Analysis & Opinions - Harvard Law Today

Is the U.S. in a Cyber War?

    Author:
  • Jeff Neal
| July 14, 2021

Harvard homeland security expert Juliette Kayyem '95 says we are fighting an "epic cyber battle"

In the wake of a series of damaging cyber intrusions on private businesses controlling critical pieces of U.S. infrastructure, Harvard Kennedy School Senior Lecturer Juliette Kayyem says that countering the growing threat will require erasing the "legal fiction" that cyberattacks are different than physical attacks on American civilians.

In May 2021, the Colonial Pipeline became the latest high-profile company to fall victim to a ransomware attack by criminal organizations operating out of Russia. Stretching more than 5,000 miles from Texas to New York, the pipeline supplies nearly half of the fuel consumed in 14 states and Washington, D.C. The event disrupted the flow of gasoline, diesel, and jet fuel up and down the East Coast. At a summit this June, President Joe Biden presented Russian President Vladimir Putin with a list of 16 types of critical infrastructure that, if attacked by Russian actors, would provoke a U.S. response. Within weeks of that meeting, however, hundreds of businesses across the U.S. and abroad were temporarily crippled by a ransomware attack on Kaseya, a Florida-based information technology company. The Russian cybercriminal group behind this latest incursion is also suspected of attacking JBS, the world’s largest meat processor, earlier this year, disrupting American food supplies.

A 1995 graduate of Harvard Law School, Kayyem served as Assistant Secretary for Intergovernmental Affairs at the Department of Homeland Security during the Obama Administration, is a CNN national security analyst, and is the author and editor of several books, including "Beyond 9/11: Homeland Security for the Twenty-First Century" and the forthcoming "The Devil Never Sleeps." Harvard Law Today recently spoke with Kayyem about what the U.S. can do to deter future attacks.

 

Harvard Law Today: Are we in the midst of a cyber war?

Juliette Kayyem: I don't like to call it cyber war because it puts people in the mindset that government is the only solution. Governments fight wars. We are in an epic cyber battle with different pieces, which are important to separate. There are still the traditional attacks by foreign adversaries against our government networks, including the .mil domains  for the military or .gov domains for civilian federal, state, and local governments. We've seen that with the security clearance hacking and with other sorts of cyber intrusions. We have to do everything we can to thwart those attacks and to make it more difficult for our systems to be vulnerable. And then we need to go on offense, which often includes both overt things, such as the naming and shaming that we've seen going on, as well as covert activities that we don't know about. Are we able to disrupt, say, Russia's military network? (Russia wouldn't admit it if we did, of course.) So, there might be all sorts of covert activities we could turn to.

I think what we're seeing now is more complicated and reflects the nature of our homeland security structure, where two things are happening. The first is that our public infrastructure is owned by the private sector. So, an attack on our privately-owned infrastructure ends up having public consequences that are of concern to the government, whether it's the Colonial Pipeline attack or the disruption to our food supply. So, that's one piece. The second piece is what we call the downstream attacks, which is when cyber criminals aligned with a government attack a private entity whose downstream clients include both the private and public sector.

HLT: How do you prevent or deter these newer kinds of attacks against privately-owned public infrastructure?

Kayyem: We want to protect networks through layered defenses and cyber hygiene and all the words that we use to make ourselves safer, and to make sure that the vulnerabilities don’t exist. You want to avoid the single point of failure — the single access point that an adversary can use to get into and disrupt not just one system but downstream clients.

But we also need to assume breach. We need to be better prepared for these breaches to happen. We've built an entire cybersecurity infrastructure which has sold the illusion of perfect security, and we need to rethink that. We should assume there will be breaches and ask what we have done to mitigate the impact, to ensure that we have redundancies in the supply chain, and to give ourselves more options when these events occur. When the Colonial Pipeline got breached, it only had two options: to either pay the ransomware or shut the whole thing down. That's not a sophisticated safety system. A lot of cybersecurity companies have gotten exceptionally rich selling to clients the mythology that their system can be protected and secured perfectly. But if your network is attached to anything, it's vulnerable. And you can make it less vulnerable, or you can take it offline, which is an option, but you better also know what you're doing after you assume breach....

For more information on this publication: Belfer Communications Office
For Academic Citation: Neal, Jeff .“Is the U.S. in a Cyber War?.” Harvard Law Today, July 14, 2021.

The Author

Related

Juliette Kayyem Headshot