Homeland Security Cybersecurity

The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Wednesday, Aug. 22, 2018. The center serves as the hub for the federal government's cyber situational awareness, incident response, and management center for any malicious cyber activity. (AP Photo/Cliff Owen)

U.S. Sen. Lindsey Graham warns that the nation is under attack from hackers working for hostile governments and cyber criminals, and that it has to do a better job of defending itself. That is an understatement at this point, but the South Carolina Republican is right to hammer it home.

So how do we go from talking about the complex problem of protecting our country to actually doing it?

It’s urgent that the U.S. move beyond sanctions that so far have failed to have the desired effect and commit America’s considerable technology and brainpower to improving cybersecurity. That must include developing the ability to strike back at attackers and any state sponsors. All of this will take a major commitment of resources, but cyberspace has become another battlefield with the potential for grave consequences for all Americans if we fail to act now.

These attacks include efforts to compromise critical infrastructure, particularly in the energy sector such as the electrical grid. Russian hackers already showed the cunning and skill to shut down Ukraine’s electrical grid for hours in 2016. The same hackers likely are to blame for disrupting a Saudi Arabian oil and gas plant in 2017.

Sophisticated hackers clearly want to do the same kind of harm, or worse, to the United States. They were detected planting malware in devices that control the U.S. electrical system, giving them the potential to seriously disrupt American life and endanger U.S. citizens. The nation’s infrastructure and industries also have been attacked by Iran, North Korea and China.

While the cyber theft of critical information and trade secrets is an ongoing problem, the most recent attacks, especially by Russia, raise the threat of real physical damage.

The shocking news to emerge from Sen. Graham’s hearing is that there is not much we can do about it at this stage because we are so vulnerable. It is going to cost trillions of dollars and take years to update information technology systems in federal, state and local governments and industry. The federal government alone spends an estimated $100 billion a year or more on IT and is still falling behind.

At a recent hearing of his Senate Judiciary subcommittee, Sen. Graham’s Democratic colleagues Sen. Richard Blumenthal of Connecticut and Sheldon Whitehouse of Rhode Island argued that the United States should respond in kind to attacks. Mr. Blumenthal bluntly said we need to “fight fire with fire” while Mr. Whitehouse proposed that the U.S. “hack back.”

Punishing cyber criminals and hostile nations with reciprocal action likely would force them to curtail their activities. It also would give citizens some much-needed confidence that their government is actively protecting them. But that might not be a viable option at this point.

The former general counsel of the National Security Agency, Stewart Baker, sounded that warning in a recent Washington Post op-ed. He quoted the nation’s top cyber warrior, Army Lt. Gen. Paul Nakasone, as lamenting that our adversaries don’t fear us because “the United States is so reliant on computer networks that we’re afraid to launch a tit-for-tat exchange in cyberspace.”

The solution, Mr. Baker wrote, is that, “We need better, more aggressive options to deter cyber attacks, since the ones we’ve come up with so far are clearly not deterring our adversaries.”

He suggested some technical options that could cause proportionate disruption in case there was a real, as opposed to threatened, attack. And he rightly called for a debate on what other options might be developed.

But there is a larger problem.

While Sen. Graham has performed a valuable service in drawing public attention to our new peril, it will take a major commitment of resources comparable to the NASA moon project or the development of American strategic forces to bring our information technology networks up to a high standard of security (they will never be entirely secure). The nation also must develop a new cyberwar doctrine that draws a red line against certain kinds of intrusions and declares them real acts of war to be met accordingly.

The only solution is a resolute effort to improve our defenses and warn our adversaries of their peril if they persist in attacking us. The threat to the myriad things we rely on in our everyday lives — from banking to energy to transportation to elections, as well as our national security — demands that we take bold action now.