When the Cybersecurity and Infrastructure Security Agency — or CISA — launched the Shields Up campaign early this year, it did so with one goal in mind: to help individuals and organizations defend against cyber intrusions, particularly from Russia. Through its sharing of best practices, tools, and resources to prepare for, respond to, and mitigate the impacts of potential cyber incidents, CISA and its counterparts at FBI and other federal agencies have worked with industry and the American people to maintain a heightened cybersecurity posture in the face of continuing cyberthreats stemming from the current crisis.
Through this extensive coordination across the public and private sectors, underpinned by the Biden administration’s elevation of cybersecurity as a core national security imperative, this approach is working. Despite relentless Russian cyberattacks on Ukrainian networks, which have had spillover impacts on the networks of other European nations, the U.S. has not to date suffered a major Russian state-sponsored attack. But, as we in the cyber world are well aware, the prospect of cyberattacks here at home — whether by Russia or other malign state and non-state actors — will not dissipate anytime soon, raising the important question: When will we be able to put our shields down?
In today’s complex, dynamic, and dangerous cyberthreat environment, the answer is that our shields will likely be up for the foreseeable future. But while we will never stop defending cyberspace, maintaining a maximum alert posture is not sustainable over a long period of time, and could lead to vigilance fatigue — the opposite of what we are aiming for in building a collective cyberdefense.
How, then, should we maintain our cybersecurity posture in the long term? We need an approach that is audacious as well as actionable, protective as well as practical.
First — the government must continue to work with private sector leaders to make the necessary investments in cybersecurity. When empowered by their leadership, security teams at companies across the business world can take meaningful steps to improve the resilience of their systems so that they have some natural ability to prevent cyber intrusions. This work will ultimately raise the cybersecurity baseline of our nation and make us collectively more secure and resilient to cyberthreats — including both the current threats from Russian cyber actors and ongoing and future threats from other nation-state adversaries and criminal groups.
Second — there will certainly be times when we must respond to periods of elevated threats with a heightened sense of alertness and associated measures to detect, respond to, and recover from potential cyberattacks. Recognizing that responders are more effective when provided with specific, actionable information, a cyber alert and advisory framework that provides timely warning and recommended actions is the natural successor to today’s “all-on” Shields Up approach.
As part of this framework, we should aim to tailor warnings about cyber incidents to the specific threat being addressed. Cyber incidents, like weather events, can range from the large-scale to the local. When a cyberthreat arises that is both severe and wide-ranging, a general warning to the American people will be warranted. But when a more localized threat arises — local in terms of geography, sector, and/or system — a far more targeted warning must be issued, comprising actionable guidance with corresponding specificity. With this new normal baseline — marked by continuous investments in resilience, and an alert system primed to catalyze the right response by the right people at the right time — we will all be better off.
Cybersecurity requires a whole-of-government and whole-of-society effort. We all must double down on our investments in the inherent resilience of our systems. For individuals, this means implementing multi-factor authentication on accounts with sensitive data, updating software, and using strong passwords. For businesses and organizations, this means devoting the time and resources to reducing the likelihood of a cyber incident before one happens and to putting sound plans in place to detect and mitigate damage in the event that one does happen. And lastly, those with the expertise and knowledge of the cyberthreat landscape have an obligation to complement and assist in these efforts, and to do so in a way that gives individuals and organizations confidence in their ability to respond. We all have roles and responsibilities in cyberspace, and we can and must work together to strengthen our collective defense.
While it may feel as if we are living in a new normal marked by cyberattacks constantly in progress or on the horizon, we must use this moment to seize the opportunity to make fundamental improvements in the cyber ecosystem. This “new normal” invites us to recognize that cyber criminals and nation-state adversaries will fail if we — the government at the federal, state, and local levels, industry, academia, non-profits, and all of us as individuals — work together to secure our networks, systems, data, and way of life from cyberthreats.
With each of us playing our part, we can make it so that our adversaries will have to beat all of us to beat one of us.