Facing the Hard Truth of Our Cyber Insecurity
What’s New: Recent cybersecurity incidents illustrate that, despite decades of awareness, the US remains systemically vulnerable to online threats.
Why This Matters: Indifference, paralysis, and distraction are causing the US to assume mounting risks that are more complex and more costly to mitigate.
High-level concerns about American cybersecurity date back to 1983, when then-President Reagan — after watching the movie WarGames — asked his National Security Council, “Could something like this really happen?” [1]
Three days later, then-Chairman of the Joint Chiefs of Staff General John Vessey told Reagan that, “The problem is much worse than you think.” [2]
Since then, dozens of official reports and assessments — each more urgent than the last — have catalogued the nation’s cyber vulnerabilities and called for action.
Most recently, the US Cyber Solarium Commission issued this stark warning:
“Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions … The reality is that we are dangerously insecure in cyber.”
This assessment has been proven true in just the last several weeks, as we have learned more about the massive “Holiday Bear” hack that compromised hundreds of government and private networks and of last week’s attempted compromise of a water treatment facility in Florida.
Also last week, some of the nation’s top cybersecurity professionals were again warning Congress that drastic action is needed.
What I’m Thinking:
Things have gotten better. An honest assessment of the situation must admit that remarkable gains have been made, especially over the last two decades. The 2021 National Defense Authorization, for example, includes several of the Solarium Commission’s recommendations that will now be put into practice. The establishment of the Cybersecurity and Infrastructure Security Agency (CISA) has also greatly enhanced our well-being and sets the conditions for future improvements. But, we are far from secure.
All the easy choices have been made. During his testimony, former CISA director Chris Krebs told lawmakers that, even though the agency has an annual budget exceeding $3 billion, more resources and authorities are needed to meet even the basic demands of securing government systems. Those concerned about wasteful government spending and general incompetence may understandably question this claim and resist this call. But, if they do, they must also be prepared to accept the accumulating risks of an ever-growing — and systemically insecure — American “threat surface.”
A fundamental re-think is required. We cannot “hack” the nation’s cybersecurity. By this I mean that there are no shortcuts, there are no “cheap” solutions, and there are no paths forward that do not require meaningful tradeoffs. More specifically, government and industry leaders must understand that there is no scenario where the US is able to secure its cyber interests absent a deep integration of the private and public sectors in both information security strategy and policy. Cybersecurity is a challenge you manage, not one you solve, and we will not effectively manage this challenge until we accept its scope, consequences, and resource requirements.
Biden To Sign Executive Order on Semiconductors
What’s New: The White House says President Biden will soon sign an executive order (EO) to address a shortage of semiconductors.
Why This Matters: Semiconductors — the “brains” of every digital thing from watches to aircraft — are an increasingly constrained resource and are at the heart of geopolitical technology competition.
A shortage of semiconductors has become apparent across multiple sectors of the economy.
Several car makers — including Ford, Subaru, and Toyota — are slowing down some assembly lines because they cannot acquire needed chipsets.
[The shortage] “is one of the central motivations for the executive order the president will sign in the coming weeks to undertake a comprehensive review of supply chains for critical goods,” said White House Press Secretary, Jen Psaki. “The review will be focused on identifying the immediate actions we can take — from improving the physical production of those items in the U.S., to working with allies to develop a coordinated response to the weaknesses and bottlenecks that are hurting American workers.”
What I’m Thinking:
This is about more than cranking out cars. Semiconductors will enable virtually every technology shaping our collective future, from fifth-generation wireless networks to hypersonic missiles. This means that any nation seeking to ensure its ability to realize and benefit from these technologies must think about how it will guarantee access to these chips – even in the face of economic or geopolitical disruption.
General-purpose chips are still important, but tailored AI chipsets are where the game is going. Between the 1960s and the 2010s, general-purpose semiconductors doubled their transistors while shrinking their overall size roughly every two years. Now, however, with state-of-the-art transistors being only several atoms wide, this evolution appears to be slowing. This is important because AI applications are ravenous when it comes to data processing power and speed. Put simply, AI currently requires specialized microprocessors to perform its most consequential and promising applications – including those forming the future foundation of national security and economics.
This is all part of the new “great game.” As their Made in China 2025 strategy and other plans make clear, the Chinese Communist Party (CCP) has concluded that having a domestic capability to design and manufacture critical technologies is a prerequisite for realizing their national ambitions. Washington, likewise, understands that making its own semiconductor supply chains more resilient is essential for its national security and economic competitiveness, as is stopping (or at least slowing) the development of domestic Chinese capacity for advanced chip design and manufacturing. The American urgency for securing microchip supply chains is further underscored by a growing awareness of how China uses its “private” companies as extensions of the CCP’s espionage capacity.
Commerce Pick May Forecast Approach on Chinese Tech
What’s New: President Biden’s pick for a high-level appointment at Commerce may indicate how he wants to approach tech competition with China.
Why This Matters: According to the Wall Street Journal, the President’s choice for undersecretary for industry and security is down to Mr. Kevin Wolf — a highly regarded export-control lawyer and former Obama official — and Mr. James Mulvenon — an expert on technology and the Chinese military at the defense contractor SOS International, LLC.
Mr. Wolf’s “hall file” is that he is a wicked-smart lawyer with an almost encyclopedic knowledge of export regulations. Some observers, however, are worried by the fact that, in private practice, he has helped several American companies win exemptions to the US blacklist on tech exports.
Mr. Mulvenon, on the other hand, is said to believe that Washington and Beijing are fighting one another for technological dominance and that a hard line on tech exports is essential, even if it hurts corporate bottom lines.
“This job has transcended the world of narrow export-control policy-making and is now squarely at the center of U.S.-China security and technology competition,” said Evan Medeiros, a former Obama administration China expert who is now at Georgetown University.
What I’m Thinking: Helping American companies to legally do business is not disqualifying. But, it is also true that “personnel is policy,” and so it’s reasonable to see this pick as indicative of the administration’s broader approach. So, here’s hoping Team Biden chooses their appointee wisely and, even more importantly, chooses wise policy.
That’s it for this Monday Brief. Thanks for reading, and if you think someone else would like this week’s newsletter, please share it with your friends and followers.
Have a great week!
Kaplan, Fred M. 2016. Dark territory: the secret history of cyber war.