U.S. must harden its cybersecurity defenses, experts say

After years of talks about the need for public-private partnerships to strengthen U.S. cyber defenses, Russian aggression is testing them in real time, according to legal experts who spoke at the ABA National Security Law CLE Conference: Emerging Critical Issues, sponsored by the ABA Standing Committee on Law and National Security.

The invasion of Ukraine by Russia has added urgency to difficult questions about the lines between national security and law enforcement, the relative roles of government and the private sector and strategies to improve the U.S. cybersecurity posture.

It boils down to “resilience, resilience, resilience,” said Robert Chesney, law professor and associate dean for academic affairs at the University of Texas School of Law. “I think we’ve made great strides in getting our defenses systematically leveled up,” especially since technology companies in the U.S. are mostly privately owned. “It’s obviously a difficult challenge but I do think we’re trending in the right direction.”

Because most of the actionable intelligence has been found by companies like Microsoft and Google, some tech company employees have attended secure briefings organized by the National Security Agency and United States Cyber Command, which is a good sign. “The tone between public and private is positive,” agreed panelist Sujit Raman, a partner at Sidley Austin LLP and a former associate deputy attorney general at the U.S. Department of Justice.

Some officials are braced for a cyberattack by Russia in retaliation for economic sanctions imposed by the United States and Europe, which means the U.S. could face an escalation of risk in real-time, Chesney said. “The Russians have proven they’re more than willing to do deeply destructive and wildly reckless things, including things that will spill out and harm others beyond their immediate targets.”

To counter this threat, he said the U.S. has empowered our cyber command forces to defend forward, which could mean operating inside their networks, and when necessary, take disruptive steps to head off or terminate those attacks. “Are we great at this yet? I don’t know, I’m on the outside,” Chesney said. “I do know that Congress has been building a legal architecture to prune away some of the legal ‘who has the authority’ type questions that stood in the way of these types of activities, and I guess I would say not a moment too soon.”

Related links:

• National Security Law Today podcast
• The Hill: Cyber officials urge agencies to armor up for potential Russian attacks
• Time: U.S. companies should prepare for Putin’s ‘gangster diplomacy’ as risk of Russian cyberattacks grows
• ABA Journal:
  
  • Law firms drop some Russian clients following sanctions for Ukraine invasion
  • Ukraine asks international court to rule Russia made false claims of genocide to justify ‘brutal’ invasion
    
  • 3 BigLaw firms close their Kyiv offices; firms in U.S. ready for pro bono refugee work