The Implications of Publicly Disclosing Cyberattacks
Officials must weigh the benefits and risks on a case-by-case basis.
For decades, cyberattacks, counterterrorism events and acts of espionage happened in secret—and stayed there. Even when an attack was not successful, news of its existence remained behind closed doors. Government officials typically avoided public revelation and discussion of attacks, working to remediate incidents quickly, either covertly or diplomatically.
That is why it was so remarkable when the federal Cybersecurity and Infrastructure Security Agency openly discussed a state-sponsored hacking group's attempt to breach the Port of Houston, one of the most prominent port authorities in the country. During a Senate Homeland Security and Governmental Affairs Committee meeting, CISA Director Jen Easterly spoke openly about hackers exploiting a zero-day vulnerability.
This disclosure would have been unheard of a few years ago, as an unsuccessful attack on critical national infrastructure would have only been the subject of whispers—if discussed at all. But this was the right call, given the circumstances of the incident. And the U.S. government should continue down this new path of more openness around thwarted attacks.
The obvious question is: Why change now?
There is one obvious answer: deterrence. Public acknowledgment sends a message to the aggressor: We saw you and we caught you. It tells cyber enemies—namely nation-state antagonists—that they need to think critically before launching a cyberattack. And, in a setting as public as a Senate committee hearing, that message travels far beyond the aggressors behind a specific incident.
Such a disclosure means it is unlikely that we will see an attack of similar nature in the future. This classic strategy harkens back to similar game theory discussions during the Cold War. Suppose both parties obtain nuclear weapons and have their fingers on the button. Then, both are deterred from acting, fearing action from the other.
There are other benefits to open discussion of attack mitigation, of course. For one, it signals to American citizens that their taxpayer dollars are working and the country's cyber defense is strong.
But with those benefits also comes risk. The more we reveal about foiled cyberattacks, the more information we yield to hackers, who can use it to evolve their methods and become more sophisticated in their attacks.
So which prevented attacks should we broadcast and which should we keep classified?
To effectively answer, we must consider critical national infrastructure. Whether the goal is financial gain or business disruption, this sector is a primary target for nation-states and cyber-criminal groups despite the Biden administration's efforts to make certain industries off-limits. Successful attacks can cause significant consequences, threatening the water supply, energy access or even human life.
That is why public communication was a smart decision in the case of the Port of Houston attack: It allowed other CNI institutions to learn from an effective defensive strategy. In this case, the broader learnings from a national security education standpoint outweighed the potential learnings from the aggressor.
Broadcasting the prevented attack also encourages infrastructure operators to work directly with the government to bolster their defenses. Since over 85% of critical infrastructure is owned and operated in the private sector and 100% of the nation is dependent on these industries, cooperation with the government is crucial.
Not all attacks have a clear mandate for public discussion; we need to evaluate them case-by-case. In the future, the U.S. government needs to continue to disclose attempted attacks on critical infrastructure to expand education, encourage government cooperation, and expand global cybersecurity deterrence. For a true U.S. cyber strategic advantage, officials need to be thoughtful: weighing whether organizations can learn a broader, big picture lesson from the details of the attack or if explaining our successful defense will give attackers the advantage.
Justin Fier is director of cyber intelligence and analytics at Darktrace.