Last year, cyber expert P.W. Singer was asked to write the introduction to a big government report by a group called the Cybersecurity Solarium Commission. Instead of the usual bland summary, Singer produced a fictional account of what Washington, D.C., might look like in the aftermath of a devastating cyber attack.
“The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals,” wrote Singer. “All around the Mall you can see the black smudges of the delivery drones and air taxis that were remotely hijacked to crash into crowds of innocents like fiery meteors.”
Of course, none of this actually happened. But when the report was released last March, Russian hackers were allegedly burrowing their way into the computer networks of U.S. government agencies and private companies.
The so-called SolarWinds hack was not discovered until December, and now President Biden’s administration is assessing the extent of the damage. In broad terms, Biden is talking tough about cyber threats.
“We’ve elevated the status of cyber issues within our government,” Biden said in a major foreign policy speech on Feb. 4 at the State Department. “We’re launching an urgent initiative to improve our capability, readiness and resilience in cyberspace.”
But Biden hasn’t divulged the details and cyber experts say getting a handle on the threats from Russia, China and elsewhere will require a major, sustained effort that will take years.
The SolarWinds hack “was an egregious attack on our government and and also in the private sector. It exposed vulnerabilities that, frankly, we should have known we had,” said Maine Sen. Angus King, who’s a leading voice on cyber issues and was co-chairman of last year’s big cyber report.
King, an independent who caucuses with the Democrats, said the U.S. must get better at preventing such intrusions and also develop a strategy to hit back hard.
“If someone is punching you and they have no fear of ever being punched back, why would they stop punching you?,” King said. “I want somebody in the Kremlin at the table to say, ‘Boss, I don’t know if we ought to do this because, you know, they’re going to whack us.'”
Deterrence has so far proved elusive to successive administrations.
Former President Barack Obama was cautious when responding to cyber attacks, expressing concerns about U.S. counter-moves that could touch off a cycle of escalation and unintended consequences. Former President Donald Trump gave the U.S. intelligence community greater latitude to take action, but never made cybersecurity a top priority, his critics said.
Biden is winning early praise for bringing highly-regarded cyber experts into his administration. He plans to have a cyber director in the White House — a position Trump eliminated.
“I think the Biden-Harris administration really gets high marks so far,” said April Falcon Doss, who worked previously at the National Security Agency and on the Senate Intelligence Committee. She’s also the author of Cyber Privacy: Who Has Your Data And Why You Should Care.
Foreign and domestic threats
She still sees many tough challenges ahead. On the international front, Russia has been blamed for several major hacks in recent years. China has been accused of systematically stealing cutting-edge technology from a wide range of U.S. companies and universities.
Biden’s team has also inherited a raging debate on how to handle domestic disinformation and conspiracy campaigns on-line. And Falcon Doss notes that these foreign and domestic challenges can overlap.
“If someone is pushing QAnon conspiracy theories, is that really coming authentically from [domestic] users of the platform, or is it being pushed by the military intelligence service of a foreign government that is an adversary of the U.S.?” said Falcon Doss.
Sen. King wants the Biden administration to be ambitious. He believes the U.S. should lead an effort to set global rules.
“We need to develop a kind of cyber Geneva Convention that establishes norms and standards worldwide,” said King “If a country or a group violates those norms, then you have worldwide sanctions, a worldwide response.”
Some cyber experts support this idea in principle. But there’s a good deal of skepticism that such an agreement could be implemented in practice.
Nations, private groups and even individuals have learned that cyber attacks can be relatively low-cost and easy to carry out. In addition, the victim often faces a challenge in proving who’s responsible, and an even more difficult time imposing formal punishment.
“Achieving international agreement on norms is unlikely to happen any time in the near term,” said Falcon Doss, who argues it’s more likely that the U.S. will have to act unilaterally in many cases, and will have to consider a range of responses, like financial sanctions, that aren’t limited to the cyber realm.
Meanwhile, P.W. Singer says he’s busy writing more fictional accounts about future cyber attacks. He says his stories are based on actual research, and he calls this work “useful fiction.”
“You use the power of story to carry across real-world lessons. So it’s not science fiction. There is original, non-fiction research, a non-fiction point to make,” he said, adding that he’s involved with projects that include the U.S. and Australian militaries, as well as large cyber companies.
The goal, he says, is to make sure these doomsday scenarios never become reality.
Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.