
Take fight to the enemy, US cyber boss says

America is fed up with being the prime target for foreign hackers. So US National Cyber Director Sean Cairncross says Uncle Sam is going on the offensive – he just isn’t saying when.

Speaking at the Aspen Cyber Summit in Washington, D.C., on Tuesday, Cairncross said his office is currently working on a new National Cyber Strategy document that will be short, to the point, and designed to pair policy with actions that go beyond improving defensive posture. He wants the US government, in cooperation with private industry, to start going after threat actors directly.

“As a country we have not done a terrific job sending a signal to our adversaries that this behavior is not consequence-free,” Cairncross said, adding that he wants the new National Cyber Strategy to introduce cost and consequences into the mix for America’s adversaries that keep hitting US critical infrastructure.

Cairncross noted that the US government and many private companies have become experts at identifying and responding to threats and remediating damage, but the fractured way the US responds to incidents means there’s no long-term, cohesive strategy to hamper continued attacks. 

“There has never been a top-cover strategy,” Cairncross said. “What we haven’t been good at is saying ‘what can we do over the course of 12 months to really put a dent in the incentive to engage in this sort of behavior?'”

The cyber boss didn’t go into detail about the strategy document he’s working on aside from mentioning it would have six pillars and function as a “single coordinated strategy” that has never existed in the US cyber domain before. 

“The private sector is responsible for our critical infrastructure. It’s a design of our system,” Cairncross said. “It’s a double-edged sword. It makes it somewhat more disparate and harder to protect, but there is a way to do this collaboratively that is effective.” 

The industry responds

Sitting alongside Cairncross was Mandiant cofounder Kevin Mandia, who argued that the current asymmetry in US cyber posture, with American companies and critical infrastructure entirely on the defensive, wasn’t sustainable, especially in the age of AI. 

“The criminal element always gets [new tech] enabled before the good guys,” said Mandia, who’s now a cofounder and partner at Ballistic Ventures. “Five years from now, primarily attacks will be AI agents doing the offense at a scale and scope we have to be ready for.” 

Better defense “will never stop the problem,” he added. 

In a panel discussion on offensive cybersecurity following Cairncross’ keynote, Google Threat Intelligence VP Sandra Joyce echoed some of what Mandia said, with a focus on the threat-sharing element of the current public/private world of cybersecurity. 

Joyce doesn’t believe the current paradigm is successful, either. 

“We have collectively decided that government will take the action and industry will share intelligence. If that was going to work, it would have worked by now,” Joyce said. It’s actually been the opposite, with increases in ransomware attacks and critical infrastructure intrusions. “We both need to do more – it’s been open season on American businesses and government organizations for way too long.” 

Rather than private industry dumping its information on the government, Joyce posited, firms need to give specific intelligence that will help the feds decide how to act offensively. 

Joyce also believes that the current government model of responding offensively to cyber threats has largely failed. 

“If we take six months to do something thoughtful that’s great, but in two weeks if they’re back up and running that’s not going to give the effects we need,” Joyce said. 

Case in point, take the Lumma infostealing malware. Disrupted by the FBI and other agencies over the summer, the malware is already back with newly-improved features. That’s only the most recent example of such cybercriminal gangs roaring back after government disruption. 

Cairncross’ talking points suggest the US is damn well going to try to turn the tables, but when asked for a timeline on release of the document, he deflected. Hard. 

“We’re going to roll out a strategy, we’re going to roll out an action plan … and then we’ll start moving deliverables,” Cairncross said. Until then, it’s going to be entirely defensive, with fewer people keeping watch. Business as usual. ®
