The government has a process for weighing the benefits of exploiting vulnerabilities against the costs to cybersecurity, but it is heavily weighted in favor of offense. Why are we even thinking about this? As soon as vulnerabilities become known, they should be disclosed—responsibly—so that vendors can immediately develop fixes. Government must unambiguously support end-to-end encryption with no back doors. We need to learn our lesson. The U.S. priority must be to close gaps in U.S. defenses, even if this sacrifices offensive capabilities and complicates intelligence collection in the short run.
Second, government must engage in operational, real-time collaboration with the private sector. Here, there is some good news to report.
Mitigating Russia’s offensive cyber operations has been a triumph of public-private coordination. On the day before Russia’s invasion of Ukraine, Microsoft’s Threat Intelligence Center spotted a new form of malware that Russia was using to wipe Ukrainian computers, disguised as a criminal ransomware attack. Within three hours, Microsoft updated its virus detection systems to block the malicious code. Company officials quickly reached out to Anne Neuberger, the White House deputy national security advisor in charge of cybersecurity, who facilitated sharing of the code with partners in Eastern Europe that very night.
As Microsoft’s CEO Brad Smith has explained, his company has gone further, repeatedly neutralizing “Russian positioning, destructive or disruptive measures” against the Ukrainian government, IT sector, and financial institutions. Microsoft accurately described cyberattacks on civilians as a violation of the Geneva Conventions, and offered practical support to the International Committee of the Red Cross (ICRC), as well as defending key NGOs supplying humanitarian relief against ongoing cyberattacks.
Other Big Tech companies have also stepped up. A malicious hacking group called “Ghostwriter” tried to hijack the Facebook accounts of Ukrainian military officials and other public figures, hoping to post fake videos showing the Ukrainians surrendering. That plan didn’t work either. Meta (Facebook’s parent company) discovered the activity and locked down the accounts. Similar efforts to compromise accounts on Twitter and YouTube were also thwarted by the companies themselves.
Such efforts build on outstanding work by Biden’s cyber “dream team.” In August 2021, the Biden administration launched JC/DC—the Joint Cyber Defense Collaborative. The new organization is focused on true collaboration at the operational level to defend the nation’s computer networks, especially critical infrastructure, going beyond the information sharing that characterized previous public/private partnerships. It includes high-level participation by major cybersecurity players, like CrowdStrike and FireEye, as well as Big Tech, including Google, Microsoft, Amazon, Verizon, Cisco, Palo Alto Networks, and many others.
Finally, Congress and the Biden administration must continue pushing—with mandates if necessary—for transformational change in U.S. cybersecurity defenses. Biden’s executive order requiring all federal agencies to adopt a Zero Trust Architecture (ZTA) instead of outdated perimeter-based defenses is a good start. “Incremental improvements will not give us the security we need,” the order reads. The Strengthening American Cybersecurity Act of 2022, which passed the Senate in early March, contains additional reforms to federal cybersecurity.
The next steps will be harder. Securing critical infrastructure and other private networks will be costly; industry will resist. Still, Congress, the Biden administration, and U.S. international partners must put defense first, second, and third. There is no real alternative.
Timothy H. Edgar is a senior fellow at the Watson Institute at Brown University, teaches in its cybersecurity master’s program and is a lecturer at Harvard Law School. He served in the White House National Security Staff under President Barack Obama and is the author of Beyond Snowden: Privacy, Mass Surveillance and the Struggle to Reform the NSA.