
INTRODUCTION

In the cyber domain the United States’ borders are not protected by allies or oceans, allowing adversaries unprecedented proximity to the United States’ critical infrastructure. Recent major cybersecurity events have clearly outlined the scope of the threats we face. The United States needs to prepare a whole-of-nation strategy to rebuff these threats in cyberspace. Though our adversaries are not coordinating their efforts, their combined efforts are force-multiplying each other’s work.

According to our panelists, and experts throughout the field, the United States’ critical infrastructure is extremely vulnerable to nation-state perpetrated cyber aggression. The companies themselves, as well as the chain of businesses which support them, are being breached daily. Many private and public companies responsible for America’s most critical functions lack basic cybersecurity hygiene. Critical infrastructure assets are high-value targets, especially during wartime. What is different now is that the U.S.’s adversaries are going after these assets during peacetime. The scope, scale, and impact of ransomware have grown significantly since the beginning of the pandemic, and reporting of these attacks has increased dramatically.

Based on the recent summit between President Biden and Vladimir Putin, this is only the beginning of the beginning, not the beginning of the end of cyber negotiations. According to General Nakasone, Commander of US Cyber Command, speaking during a public Congressional hearing, Russians have compromised the electrical grid. Their pulling the trigger would be catastrophic. The United States must make a whole-of-nation effort to prepare for this ever-growing threat surface.

The Potomac Institute’s esteemed panelists provided insights into the world of cyber criminality and warfare, considered the geopolitics of cyberspace, and offered their thoughts and recommendations as to how our nation can respond.

NATION STATES as SAFE HARBORS for CRIMINALS

Criminals are safe from extradition. The idea that Russia, for example, is not perfectly aware of the cybercriminals that operate out of the country is naïve. The criminals, for their part, may be acting almost entirely out of desire for money, but the states that harbor them are getting something much more important: they are gaining an infrastructure of capable, skilled, and often trained individuals that can conduct sophisticated, and sometimes devastating, cyber operations. Though not conducted at the behest of adversarial governments, these criminal gangs run like a mafia-protected system in Russia.

The United States must develop a separate strategy for deterring foreign cybercriminals. For example, cybercriminals took down the health system in Ireland, and that attack directly caused deaths in that country. Similar, and potentially worse, attacks have already occurred in the United States. The United States government would be naïve to assume that it will not happen again. The United States government needs to make it clear that countries that harbor cybercriminals will face consequences.

According to one of the panelists, a potential course of action would be to designate these cybercriminals as terrorists. That would provide the administration important tools to take down these networks through extra-territorial actions. Some experts believe that the United States, in accordance with the Law of Armed Conflict, in the name of self-defense, could go into foreign territory and break up cybercriminal networks. The United States needs to rely on its allies in creating an international understanding that conducting what is effectively state-sponsored cyber-terrorism is unacceptable.

NOTABLE ADVERSARIES

RUSSIA

To understand Russia, one must look at the larger geopolitical picture. President Putin has found innovative ways to exert influence through cyberspace regardless of Russia’s comparative conventional military disadvantage. One of our panelists believes that Russia’s goal is to bring cyber weapons into the arms control regime and to be recognized as a major global player, especially in the eyes of eastern European states as the European Union weakens.

The Russian government has made concessions to the United States, saying that they would crack down on cyber gangs within their country. Our experts agree that Putin and his administration are well aware of the cybercriminal activity taking place within their borders. This is likely an empty gesture, and the United States should operate under the assumption that attacks from this region will continue.

CHINA

For years, the Chinese goals in cyberspace focused on intellectual property theft, industrial espionage, and collecting as much personal identifying information on as many people around the world as they could.

The Chinese endeavor to control the very infrastructure and technology that forms the foundation of the internet. They’ve doubled down on efforts to control 5G networks, the microelectronics that we use in our systems, and access points around the world. This is a growing concern that will need to be addressed.

RECOMMENDATIONS

One of the panelists argued that efforts to navigate this era of cyber warfare need to be led by the White House. The Executive Order from May of 2021 made significant progress in establishing standards for government agencies. However, this is not enough to protect our largely privatized critical infrastructure.

As cybersecurity events continue to threaten critical infrastructure in the United States, the whole nation needs to have a concerted strategy. Cyber threats should be no exception. There are many avenues by which the United States can impose consequences on those countries harboring cybercriminals. The difficult question to answer, however, is what is the proportional response?

Most of our critical infrastructure – 85% of it – is in the hands of the civilian sector. Congress must produce legislation that can effectively incentivize companies to make the necessary investments to insulate themselves and their customers from harm driven by gaps in cybersecurity. The government, for the sake of the public good, must ensure this level of security.

CONCLUSION

The United States faces an unprecedented threat in cyberspace. Every adversary should be taken seriously. Our infrastructures have such true vulnerabilities at the core of every system that it is relatively inexpensive and easy to cause harm. With that in mind, we should not focus all of our efforts on one single threat. A unified strategy that can handle the growing threat of cybercriminals as well as the growing list of nation-state actors is an imperative that must be met.

Mr. Overman retired from Northrop Grumman Electronic Systems as VP & GM of the Systems Development & Technology Division which was the focal point for emerging programs, mission/system concepts, discriminating technologies and profitable growth of a multibillion-dollar Sector. Responsibilities included: research, development, test and reduction to practice of systems deployed from underseas to deep space. In this organization value focused world class teams created, pursued, won and successfully executed programs bridging concept to capability growing the top line while generating current year profits.

The organization’s success was process based and sparked by distributed, empowered leadership. A record number of Vice Presidents and Presidents graduated from the group. Kelly has stated: “It’s all about people and teams. Once objectives are wider than your shoulders you must have a team. Successful teams couple a common vision with empowered, distributed leadership. The difference between a leader and a driver is less than a foot. A driver builds a fire under butts, a leader builds a fire in many a belly. The key is a clear contagious vision and people who have something they want to do more than something they want to be.”

Focus areas included:
Missions: Space, Air, Land, Surface, Undersea & Cyber with systems, assets & weapons employed to secure offensive, defensive and intelligence functions.
Commercial spin offs: Law Enforcement, Commercial Security Systems & Electric/Hybrid automotive propulsion (R&D 100 Award).
Technology: EW, RADAR, EO, CNI, SIGINT, IW/IO, Cyber, Chem-Bio, Power, Vision/Telepresence, Collaboration, Materials/ICs.

Mr. Overman represented Westinghouse on AIA. His team participation includes: the USAF Advisory Board Study on Asymmetric Warfare (9-11), the National Security Forum of the Air War College, National Laboratory Reviews, the Secretary of the Air Force Special Advisory Group and the OSD DSB Study 21st Century Military Operations in a Complex Electromagnetic Environment.

He has authored articles and presentations on signal processing, situation estimation theory, fusion, quantum impacts/opportunities, information defined - HW & SW enabled systems, mission information superiority, lateral thinking, value growth business strategy, characteristics of successful entrepreneurial organizations, teams and leadership. He is an active contributor to business strategy, advanced programs, future missions, systems, techniques and technology.

Mr. Overman holds a BSEE from the University of Arkansas and a MSEE from the University of Pittsburgh. Executive studies include the Center for Creative Leadership, the Brookings Institution and Harvard Business School. He is a member of: Tau Beta Pi, Pi Mu Epsilon; Eta Kappa Nu, the University of Arkansas Academy of Electrical Engineering and the Association of Old Crows. He holds an FAA Pilot License, a USCG Captain License, as well as multiple patents and awards for presentations/papers. In free time, Mr. Overman loves sailing, racing and classic sports car touring with his wife and soul mate BJ, another engineer.

 

Tania Elliott, MD, FAAAAI, FACAAI, is an expert in telemedicine and digital health, leveraging connected care technologies to bring care to patients, wherever they are. Passionate about the quadruple aim, she creates solutions to improve quality, efficiencies, access, and patient and care team experiences.

She is currently Chief Medical Officer of Virtual Care for one of the nation’s integrated delivery networks, advancing adoption of hybrid care and remote patient monitoring across the care continuum.

Previously, she served as a clinical solutions medical director at a Fortune 5 healthcare company supporting the development of telemedicine reimbursement policy and digitally enabled women’s health and cardiovascular programs to improve patient engagement and reduce medical costs. She has cared for thousands of patients through synchronous video visits, and has trained physicians across the country on how to effectively practice via telehealth, including developing best practice standards, continuing medical education, and graduate medical education programs in virtual care.

Dual board certified in Internal Medicine and Allergy and Clinical Immunology, Dr. Elliott has published in multiple peer reviewed journals on the use of telemedicine and digital technologies in healthcare. In 2019, she was named Medical Marketing and Media's (MM+M) Top 40 Healthcare Transformers.

She currently chairs the Telemedicine and Technology Taskforce for the American College of Allergy Asthma and Immunology, and is a mentor for Stanford University's Masters in Clinical Informatics Management Program.

She is a graduate of Jefferson Medical College, completed her residency at Mount Sinai Medical Center in New York, and Fellowship at NYU Langone Hospital Long Island. She holds a BA in Biology from Haverford College.

Dr. Waltzman has 39 years of experience performing and managing research in Artificial Intelligence applied to domains including social media and cognitive security in the information environment. He is formerly Deputy Chief Technology Officer and a Senior Information Scientist at the RAND Corporation in Santa Monica, CA. Prior to joining RAND, he was the acting Chief Technology Officer of the Software Engineering Institute (Washington, DC) of Carnegie Mellon University. Before that he did a five-year tour as a Program Manager in the Information Innovation Office of the Defense Advanced Research Projects Agency (DARPA) where he created and managed the Social Media in Strategic Communications (SMISC) program and the Anomaly Detection at Multiple Scales (ADAMS) insider threat detection program. Dr. Waltzman joined DARPA from Lockheed Martin Advanced Technology Laboratories (LM-ATL), where he served as Chief Scientist for the Applied Sciences Laboratory that specializes in advanced software techniques and the computational physics of materials. Prior to LM-ATL he was an Associate Professor in the Department of Computer Science at the Royal Institute of Technology in Stockholm, Sweden, where he taught and performed research in applications of Artificial Intelligence technology to a variety of problem areas including digital entertainment, automated reasoning and decision support and cyber threat detection. Before his professorship he served as a DARPA Program Manager focusing on Artificial Intelligence and Image Understanding. Dr. Waltzman has also held research positions at the University of Maryland, Teknowledge Corporation (the first commercial Artificial Intelligence company in the world where he started in 1983), and the Applied Physics Laboratory of the University of Washington.

On 24 November 2021, a consortium of twenty expert organizations from the cybersecurity community jointly published the second edition of the Guide to Developing a National Cybersecurity Strategy (NCS) to assist countries in their ongoing effort to develop, update, and implement national cybersecurity strategies including cyber-preparedness and digital resilience. The Cyber Readiness team at the Potomac Institute for Policy Studies provided extensive experience, knowledge, and expertise, as well as references to relevant aspects of the Cyber Readiness Index 2.0 (CRI 2.0), to the development of both the first edition of the Guide, published in 2018, and to the second iteration published today. The new edition of this good practice guidance reflects the evolving nature of cyberspace, as well as emerging security trends and threats that can impact the national security and economic wellbeing of a country and should, therefore, be included into national strategic planning.

In the last decade, most countries have both accelerated their digital transformation and become increasingly concerned about the immediate and future threats to their critical services, infrastructures, sectors, institutions, and businesses, as well as to international peace and security, that could result from the misuse of digital technologies. This fast-changing cyber threat landscape, the increased dependency on information and communication technologies (ICTs), and the proliferation of digital risks call for continuous improvements to national cybersecurity strategies. While more than 127 countries have adopted an NCS as of 2021 – an increase of 40% in the last three years – this should be considered an ongoing effort to strengthen the cybersecurity posture and digital resilience of a country. The new Guide intends to provide a useful, flexible, and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist national leaders and policymakers in the development of national cybersecurity strategies and policies that take into consideration a country’s specific situation and cultural and societal values, and that encourage the pursuit of secure, safe, and resilient digital societies.

As Melissa Hathaway, CRI Principal Investigator, stated: “over the last three years, the first edition of this Guide has served governments as an important resource and blueprint to develop and implement an NCS. The second edition was an even bigger effort to bring intergovernmental and international organizations, as well as private sector, academia, and civil society together to produce a comprehensive Guide to help governments improve their existing or future NCS and serve a growing number of national and international stakeholders. It is our hope that this Guide will encourage more national leaders and policymakers to think strategically about cybersecurity and cyber resilience and help them better align their national economic visions with their national security priorities.” Francesca Spidalieri, CRI Co-Principal Investigator, continued: “The second edition of the Guide makes an even stronger link between the need to balance the security risks associated with the proliferation of ICT-enabled infrastructure and services with a comprehensive national cybersecurity strategy, and the ability of a country to reap the full benefits of digitization and achieve the economic growth and the national security goals it is seeking.”

“Cyber risks can generate ever-growing security challenges for both public and private sector entities in countries at all stages of development. I champion the work Melissa Hathaway and Francesca Spidalieri do, as they lead Potomac Institute’s Cyber Readiness Index, and work tirelessly to educate leaders worldwide about the importance of cybersecurity and digital resilience to their countries and organizations. This new Guide is a huge step to strengthen national cybersecurity efforts around the world,” said Dr. Jennifer Buss, CEO at Potomac Institute.

The Guide is the result of a unique, collaborative, and equitable multi-stakeholder cooperation effort among partners working in the field of national cybersecurity strategies, policies, and cyber capacity-building, including: the Council of Europe (CoE), the Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications Organisation (CTO), the Geneva Centre for Security Sector Governance (DCAF), Deloitte, the Forum of Incident Response and Security Teams (FIRST), the Global Cyber Security Capacity Centre (GCSCC), the Geneva Centre for Security Policy (GCSP), the Global Partners Digital (GPD), the International Criminal Police Organization (INTERPOL), the International Telecommunication Union (ITU), Microsoft, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the Potomac Institute for Policy Studies (PIPS), RAND Europe, the World Bank, the United Nations Institute for Disarmament Research (UNIDIR), the United Nations Office of Counter-Terrorism (UNOCT), and the United Nations University (UNU).


The Cyber Readiness Index 2.0 (CRI 2.0) provides a comprehensive, comparative, experience-based methodology to assess countries’ commitment and maturity in regard to securing their national digital infrastructure and services upon which their economic growth and national resilience depend. The CRI 2.0 methodology can help countries identify existing gaps, strengthen their current cybersecurity posture, and better manage national-level cyber risk. It includes over seventy unique indicators across seven essential elements to discern operationally ready activities and identify areas for improvement in the following categories: national strategy, incident response, e-crime and law enforcement, information sharing, investment in research and development (R&D), diplomacy and trade, and defense and crisis response. The methodology is available in Arabic, Chinese, English, French, Russian, and Spanish. The CRI country profiles of France, Germany, India, Italy, Japan, Morocco, the Netherlands, Saudi Arabia, Slovakia, the United Kingdom, and the United States can be found by following this link.

For media inquiries please contact: John Mecham.

Follow us on Twitter: @CyberReadyIndex