Two major invasions of widely used U.S. software by rival hostile powers ring an alarm bell about the nation’s vulnerability to cyber attacks that could swiftly cripple the electrical power grid and cause other widespread damage to American lives. The attacks also highlight how vulnerable American businesses, institutions and governments are to the theft of vital secrets.
Indeed, it has been suggested that the recent attacks are a warning to President Joe Biden and may underlie the recent assertion by a Chinese diplomat that the United States no longer speaks from a position of strength.
Any solution will take time, be costly and need frequent improvement. But it is high time for Congress and the president to give this problem a top priority and provide the guidance and funds that will be needed.
Russia is credibly believed to have been behind the compromise of SolarWinds software used by many federal agencies and private corporations. China appears to be behind the compromise of Microsoft email software that, in the words of cybercrime specialist Brian Krebs, has seeded “hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”
These attacks, according to the general in charge of the Pentagon’s Cyber Command, are a “clarion call” to address the nation’s vulnerability to cyber attacks. Army Gen. Paul Nakasone told Congress on March 25 that it needs to ask, “How do we ensure we have as a nation both the resiliency and the ability to act against these types of adversaries?”
Gen. Nakasone’s responsibilities include mounting cyber attacks on adversaries, an action that some advocates of retaliation have urged. But the model of nuclear deterrence, in which neither side attacks the other for fear of being destroyed in return, will not necessarily work against serious cyber attacks.
The “resiliency” urged by the general must include improved defenses against cyber attacks.
There are two broad types of cyber vulnerability. One is created by lax security practices of software users: a lack of password protection, easily guessed passwords, no security software to detect attacks, exposure to identity theft and use of outdated software. There is already a good public education campaign warning against slipshod computer security, but it could be intensified along the lines of the World War II campaign known by its slogan, “Loose lips sink ships.”
Another type of vulnerability — the sale of software vulnerable to attack — needs careful attention. The software industry has long followed a pattern of selling new software before all of its vulnerabilities are known, then following up with “patches” to repair defects, including security flaws, as they are discovered.
Software code breakers — criminals, foreign governments, even people who like to solve puzzles — are often quicker than the software manufacturer to find flaws that can be exploited. This pattern has clearly become a threat to national security, and it requires congressional action to eliminate, or at least sharply reduce, that threat.
Congress should consider whether software makers should be held liable for the losses — often in the billions — caused by the exploitation of flaws in their software. It should also consider whether a new federal agency is needed to review the security of all new software connected to the internet. It took similar steps to reduce risks to the public from negligent automobile manufacturing practices and the introduction of dangerous drugs.
Regulation of the automobile and drug industries has greatly reduced public dangers. It also imposes costs, but those can be justified when outweighed by the improvement in public welfare. Given the high price that’s already being paid due to cyber crime and cyber espionage, and the much greater damage that could occur in cyber warfare, we think there is a strong argument for government action to reduce our vulnerability.