“The Changing of a Continent” is a new column by journalist Kenneth R. Rosen that focuses on the US trans-Atlantic relationship and Europe’s future.
When Russia invaded Ukraine, my internet went dark. My home in northern Italy was disconnected from news, email, and all communication whatsoever. Eventually, news revealed that when a satellite servicing the Ukrainian military was hacked, some 50,000 people across Europe lost connectivity too, including wind turbines in Germany. So the continent I call home began to shift on the backs of the conflict.
NATO stresses its concerns about attacks beyond conventional warfare, urging Russia to promote a “free, open, and secure cyberspace.” Russian-supported hackers targeted state and commercial websites in Estonia in 2007 after a Soviet-era war monument was removed from Tallinn. In 2008, in the Georgia conflict, a majority of government websites and banking websites were offline for the 12-day war. Aside from the targeted cyberattacks against communication and control elements of the Ukrainian military in 2014 as Russia illegally annexed Crimea, Ukraine’s voting system was hacked and hard drives fried. In 2015, Kyivoblenergo earned the unwelcome honorific of one of the world’s first power grid providers to be shuttered in a cyberattack. A quarter-million people were without electricity for several hours. In 2017, a series of attacks orchestrated through a virus known as NotPetya inflicted $10 billion in damages. It had first started as an attack against Ukrainian businesses before going global.
Europe, where the 27 members have sought to unify cybersecurity standards (think: Interpol, for the Internet), has made great strides in centralizing those efforts, including intelligence sharing, which has very much benefited Ukraine. Among those strides are the creation of the European Union Agency for Network and Information Security (ENISA) and EU-wide mandates that further the security obligations of companies, including the vulnerabilities within their supply chains, and give individual national authorities the power to supervise those security adaptations and protocols. “ENISA’s authoritative status signifies the EU’s strategy to identify gaps in Member States’ cybersecurity capabilities and facilitate bridging those gaps through operational support,” a 2015 RAND study found. In addition, the European Cyber Crime Centre (EC3), launched by Europol in 2013, furthered the bloc’s harmonization.
The US can learn from the EU’s transpositions in domestic policies and foreign engagement. More importantly, though, the Biden administration can see how European countries have linked together against threats seen and unseen because their actions are both a cautionary tale and a lesson.
A NEW KIND OF WARFARE
Physical war consists of bullets and munitions. But digital and psychological warfare are increasing in frequency around the globe, and such conflict can reach far and wide, to hurt both physically and financially.
The global (and by extension, the domestic European) economy remains intertwined, financially and physically. Submarine cables, easily severable wires, connect Europe to the United States, including financial institutions; severing them would cause months of disconnectivity and wreak mayhem on banks, ATMs, and fintech. While most experts and analysts could say this is unlikely (given satellite connectivity, which still relies on wires on the ground), few dither with the realities of a high-speed underwater internet cable as a digital backdoor. It (and its satellite companions) is a portal through which cyberwarfare enters, a war for which US institutions and government offices are not prepared. Its presence, and the connectivity it delivers and upon which myriad industries have come to rely, is itself a threat.
But it is a threat the nation must live with and can if heavily guarded. Unfortunately, protecting computer systems requires concerted protection and defense, something the private sector and government have not coordinated effectively. And this lack of coordination strips the national economy of billions of dollars annually.
The US government alone has numerous leaks and sub-standard security throughout its agencies. And like those agencies working in digital silos, separate from the general public, the private sector is apart but linked through programs like the government’s “E-Verify” employment program. The apart-but-linked relationship represents a devastating vulnerability to the national economy. Moreover, the country lacks a centralized cybersecurity defense, despite the White House touting efforts to make a more robust security apparatus. Until one is established, cyberattacks will continue to hinder businesses and bring the economy into upheaval with a single keystroke (think: the Colonial Pipeline ransomware attack).
The White House has called for a more fortified national digital encasement for years. Still, those efforts have stalled, in part for political reasons but also because of greed: there is always money to be made in security. As a result, the US government is extremely vulnerable and cannot protect private industry, which it should as one of its directives to allow for the free movement of trade and commerce.
RECOGNIZING VULNERABILITIES
Thanks to the Securities and Exchange Commission’s (SEC) work alongside banks and stock exchanges, there’s a framework in place that enables a public company to disseminate market-moving news instantaneously. The White House can use regulatory landmarks like the Clean Air Act or the creation of the Food and Drug Administration as guideposts. And most computers use one of three operating systems (Linux, Windows, macOS), meaning a centralized security apparatus is possible, especially when businesses (e.g., a defense contractor) use the same payroll software as your local pharmacy or veterinarian. Vulnerabilities span industries.
Domestically, the Transportation Security Agency has sought new digital safety practices for pipelines and railroads, and the Federal Communications Commission has cracked down on telecommunication companies. In addition, the SEC has insisted investment advisers and funds double down on digital security. Yet, some 80 subcommittees and commissions on Capitol Hill oversee varying facets of cyber regulation, creating unnecessary stagnation.
The government must reckon with the reality of its vulnerability as tensions overseas rise to new heights. Moreover, the government has its own security needs and concerns. Last year, a Government Accountability Office investigation revealed that 17 of 23 civilian agencies did not meet the requirements after a 2014 federal law required agencies to offer information security programs. Specific initiatives for cybersecurity were also lacking. The office noted, “The federal government needs to move with greater urgency to improve the nation’s cybersecurity as the country faces grave and rapidly evolving threats.”
Inherent threats to the economic stability and the growth of under-served communities that might be preyed upon play an inherent role in this story. When I worked at a slaughterhouse in West Texas, the processing plant employees were not trained on cybersecurity or personal digital security. These plants, such as JBS Foods, Tyson, and Cargill, supply the country with most of its meat and poultry products. Last year, all JBS operations were shuttered in a cyberattack. The case of JBS, the largest meat producer globally, is just one instance that underscores the breadth of impacts such attacks could have. Agricultural markets (and, by extension, rising food insecurity) are threatened. Pork prices spiked, and livestock futures slumped after the attack.
SEEKING DIGITAL CENTRALIZATION
It is a matter of national security and global cooperation as multinational companies operate overseas and connect directly to US-based systems (think: Citrix, Workday, and fintech).
The occasional cryptocurrency demand for the return of digital files or computer system access, or the need for further authentication requirements for users of complex and advanced systems tied into electrical or power grids, has been covered in the news media. What hasn’t been covered is the greater implication for national security. Often these stories spur responses that view the problem as a private-enterprise issue (upgrade your systems!) or as something that is one person’s fault (train your employees to spot phishing emails!). Yet, those systems should already be protected and those emails nonexistent.
The Government Accountability Office should continue to pressure government agencies with unprotected digital infrastructure to do better. In addition, the inspector general at the National Protection and Programs Directorate within the Department of Homeland Security should seek to aid in the transformation of the current decentralized digital infrastructure to protect not only those agencies but also the public and private enterprises reliant upon them.
Until homogeny arrives, global threats remain.
Kenneth R. Rosen is an independent journalist based in Italy.