If it seems like Russian cyberattacks on the United States are becoming more frequent, it's because they are.
Though there is no conclusive body count or any clear indication of whether a given attack was the work of Russian government operatives or private hackers, the difference between state and private interests tends to blur in a mixed economy of cybercrime anyway. (The same goes for China, the source of this year's Microsoft Exchange and Pulse Connect VPN hacks. Even referring to this ecosystem as "Russian" or "Chinese" can be misleading: Russian-speaking actors, operating as far away as Venezuela, frequently target Russian servers.)
To learn more about Russian cybercrime and how US President Joe Biden and his administration can respond to it, Dark Reading sat down with Meg King, director of the Science and Technology Innovation Program at the Wilson Center, a Congressionally funded, nonpartisan international policy think tank based in Washington, D.C. King made her name as a policy expert at the Pentagon and later as senior staffer of the House Homeland Security Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, before taking a senior leadership position at the Wilson Center.
According to King, there's nothing particularly Russian about this Hobbesian cyberworld.
"We take opportunities where we have them also," she said, citing the recent FBI cyber sting that relied on Canadian tech distributors. "It's not exactly black and white in any country."
Nevertheless, she said, "other countries have more flexible options" – weak rule of law, for example, or a tradition of intertwined industry and government. Weak rule of law, in particular, means any American national cybersecurity strategy will have to be defensive.
It's a frustrating prospect. But King is enthusiastic about the Biden administration's efforts so far, even if the President's focus on infrastructure makes security take a back seat to connectivity. The first indication of Biden's serious intentions, she said, was the nomination of Chris Inglis as national cyber director (King calls him "amazing") and Jen Easterly as director of the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA). The Department of Justice's (DOJ) ramp-up of its ransomware taskforce is another reassuring step, she said.
Yet King is looking for more ambitious steps from the administration, particularly in compliance and regulation. For one thing, the US still lacks a comprehensive national data breach notification protocol. A single, standard checklist for companies would not only clear some of the "fog of war" following an incident – do we pay the ransom (no), do we alert the government (yes), if so who and when – but it would "give us a full picture of what is, at heart, a systems problem."
King would like to see a similar unified protocol for cyber insurance, with clear guidelines for insurers and clients alike.
On the level of the individual business, the Biden administration should consider mandatory, regular updates of legacy systems, as well as penetration testing, two-factor authorization, and staff training, King said. On the other hand, she doubts that any mandated offensive strategies, like outright bans on ransomware, could realistically become law.
King was quick to emphasize that all this talk of mandates and federal protocols makes cybersecurity policy sound entirely top-down, but it's far from it: "Everyone I talk to feels overwhelmed," she said. "If you have a problem of scale, you can never address it from the top down."
What's needed, King added, "is someone to lead at the Department of Education, to teach K-12 students about cybersecurity the way they taught about recycling [in the 1990s]," noting that a rebranding – from "cybersecurity" to the warmer-sounding "data care" – could encourage more users and employees to stay abreast of threats. That alone could make a significant difference: Some 88 percent of breaches boil down to error on the part of a single user, according to a recent study by Tessian and Stanford University.
Still, King said, "You need to have security engineering on the front end. It can't all be down to users."
Such protocols carry a political risk: There's a chance they might look unpleasantly dirigiste to lawmakers who prefer a wide berth between government and business. But King is unconcerned, pointing not only to the lack of resistance so far but also to the broad understanding that a serious cyber policy is no longer negotiable for businesses or the government.
"This shouldn't be political," she said.
For the moment, it's not. And while the Biden revamp is certainly not a mixed economy on the scale of the Russian cyber underworld, a hair of the Russian dog might be the secret to success.