.

MYRE: Meanwhile, P.W. Singer says he's busy writing more fictional accounts about future cyberattacks. He says his stories are based on actual research. And he calls this work useful fiction.

SINGER: You use the power of story to carry across real-world lessons. So it's not science fiction, let's dream it up. It's - no, no, no, no - there is an original nonfiction research, nonfiction point to make.

MYRE: His hope is that these doomsday scenarios don't become reality.

Greg Myre, NPR News, Washington. Transcript provided by NPR, Copyright NPR.