The Justice Department’s indictment of nine Iranian hackers shows that the educational sector is becoming ground zero for foreign intelligence and influence operations. It also demonstrates that we need to do more than just “name and shame” if we are going to stop these attacks.
Here are the basics of what happened last Friday.
The Justice Department charged nine Iranians with conducting a coordinated hacking campaign targeting the U.S. government and private sector, including more than 144 universities. This effort reportedly netted the hackers more than 31 terabytes of stolen intellectual property and other valuable information.
To put that into context, that’s equivalent to 31,000 hours of video, 527,000 hours of music, or 9.6 million photos. By any standard, this was a successful and damaging attack.
The Justice Department deserves credit for identifying these criminals and for taking action against them. Similar attacks, however, are almost certainly ongoing and are unlikely to be thwarted simply because this Iranian effort was disrupted. We need more than indictments to deter foreign cyberthreats.
The government needs to get serious in three areas if it really wants to improve our national cybersecurity.
1. A National Grand Strategy
We need a national grand strategy for cybersecurity.
This has to be more than just a boilerplate list of outcomes we prefer and risks we want to avoid. It needs to be a proactive and specific articulation of what we, as a nation, understand to be our goals and interests in cyberspace.
2. A More Proactive Private Sector
We need a private sector that understands and aggressively engages cyberthreats.
Cybersecurity is not just the government’s job, and these types of attacks are not only aimed at government servers and personnel. In fact, more and more can be learned by targeting educational and other civil society institutions because that is where much of the cutting-edge research is happening. There’s a reason these universities were targeted.
The difficult reality is that the national security burden is now more broadly shared with nongovernment entities, and we need them to act like it. Lax cybersecurity policies and practices at universities and private research facilities are no longer acceptable, and the government should assist these groups in understanding the threat and encourage them to adopt essential precautions.
Even more, the leaders of these organizations should understand cybersecurity as one of their primary responsibilities, and they should be held accountable accordingly.
3. Public and Private Sector Coordination
The government and private sector need to agree on what our shared interests are, how they can work together to secure those interests, and what, if any, formal organizations or processes are needed to jointly improve our cybersecurity.
The simple fact is there is no scenario where the United States secures its cyber interests apart from integrating the private and civil society sectors at the root level of policy and security.
All of this may sound simple and obvious. That is because it is, which is why further inaction is inexcusable.
It will not be long before the next critical data breach is discovered and, while indictments are useful, they are not sufficient to roll back the tide of cyberthreats that could swamp our nation.