American Security Council Foundation

Trump Got a Space Force. Biden Should Get a Cyber Force.

Wednesday, January 27, 2021

Categories: ASCF News, Emerging Threats, Cyber Security

Nearly lost in the tumult of the insurrection at the Capitol on Jan. 6 and the excitement of Joe Biden’s inauguration is the continuing fallout from the massive data breach of SolarWinds Corp. by suspected Russian hackers. As the new team settles into office, what can it do to keep the nation safe in cyberspace?

Let’s begin with the scale of the hack. SolarWinds was a prime vendor to tens of thousands of clients, including hundreds of Fortune 500 enterprises and nearly the entire U.S. government. It says at least 18,000 entities were affected.

SolarWinds provides an important service: ensuring that software versions are updated in a timely and efficient manner for their clients. This gave it access to customers’ entire networks and databases. By breaking into SolarWinds, the hackers — allegedly the Russian unit known as Cozy Bear — had instant access to that huge roster of firms.

To use a military analogy, the initial attack on SolarWinds was a carpet-bombing, which had immediate (if undetected) effects across the entire field of battle. What happened next was more pernicious: A series of precision-guided strikes directed at top cybersecurity firms such as FireEye, and at key nodes throughout the U.S. infrastructure. This included financial institutions, utilities (disclosure: I serve on the board of a public utility, American Water), defense companies and government entities including the Departments of Homeland Security, State and Commerce.

The scale of the attack is breathtaking, and there is still a great deal we are uncertain about. This is partly because of the sophistication and level of resources available for the hackers (Cozy Bear allegedly has Kremlin support) and because there is still a limited culture of sharing the results of hacks between elements of the public and private sector.

Unlike the airline industry, where a single commercial airliner going down sparks a public accounting and detailed information-sharing between airlines and national governments, cyber still has something of a “keep your cards close to the vest” approach. This is particularly true of software providers such as SolarWinds, which are operating in highly competitive markets.

Despite the offensive advantages of cybercriminals, the U.S. can collectively do a better job at defense. SolarWinds was a clear demonstration that technology alone cannot solve cybersecurity problems. The Department of Homeland Security’s sophisticated Einstein intrusion-detection system didn’t keep hackers from going unnoticed for almost a year.

This means U.S. firms and the government must put a greater priority on supply-chain security and third-party risk management to root out attackers at the initial source of compromise. This time it was SolarWinds, but there are thousands of other software suppliers that could be next.  

The Biden administration faces plenty of pressing international security issues: returning to the Iran nuclear deal (or not); restarting negotiations with North Korea; developing a coherent strategy to deal with China; creating a stronger partnership with India; recovering a smooth relationship with the European Union, among many others. But the challenge that concerns me the most is the cybersecurity vulnerabilities of critical infrastructure and democratic institutions from external state and nongovernmental actors.

At the top of the to-do list is getting out the excellent report of the federal Cyberspace Solarium Commission and following the majority of its recommendations. Released last July, it is full of very specific and sensible ideas for improving America’s cybersecurity policy.

The commission’s executive director, retired Admiral Mark Montgomery, should be called into the administration at a high level — his energy and understanding of both the cyber landscape and the mechanisms of the federal government are unparalleled. The organizational ideas in the report include getting serious representation of cyberspace experts into the White House and a position on the National Security Council staff with enough authority to require Senate confirmation.

Other ideas from the bipartisan commission — led by Senator Angus King, Independent of Maine, and Representative Mike Gallagher, a Wisconsin Republican — include greater scrutiny of risks posed by the emergence of quantum computing, allowing Defense Department personnel to get government funding for cybersecurity education, and encouraging higher levels of private-public collaboration to increase the security and resilience of the national critical infrastructure.

The administration should also create a full-fledged Cyber Force. The Donald Trump administration correctly created a Space Force, recognizing how much of national security relies on the ability to operate in space, and that securing it requires specific skills concentrated in a single organization. Likewise, we are overdue for an elite, independent branch of the armed forces in which all the personnel wake up every morning thinking about defending the nation in cyberspace.

A long-overdue step is splitting up the National Security Agency and the U.S. Cyber Command. The former is an intelligence-gathering entity that should be led by a senior civilian, preferably one with both legal and cybersecurity training. The latter is a military combatant command under a four-star officer. Both are now led by the same person, the Pentagon’s head of Cyber Command. But each is far too large, vital and fundamentally different in mission to share a leader.

Obviously, the pair of agencies would continue to share information and be deeply entwined, much as with the Central Intelligence Agency and Defense Department. But over time, each would be strengthened by a formal split. Congress has already authorized this separation, but the secretary of defense has to certify the change.

There are many other ideas for the new administration to explore, from a national cyber-insurance structure (like national flood insurance) to mandating higher levels of transparency from companies when they are hacked. Those are longer-term conversations. But the SolarWinds hack shows that public and private entities need to move smartly to enhance the level of protection in cyberspace. The Solarium Commission report, creating a Cyber Force, and splitting up the NSA and Cyber Command are good places to start.

Photo: Don’t click there - Photographer: Chris Ratcliffe/Bloomberg

Link: https://www.bloomberg.com/opinion/articles/2021-01-25/biden-needs-to-prepare-for-the-next-big-hack-like-solarwinds
