In one of the most impactful European conflicts since World War II, Russian troops have invaded neighboring Ukraine, a sovereign nation. While the effects of this war on world peace and stability remain to be seen and while a larger conflict involving other nations including the U.S. could soon become a reality, the uncomfortable truth is that we are already at war.
Although it might not be the standard ground or air combat the average American envisioned, unlike in 1945, this conflict can be waged on a new, virtual front. Today, cyber cold war is a very real and growing possibility, and the American economy is vulnerable.
The Federal Bureau of Investigation has already called on U.S. businesses to be prepared for a potential cyberattack launched by Russia that could run in tandem with the country’s invasion of Ukraine.
While the U.S. undoubtedly has the most powerful military in the world, we are ignoring critical vulnerabilities in the era of cyberwarfare that need to be immediately addressed, and this process starts with protecting America’s small and medium-sized businesses (SMBs).
These businesses are a critical part of our economy and are inevitably a prime target for bad actors like Russia. SMBs employ nearly half of all Americans, are the most agile innovators and inventors and are the bedrock of both our nation’s social and economic foundations.
They need to be able to protect themselves from sophisticated state-sanctioned cybercriminals, and it’s imperative that we help them do so.
Growing International Cybersecurity Threats
From business email compromise luring victims into phishing schemes and malware to security and control systems falling prey to bad actors, there are countless weak spots that have become targets for cybercriminals to leverage to access valuable data.
Countries like North Korea, China, Iran and Russia—which is currently levying cyberattacks as part of its assault on Ukraine—have all tapped into infrastructure vulnerabilities in the U.S. to collect personal or confidential business information, attempt to influence our democratic process through disinformation campaigns and promote economic chaos and social unrest.
Take the Colonial Pipeline attack, or the recent SolarWinds attack against Microsoft, one of the most successful technology companies in U.S. history. President Biden’s sanctions against the six Russian companies that perpetrated the cyberattacks certainly were warranted. However, that the acts were eventually linked to SVR, a Russian intelligence agency, speaks to a larger issue at play: These crimes are becoming a standard tool for our enemies abroad as they attempt to discover and chip away at any cracks in our country’s defenses.
These attacks levied against us will only become more prevalent and severe. Those in the White House and Congress as well as state and local governments need to confront this reality and work toward stronger fortifications.
In the recently signed bipartisan infrastructure bill, a dedicated $1 billion cybersecurity grant program was established for state and local governments. The grant’s inclusion in the bill hinted at an awareness that critical national assets are unprotected or under-protected and remain vulnerable. Further, the administration’s cybersecurity review board and Department of Defense cybersecurity consortium are signs that cybersecurity vulnerabilities are areas of focus.
And while these initiatives are modest but welcome first steps for state and local governments, our national leaders have failed to seize the moment to craft a more comprehensive cybersecurity package that could have included a call to action and the resources to build a “cyber moat” that protects our critical small and mid-sized businesses.
These businesses can provide damaging inroads for cybercriminals to access much larger pools of data, and they likely don’t have the necessary resources to invest the amount of time or money needed to fully protect themselves from an attack.
Further, Industry 4.0 tools such as automation, cloud technologies and the internet of things (IoT) create additional opportunities for cyberattacks to hit our essential businesses. It certainly wouldn’t be outside the realm of possibility for a group, whether foreign or domestic, to hack into a group of manufacturing companies across the country and hold their operations hostage.
In fact, this very occurrence happened in 2019 when Norsk Hydro, one of the world’s largest metal producers, was forced to halt production when they fell victim to a cyberattack that forced a switch to manual operation and cost the company $52 million.
What Action Should the U.S. Take?
To start, the answer likely isn’t more regulation, as this is a measure that would receive blowback from small businesses across the country, be politically unpopular and would be unlikely to make its way through Congress.
What would be valuable for American SMBs are business incentives that would allow them to access the capital necessary to shore up their own defenses. During the pandemic, Congress created the Employee Retention Credit, which rewarded smaller businesses impacted by COVID-19 for keeping employees on the payroll.
The Research and Development Tax Credit, created in 1981 by Congress to reward businesses for innovating and becoming more competitive, would also be a good model for some type of tax credit or incentive.
The government should also work to create an incentive that targets vulnerable businesses and rewards them for taking the time and effort necessary to protect their digital assets and systems. A federal cybersecurity tax credit could be for the small business that purchases equipment or services from vendors. The incentive could be capped at $250,000 per year, require investments in the enhancement of cybersecurity defenses such as system protections and threat detection capabilities while being targeted at companies with less than $50 million in gross receipts.
A federal safe harbor that would limit the liability for businesses that have taken the necessary steps to protect themselves but nevertheless have experienced a cyberattack could also be an option.
There simply needs to be some type of reward for companies who work toward an incident response plan, conduct necessary training against phishing or other attacks or have managed service provider (MSP) monitoring in place. These are the businesses that are doing their part.
The federal government can also work to create relationships between cybersecurity professionals and those in need of defense.
One way to do so would be to create cybersecurity defense collaboratives for the top 50 U.S. cities made up of the best and brightest minds in the field. These public-private collaboratives could work together to build solutions geared toward businesses in their jurisdiction and work to protect the most vulnerable from future attacks.
The government could also leverage its vast contractor network to connect SMBs with larger technology or cybersecurity firms in the U.S. that can help to strengthen defenses or at least educate small businesses about the importance of being vigilant.
The government should look to the Google Cybersecurity Action Team as an example; the cybersecurity action team has a “singular mission of supporting the security and digital transformation of governments, critical infrastructure, enterprises and small businesses.” Google’s team offers services in the areas of strategic advisory, trust and compliance, security customer and solutions engineering, threat intelligence and incident response.
Google’s efforts likely won’t be easily reproduced, but it certainly offers a model for public-private partnerships that every state and local government should at least investigate.
However, these types of tools will not be an option if Congress doesn’t act. There have been several attempts to bolster our country’s cybersecurity capabilities, but there needs to be a more concerted effort.
Unfortunately, as was evidenced by the recent hearings featuring Facebook, Twitter and Google executives, our nation’s legislative body does not yet have the reputation of being on the cutting edge of these sorts of technological issues. Congress’s cybersecurity aptitude needs to improve so that this moonshot effort to protect our country’s cybersecurity weak spots can become a reality.
Members of Congress such as John Katko (R-NY) and Jim Langevin (D-RI) have been touted as Congressional cyber heavyweights, but both have recently ended their reelection bids. Other members of Congress need to take up the mantle and vehemently push for cybersecurity to be a legislative focal point.
Members at any level of government should work to fill their chambers with individuals who are knowledgeable enough about cybersecurity risks to put forward actionable solutions. Whether through cybersecurity fellowship programs or recruiting experts to educate members of Congress on the latest cybersecurity issues, more has to be done to increase that cybersecurity aptitude.
This sort of full-fledged campaign to address cybersecurity concerns undoubtedly would have bipartisan support, however, the message should come from the top down. President Biden should make his call-to-action crystal clear—and use the bully pulpit, if necessary—to demand action on this pressing issue.
The administration must clearly articulate to American SMBs, citizens and legislators what the national expectation is when it comes to cyberattacks. Who should businesses turn to if they are attacked? Should ransoms be paid if companies experience an attack? Is there a federal standard in place to protect consumer data? And will these businesses have the support of state and federal governments?
These are all questions that demand answers, and when none come to the surface, action will need to be taken.
What’s at Risk With a Weak Cybersecurity Response
At stake is more than just the data or monies that many cybercriminals are after. With the age of Industry 4.0, we are now looking at lost operations that we rely on every single day, lost jobs and an economic blow that very well could be comparable to the COVID-19 pandemic.
Foreign adversaries with the knowledge and expertise to levy a cyberattack view our country’s SMBs as a target-rich environment ripe for attack and know American small businesses have been distracted by supply chain hiccups and the fallout from the ongoing pandemic.
Those who perpetrate cyberattacks reap the criminal benefit of the ransomware booty, but our geopolitical cyber enemies—who are also the hosts of the black hat cyberthugs—rub their hands together watching the economic chaos and disruption unfold while our national cyber defense capacity weakens.
Today, warfare goes beyond critical military infrastructure and is seeping into the realm of socioeconomics.
Our country’s SMBs make up the backbone of the U.S. economy and, because of their vulnerabilities, we need to look at protecting them against cyberattacks as a necessary act for the benefit of our economy and national security.
We simply cannot turn a blind eye to this issue any longer. Bad actors will continue to strike if gone unpunished, and it would only be a matter of time before a path of inaction leads to catastrophe.