Report: Biden should prioritize cyber capacity building for allies

More than a year into Russia’s largely failed invasion of Ukraine, Kyiv has been fairly successful in repelling Russian cyberattacks — in part thanks to assistance from partner nations and corporations. Now a new report is urging the Biden administration to build on that success and and prioritize cyber capacity building for allies and partners.

Thursday’s report from the Foundation for the Defense of Democracies, a Washington think tank, includes a set of eight recommendations for the Biden administration to ensure that cyber capacity building makes up a key part of its forthcoming international cybersecurity strategy.

“This is as transnational an issue as any,” Nate Fick, the State Department’s Ambassador at Large for Cyberspace and Digital Policy, said at a an event marking the report’s release. “There’s very little that any one country or small group of countries or one company or set of companies can do on its own.”

The report points to Ukraine’s largely successful defense against Russian cyberattacks against critical infrastructure, including the country’s energy system. While Ukraine has been fending off Russian cyberattacks for years, it has grown more successful in doing so at least due in part because the United States and its allies have invested in building out those defensive capabilities, the report notes.

“What we’ve learned in Ukraine is that cyber defense works,” said Annie Fixler, the director of FDD’s Center on Cyber and Technology Innovation and one of the report’s co-authors. “It is possible to keep attackers out and to respond quickly, to mitigate attacks to recover quickly when that happens. So we want our allies and partners to be strong in that way, but some allies and partners are not as resilient as they need to be.”

FDD’s report documents the extensive existing programs within the Departments of State, Defense, Justice, Energy, Homeland Security, and Treasury that aim to build cybersecurity capacity via technical assistance, training, and assisting in developing strategies and rules. These programs have become more popular than the U.S. government’s current ability to provide them, and the report urges Congress to allocate more funding to capacity building programs and consolidate their administration within the Bureau of Cyberspace and Digital Policy.

The report recommends additional funding for programs such like one within the Energy Department that assisted Ukraine in building out its cyberdefenses following the 2015 attacks on the Kyiv’s grid but argues that State and DOD should get the bulk of any additional funds.

The report recommends that the international cybersecurity strategy — which Fick’s office is responsible for drafting — prioritize “resources from both military and civilian U.S. agencies, remove redundancies, and close any seams” and account for the role of allies and private-sector partners.

Fick argued on Thursday that while Russia has attempted to carry out cyberattacks against Ukraine, they’ve been generally unsuccessful. “That’s a model that we need to maintain and replicate in other places,” he said.

Cyber capacity-building, the report argues, helps “allies and partners build cyber resilience, develop national cyber strategies, prosecute cyber criminals, and evict malicious cyber actors from critical networks.” The report recommends that the U.S. build out cyber force employment capabilities for allies while also thinking about how to build out cyber force deployments for offensive cyber operations.

“Through classroom training, tabletop exercises, and operational exercises, U.S. operational and legal practitioners could provide cyber-specific guidance on basic legal issues such as due diligence, sovereignty, and jurisdiction as well as more complex operational issues such as collateral damage assessments, clarification on when states can “hack back,” and when states can engage in self-defense,” the report notes.

Additional recommendations include that the administration prioritize building cyber resilience in critical infrastructure with allies, conduct additional bilateral and multilateral cyber exercises and use bilateral memoranda of understandings to improve military cyber defense capabilities with allies.