Recent cyber attacks that have done damage to critical infrastructure have raised concerns about escalation to real-world military response. The Biden administration addressed this directly last week, as the president told the country that he believed a significant cyber attack by a major power could be a pretext for a “real shooting war” at some point in the future. The comments came as President Joe Biden made a speech at the Office of the Director of National Intelligence (ODNI), highlighting the growing threats that Russia and China primarily represent to national security in the cyber sphere.
Biden warns of “shooting war” in response to serious attack on critical infrastructure
Speaking in the wake of the recent attacks on Colonial Pipeline, JBS and Kaseya, Biden said that a “shooting war” was not off the table should a similar attack on critical infrastructure or a cyber threat to online security emerge and be found to be backed by a nation-state threat group.
Biden’s comments to the ODNI were framed in such a way as to suggest that he thinks the greatest likelihood of the United States getting into a “shooting war” would be as a result of a significant enough cyber attack of this nature. Russia was an obvious target of speculation about who this was addressed to, given that the country’s state-backed hacker teams have already been caught meddling in elections and exploring the power grid. Russia has not taken a concrete step in attacking critical infrastructure as of yet, however, with the Colonial Pipeline and JBS attacks tied to private criminal actors working out of the country without any known government assistance. But Biden was not afraid to name China directly, citing President Xi’s desire to make the country’s military the world’s dominant power and to make it the world’s leading economy by the mid-2040s.
While Biden’s “shooting war” comments may seem inflammatory, relations have actually improved with Russia as of late. A June 16 summit in Geneva between Biden and Russian President Vladimir Putin saw the American president share a list of off-limits critical infrastructure with his counterpart, accompanied by an exhortation to stop giving criminal groups safe harbor in the country. The rapid disappearance of the groups behind the recent string of critical infrastructure attacks may be owed to the influence of the Russian government finally taking a more active role in policing its own territory. The two countries have also formed an ongoing working group to address cyber attacks that could impact national security.
However, Biden made clear that the US still considers Russia a threat. Biden called the prior election meddling and an alleged disinformation campaign targeting the 2022 elections a “pure violation of our sovereignty” and said that he believes Russia is a dangerous adversary as its economy is shrinking and is almost entirely reliant on oil. Biden did not elaborate on that comment, but it is possible it alludes to the fact that rivals such as Iran and China have recently been observed hacking for profit.
Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4, points out that “shooting wars” with any of these powers are still very unlikely given how hard it is to fully confirm the source of an attack: “The problem of attribution … It can be *really* (and I mean, really) hard to know with certainty who the “real” aggressor is in a digital attack. That can be a function of how an attacker routes their attack through the internet, it can be because the attack is bland and then the victim is trying to guess who might have the motivation and capability needed to launch such an attack, and it can even be that the “real” attacker intentionally leaves clues to make it look like the attack was perpetrated by someone else (e.g., imagine a piece of malware released from China or North Korea that has Russian references within the source code). Imagine the fall out of starting a shooting war with the wrong nation because of a false flag operation carried out digitally.”
“Shooting war” would hinge on serious threat to national security
None of this means that the US is preparing for some sort of retaliatory war against a rival. The Trump and Obama administrations both alluded to the possibility of a “shooting war” in response to hacking at different points. Each administration issued strategy papers, one in 2011 and the other in 2018, proclaiming that the US reserved the right to use physical force in response to cyber activity that threatened national security.
Though he warned that China has long-term ambitions to dethrone the US as the preeminent military and economic power, Biden seems to be less focused on that country’s present level of cyber threat. The president’s only recent action was to issue a 90-day review (in late May) that investigates the possibility of Covid-19 originating from a Chinese lab.
While not committing to specific activities against either rival, the Biden administration has been beefing up the nation’s general cybersecurity posture as it pertains to critical infrastructure and national security. A recent national security memorandum outlines the Industrial Control Systems Cybersecurity Initiative, a public-private partnership for companies in industries that maintain critical infrastructure. Already tested in a pilot program run with the electrical utilities, the initiative now encompasses the natural gas pipeline industry and will expand to water/wastewater and chemical sectors by the end of the year. The initiative creates new cybersecurity goals for these industries that are expected to enter implementation in September and be complete within one year, with the active assistance of the Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST).
The new national security memorandum followed a second Transportation Security Administration (TSA) security directive aimed at the pipeline industry, which established new cybersecurity requirements in addition to creating a new incident reporting system and implementing a contingency and recovery plan for cyber attacks.
New rules and legislation are required in this situation as 80-90% of the nation’s critical infrastructure is overseen by private companies, and to date there has been little in the way of hard cybersecurity regulations for them to follow. A bipartisan bill has been introduced that would require these companies to report anything that might constitute a national security threat to the appropriate federal agencies within 24 hours of discovering it.
Jon Clemenson, director of Information Security for TokenEx, notes that more legislation is in the pipes but that organizations should also be proactive about the realistic likelihood of being targeted by advanced hackers: “It’s great to see measured steps in the right direction. There are several, similar initiatives also working through Congress at the moment. An incident reporting bill (ALB 21B95 K29), a bill to establish a civilian cyber reserve (S.1324 – Civilian Cyber Security Reserve Act), another that removes punitive damages levied against organizations with appropriate cyber controls in place, (essentially, a carrot to incentivize the positive action of organizations versus the stick of litigation or being made example of). All good initiatives to bring cybersecurity and data protection process and technology to the forefront of actions for all organizations, not just federal … Often in the cybersecurity space, the government does something first (think: NIST controls), and then efforts trickle down to private sector organizations. My challenge to organizations is: why wait, when the solution is deceptively simple and right in front of you? Concerned about breaches? Then consider tokenization in addition to encryption. Building trust with clients, showing insurance companies that your organization is taking proactive action above and beyond the basics, and enabling data flow while simultaneously protecting the data—the list of benefits goes on. When thinking about Security Posture Management of an organization, tokenization should be a part of every data organization’s portfolio of tools.”