The lessons of Ukraine argue for increased openness about public and private sector cyber attacks, two congressmen said on Monday.
A bipartisan pair of lawmakers Monday suggested the model Ukraine is employing to combat Russian hacking may be useful for U.S. industry and government agencies if laid out properly.
“Ukrainians are effectively combating hacking and other cyber attacks by the Russians by basically doing two things: radical transparency about the attacks that are happening in the private sector, in the public sector, and everywhere; and then radical sharing to make sure that everybody can learn from the attacks that are going on,” Rep. Raja Krishnamoorthi, D-Ill., said in a panel discussion hosted by IT management firm SolarWinds at the Rayburn House Office Building.
“And when you share, you usually get information in return as well,” added Krishnamoorthi, who sits on the House Permanent Select Committee on Intelligence.
Rep. Darrell Issa, R-Calif., who sits on the House Foreign Affairs Committee, said lessons learned since Russia invaded Ukraine nearly 16 months ago suggest more information sharing among industry-leading companies and federal agencies leads to better cyber outcomes.
“What we’ve learned in Ukraine has to become an American imperative, which is that there can’t be defense secrets that we keep because we don’t want [adversaries] to know that we know,” Issa said. “At this point, we’re past that.”
Issa said increased engagement with leading cellular communications providers as well as IT infrastructure and cloud computing firms would be a necessity for any nationwide cybersecurity solution. Issa singled out China as America’s greatest cybersecurity adversary, and both he and Krishnamoorthi said about 67% of all attacks on U.S. systems originate in China.
“We can’t do it unless we have an America-wide solution — one that points to China but doesn’t exclude the rest of the world,” Issa said.
The congressman's remarks come three months after the Biden administration released its national cybersecurity strategy, which in large part seeks to shift cybersecurity accountability from users and small organizations to large tech companies. The Cybersecurity and Infrastructure Security Agency, or CISA, will play a key role in executing the strategy across the federal landscape in two ways, according to Eric Goldstein, the agency’s executive assistant director for cybersecurity.
“The first is moving to persistent collaboration at the speed of the adversary,” Goldstein said. “And what that means is that we need a model where the government, with our industry and …our international partners, are seamlessly and frictionlessly working together, day in and day out, to combat the threats that we're seeing today, and getting ahead of the ones that we're seeing.”
Adversaries will work to exploit “any gaps or weaknesses in that collaborative framework,” Goldstein said, which necessitates that companies across sectors, along with the NSA, FBI, U.S. Cyber Command, the Homeland Security Department and international partners “work together” lest the weakest link breaks the cybersecurity chain.
The second shift called for in the national cyber strategy is the shift in burden. Small organizations — like a school district or water utility company — can’t be expected to protect themselves against highly resourced adversaries like the Chinese Communist Party, Goldstein said.
“And so we need the government to do more. And we need those tech providers with the scale and maturity and the competence to do more as well,” Goldstein said. “If we can move to a model where the tech we are using is safe by design and default, and we’re collaborating across partners at speed and at scale, that’s how we stay ahead of the threat, the magnitude of which we’re facing.”
Sudhakar Ramakrishna, SolarWinds President and CEO, said that sort of “secure by design, secure by default” end state has been a framework for his company since his tenure began in January 2021 — one month after Russian hackers injected malware into its Orion products, breaching 9 federal agencies and dozens of companies.
“You don’t think about the airbag in a car after the car is manufactured,” he said. “You think about that — and the safety of it — as you’re designing. The software [providers] and industry need to think about security like quality. You want the customer to get a great quality experience, and therefore a great security experience as well.”