The recent ransomware cyberattack on the Colonial Pipeline in the US has exposed how vulnerable critical infrastructure is to hackers, whether they are motivated by money or politics. What can we do about this?
Part of the way forward is acknowledging that there is no longer a distinction between cyber and physical security. The world runs on tech, so people are right to worry about it, Microsoft President Brad Smith said during a livestream discussion on cybersecurity hosted by GZERO Media and Microsoft. The conversation, "Beyond SolarWinds: Securing Cyberspace," held in collaboration with the Munich Security Conference as part of their "Road to Munich" series, was moderated by former US Homeland Security senior official Juliette Kayyem.
The latest attack is different in scale, but not new. And one of the reasons these hacks are likely to become more frequent, he added, is that our defenses are not keeping up with the threats.
Ian Bremmer, president of Eurasia Group and GZERO Media, agreed. Cybersecurity, he explained, is a top risk because there is new tech and no architecture to stop cybercriminals. Moreover, the US relations with the two other countries with similar cyber-offensive capabilities — China and Russia — are at their worst point in decades, with no chance of a reset anytime soon.
Two months before the Colonial Pipeline hack, the cybersecurity buzz was all about SolarWinds, another major cyberattack on thousands of firms, including US government agencies, blamed on Russia. Smith said that SolarWinds showed how sophisticated hackers have become, and Wilson Center President Emerita Jane Harman added that the US bungled its response because a private firm found out before anyone else.
The silver lining from both attacks, Harman noted, is that they pushed the Biden administration to issue an executive order that mandates private corporations to immediately inform the government of such cyberattacks.
Meanwhile, the US needs to rethink its military procurement. For Ian Bremmer, the Pentagon spends a lot on tech to upgrade legacy hardware, but nowhere near enough on cyber — the opposite of what China's doing. That's right, Harman noted, but the DOD and Congress will likely push back.
The wider problem, however, is that we now live in the world where governments are not solely responsible for defending our critical infrastructure, Smith said. How the private sector responds is equally important.
Biden's executive order, he added, is no panacea but it is the most significant step forward in decades because it mandates companies that do business with the federal government to take this issue a lot more seriously. And that'll influence how software is developed across America because the federal government contracts out so much of its IT work.
More broadly, the chances of a more sustainable solution to the problem lie in more international cooperation, said Wolfgang Ischinger, chairman of the Munich Security Conference.
Although governments no longer have the monopoly on power to do harm to each other, the US should still reach out to its allies to fight cybercrime together. This may sound like a dream right now, he admitted, but then again so did nuclear disarmament at the height of the Cold War.
For Smith, who has long called for a Cyber Geneva Convention to set global norms, the reasons now are the same as in the aftermath of World War II: we have a moral and legal responsibility to protect civilians, who are ultimately the most vulnerable to the consequences of cyberattacks.
"Beyond SolarWinds: Securing Cyberspace," a Global Stage live conversation on cyber challenges facing governments, companies, and citizens, was recorded on May 18, 2021, and was held in collaboration with the Munich Security Conference as part of their "Road to Munich" series. Sign up for alerts about more upcoming GZERO events.