American businesses are on the front line of the nation’s looming conflicts with China and other adversaries like Russia and Iran, the U.S. spy chief Director of National Intelligence Avril Haines warned last week.
“We recognize that the private sector is on the front lines of attack, and in addition to helping institutions protect themselves, we must engage them in a new, different way,” Haines told an audience of U.S. intelligence officials and government contractors at the 2024 Intelligence and National Security Summit in Bethesda, Md.
She sketched out a future in which strategic competition with great power adversaries quickly escalates into conflict, while still remaining below the level of armed warfare—with U.S. businesses the territory on which those conflicts rage.
“Protecting the private sector is fundamental to our national security,” she said, adding that was true not just of defense contractors or tech companies “at the edge of innovation in fields that are crucial to our national security,” but also of “privately-owned critical infrastructure that provides the most basic life support for our population.”
The following day, her comments were reinforced by an FBI warning that hackers “associated with the government of Iran,” had started supplementing their cyber espionage activities by working with Russian ransomware gangs to extort the U.S. healthcare and other organizations they’d hacked into.
“The FBI assesses a significant percentage of these threat actors’ operations against U.S. organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” reads the advisory, posted by the American Hospital Association or AHA. It concluded that the group’s ransomware activities are a side-hustle “likely not sanctioned” by the Iranian government.
AHA National Advisor for Cybersecurity and Risk, John Riggi, a former senior FBI official who tracks ransomware actors and their campaign against U.S. healthcare, said the advisory exposes “the close ‘international cooperation’ between hackers to exploit cyber espionage campaigns for criminal profit.”
He told CyberWatch that Russian ransomware gangs were increasingly “big game hunting” in their attacks on healthcare in the U.S.—aiming for large systemic targets which would impact multiple healthcare organizations. Like the attack on prescription payment processors Change Healthcare or on One Blood, the Florida-based blood products supplier.
Acknowledging that the exact relationship between ransomware gangs and Russian intelligence services was murky and uncertain, he nonetheless called for ransomware attacks that “broadly threaten public health and safety,” to be treated as “national security threat-like terrorist attacks.”
Although these attacks on businesses remain below the threshold of open warfare for the time being, a former senior defense official told CyberWatch, they would very likely be part of any war plan for strategic conflict with the U.S.
Earlier this year, U.S. agencies warned about the cyber activities of a threat actor called Volt Typhoon—a Chinese government-affiliated hacking group that sought to infiltrate the networks of water and power providers in Guam, a U.S. territory in the South Pacific and a vital U.S. military base.
Officials testified that, in the event of a Chinese invasion of Taiwan, a breakaway self-governing democratic island 100 miles off the Chinese coast, these cyber implants could be used to try to sabotage the U.S. response.
“My take away from the messaging [by U.S. intelligence officials about Volt Typhoon] around the [annual U.S. intelligence] threat assessment is that they think the Chinese believe there is a low-risk way to interfere with our ability to respond” to an invasion of Taiwan, said the former official, who asked for anonymity as they were not cleared to speak to the media by current employers.
The Chinese also had nuclear weapons, the former official pointed out, and was modernizing its arsenal of long range ballistic missiles. “In any strategic conflict, many of the key questions are about escalation.”
“The Chinese are prepositioning cyber assets to take down the power and maybe the water in Guam,” the former official said. “But in Guam, not in Long Beach. That suggests to me that they understand the escalation that an attack, even a non-kinetic one, on [the continental United States, or] CONUS would represent.”
Caught in the crossfire
Haines used her keynote address to call for a full-scale refashioning of the relationship between the private sector and academia on the one hand, and the nation’s intelligence agencies on the other.
It’s an ambitious program, but it’s not a new idea and its prospects are at best uncertain, experts tell CyberWatch.
The private sector-intelligence community relationship needed to outgrow the narrow confines of the customer/vendor nexus, Haines said, and to get beyond the information-sharing paradigm created after Sept. 11. It had to become truly multimodal: “We need to understand each other better, learn from each other, work together more closely, grow together. And sometimes even make decisions together.”
Haines highlighted a number of initiatives designed to bring about a change in the institutional culture of America’s intelligence agencies, including adding a personnel evaluation procedure which would rate intelligence community staff on “a performance objective that incentivizes engagement with the private sector and academia.”
The theme of the private sector being on the front line was echoed by other senior intelligence officials at the summit.
Gen. Timothy D. Haugh, the commander of U.S. Cyber Command and director of the National Security Agency, told a panel on strategic intelligence priorities that western companies had already found themselves “in the middle of this conflict between two belligerents,” in Ukraine. U.S. satellite operator Viasat was cyber attacked on the eve of the 2022 invasion and Starlink—a U.S.-based global internet provider designed for the consumer market—has been used by the military on both sides of the conflict.
Private sector infrastructure operators like large cloud computing providers or satellite based internet services—many of them U.S. companies—were the key to Ukraine’s resiliency, Haugh said.
He added that he was looking for new ways to help provide intelligence support to U.S. companies, in the form of actionable but declassified or sanitized insights, and highlighted efforts like the NSA’s Cybersecurity Collaboration Center which offers companies including small businesses, the opportunity to interact with NSA personnel and resources in an unclassified environment.
Haines also highlighted that unique capabilities such as that provided by Starlink’s low earth orbit satellite constellation meant a new level of significance for the private sector.
“Certain industries now wield substantial geopolitical influence,” she said.
A new relationship paradigm
The need for a new paradigm of relations between the private sector and the intelligence community, Bob Gourley, a veteran intelligence official, technologist and entrepreneur, told CyberWatch, comes from the “convergence” of several factors.
First is the increasingly polluted information environment, with its 24 hr endless news cycle and persistent mis- and disinformation, which gives the enemy a shot at setting the narrative about anything it does.
Second are the technologies that empower threat actors, like IoT or cloud in the recent past, generative AI right now, and in the near future, quantum.
“Businesses can’t protect themselves,” said Gourley, now CTO at security consultants OODA LLC., pointing out that modern IT enterprises, “can’t be indefinitely defended against a persistent, well-resourced, technically adept [cyber] threat actor.”
Technological competition takes many other forms as well, he pointed out, highlighting the supply chain risks created when Chinese companies come to dominate certain technology sectors, like LIDAR for autonomous vehicles or cellular connectivity modules for IoT devices.
“U.S. companies can’t do it alone,” Gourley concluded.
The third factor is the way that our always-on, everything connected world means anything connected to the internet can be hacked from half a world away. A development which destroys the huge geographical advantages the U.S. historically enjoyed.
“We were so blessed with our geography: Oceans on either side separating us from our adversaries,” said Gourley. But now, in the borderless realm of the internet “we connect directly with adversaries, we share with them this great global commons, this digital domain and all the tools we’ve built like cloud infrastructures, mean the enemy can just roll right up to the front door of any business in America.”
“Many of us saw this coming,” Gourley said, referring to several prior efforts as far back as the 1997 President's Commission on Critical Infrastructure Protection.
The commission established the system of industrial sector-based Information Sharing and Analysis Centers, or ISACs, “The single most successful thing that the U.S. government has ever done for critical infrastructure,” according to Gourley.
2016, when the Kremlin’s “hack and dump” operation leveraged WikiLeaks in a combined cyber espionage and information warfare operation, was a tipping point, he said, revealing the strategic possibilities of combining cyberattacks and information operations.
“I would say, since 2016, there has been a sea-change. There’s a totally different approach to the private sector from the intelligence community,” said Gourley.
“National security is a team sport,” he said, “It takes a team to win.” Industry had to become partners, not just vendors or recipients of sanitized or declassified intelligence reporting. Government needed to overhaul the way it thought about industry too, Gourley said. “Intellectual property vital to our future security isn’t the sole preserve of massive defense contractors. Start-ups and other small businesses may have IP that needs to be defended.”
“We have tried deterring our adversaries, but that doesn’t appear to have succeeded very well. We have tried mandating security compliance, that hasn’t been very effective.”
“Information-sharing is our greatest hope,” said Gourley, who also called for much greater investment in counter-intelligence, “Including especially gumshoe agents on the ground to look for hostile intelligence operatives.”
Gourley said Haines had taken on a huge and frankly daunting project. “She understands the importance of the challenge, she is aiming for a complete cultural change [in the IC] on several different levels.”
But he was not optimistic about her chances, “I am on her side, but this kind of change is only possible with joint White House and Congressional action, and I don’t expect that any time soon.”