Taking a Step Back on Defense Department Hacks | Commentary
Just when you thought it was safe to tread back into the cyber-waters, The Washington Post discloses that a large number of U.S. Department of Defense programs have been compromised by Chinese hackers. The list of “compromised” systems detailed by the Defense Science Board is somewhat breathtaking: missile defense systems, next-generation fighter planes, unmanned aerial vehicles and even conference attendee information. You can almost hear the “gulp” from inside the Pentagon.
But before Washington does what Washington does best (hold hearings, call for heads, legislate at breakneck speed), let’s take a step back and think strategically about this situation. This isn’t really a new story. The Pentagon has been saying for some time now that some of its major weapons systems have serious cyber-vulnerabilities. Nor has Congress or DOD been asleep — a significant amount of money and effort has been poured into shoring up cyber-defenses. To tackle this problem, we must start with the right questions and thoughts:
1. Panic is not called for: Not all breaches are created equal. Just because a DOD system was breached does not automatically mean that vital information has been stolen and is gone for good. A thorough forensic investigation is needed to determine what exactly was stolen and when. Frankly, that has probably already been done, and it may well be that the “compromised” systems have already had fixes installed.
2. Ask the right questions: Inevitably, questions will swirl around “how could this happen?” Reality check: More breaches will happen because no defense is or can be perfect. A better line of inquiry will focus on the forensic analysis and lessons learned. How long did it take for the breaches to be discovered? Hours, days or weeks is okay; years or even months is bad. Once the breaches were discovered, was information about them effectively shared with potential targets? DOD and Congress should be focusing on whether everything was caught and what lessons were learned.
3. Don’t fight the last cyber-war: Viruses may be yesterday’s news. Less sophisticated cyber-attackers are likely to use viruses we already know about, and DOD is well-prepared for them. The focus should be on fighting the more sophisticated, previously unseen threats. Various terms are used for such attacks (signature-less, zero day, etc.), but the common theme is that advanced adversaries come up with entirely new ways to conduct attacks that evade traditional protections. We need to focus on new, creative ways to protect these systems, such as allowing systems to only execute specific commands (“whitelisting”) or using technologies that test programs in a safe environment to tell whether they pose a threat (“detonation chambers”). We have to make sure we are not just plugging existing gaps at the expense of keeping up with new threats.
4. Procurement reform is becoming an irresistible force: DOD and others are starting to put in place cybersecurity standards in acquisition planning and contract administration. Undoubtedly contractors are already spending lots of money to protect themselves, but the scope of breaches makes it clear that it is time for some uniformity and baseline cybersecurity expectations. That is a good discussion for Congress, DOD and industry to have so that such procurement requirements do not become unduly burdensome. No doubt breach notification for government contractors will become commonplace, but perhaps so will “safe harbors” for contractors who voluntarily notify their customers of a breach and have in place methods to rapidly mitigate it. More than anything, procurement reform can’t be all stick, as that only creates a climate of fear.
5. This is a lesson for everyone: Put simply — if the Pentagon can be hacked regularly and for so long, every business is vulnerable. Companies cannot assume that they are “too small” or don’t have anything of interest to be stolen. Boards, audit committees, the C-suite, and other leadership need to make cybersecurity a top priority. And even if you don’t have much information of value, you could easily represent an unlocked backdoor to the cyber-vault. Finally, Wall Street — breaches are occurring all the time. When investing dollars in companies, ask questions about the efficacy of the company’s cybersecurity program and see if their intellectual property and trade secrets are still, well, secret. The Securities and Exchange Commission might not be able to force such disclosures (yet), but analysts and investors can have an easier time getting to the truth.
The bottom line is that we are vulnerable and will continue to suffer cyberattacks. Many will fail, but some will succeed. If we ask the wrong questions and seek the wrong solutions, things will get worse. So let’s all take a deep breath and think strategically about what to do next.
Brian Finch is a partner at Dickstein Shapiro LLP and an adjunct professor at George Washington University Law School.