
YL Blog #84 – Adopting A PEPFAR Model for Indo-Pacific Cybersecurity

Written By

  • Nicholas Romanow Active-duty U.S. Navy officer currently serving aboard the U.S.S. New Orleans

The Indo-Pacific is facing a pandemic of cybersecurity challenges. Framing cybersecurity in epidemiological terms is not intended to sensationalize this issue or allude to the very recent history of COVID-19. Rather, epidemiology can provide tools for grappling with the proliferation and interconnectivity of digital devices in the Indo-Pacific. Furthermore, the United States has a proven track record in successful foreign policy based around disease mitigation and eradication, namely the President’s Emergency Plan for AIDS Relief (PEPFAR). PEPFAR can be an instructive model for technology diplomacy in the Indo-Pacific to deliver economic, diplomatic, and security benefits for allies and partners in the region.

Symptom: Endless Fits of Hacking

Cyber intrusions impact every digitally-connected society, but like communicable diseases, “underlying conditions” make the Indo-Pacific especially susceptible to malicious cyber activity. One such condition is the exponential growth of internet-connected devices coming online in the Indo-Pacific. Similar to how the AIDS epidemic in Africa was partly driven by high birth rates, as HIV can spread through birth from mother to child, population growth in Southeast Asia consequently leads to more personal and commercial devices, which, in turn, creates more targets for potential hackers. Cisco, an information technology (IT) corporation, projected that as of 2023 the Asia-Pacific region comprised 3.1 billion internet users (58% of global internet users) and 13.5 billion internet-connected devices (46% of global internet-connected devices). While internet access is a hallmark of a technologically-advanced economy, there is not only an abundance of targets but also an abundance of attack vectors. Sophisticated cyber actors often compromise inadequately secured devices and leverage them as “anonymization networks” to probe or exploit other targets. Because of techniques like these, cyber insecurity can transmit similarly to how a pathogen transmits from victim to victim.

Another contributing risk factor for cyber insecurity in the Indo-Pacific is the region’s geopolitics. Cybersecurity firms have repeatedly attributed intrusions against Indo-Pacific nations to cyber actors associated with the government of the People’s Republic of China (PRC). Chinese government-backed cyber actors often target Pacific Island nations that are receiving Belt and Road Initiative (BRI) funding, as well as countries that have ongoing maritime disputes with the PRC in the South China Sea, especially the Philippines, according to a recent report from Microsoft as well as a report from Recorded Future. The multitude of cybersecurity companies all reporting on Chinese cyber espionage campaigns indicates a clear trend that the PRC turns to malicious cyber activity as a first resort to influence diplomacy, economics, and security in the region.

Even more concerning is the specter of conflict that looms over the Indo-Pacific. One of the more alarming trends for PRC cyber actors has been their focus on targeting critical infrastructure networks that may support U.S. and allied forces in the region. In 2023, Microsoft revealed that it was responding to an intrusion in critical infrastructure networks in Guam, which hosts multiple critical bases for U.S. military operations in the Western Pacific. In its statement, Microsoft stated that it believed this compromise was intended to enable future disruption to this infrastructure. Experts expect that an armed invasion of Taiwan will be preceded by grave destructive attacks on Taiwan’s critical infrastructure. Such a scenario would have ripple effects due to the region’s interconnectivity, enabled by undersea cables and satellite communications. While the prevalence of vulnerable devices across the Indo-Pacific generates opportunities for malicious cyber campaigns, strategic competition in the region drives the PRC’s intent to conduct such campaigns.

An Ounce of Prevention

The United States has an effective playbook for confronting an issue that spreads rapidly and is compounded by a lack of resources. According to analysis looking back on two decades of the program’s existence, PEPFAR saved 25 million lives and prevented millions of infections. The success of the program led to further economic and educational benefits for the communities that received PEPFAR assistance. The design and implementation of PEPFAR contains key lessons for foreign policy initiatives in general, but it can especially inform cybersecurity efforts due to the intertwined nature of cyber threats.

The first lesson flows from PEPFAR’s laser-focus on the AIDS epidemic. It can be tempting, in foreign assistance projects, to cast a wide net and attempt to allocate resources toward as many issues as possible. Part of the effectiveness of PEPFAR for alleviating suffering and saving lives is that focusing on AIDS had a ripple effect to preventing deaths from other ailments because AIDS is an autoimmune condition, which makes patients more vulnerable to other communicable diseases. Additionally, PEPFAR’s education and outreach efforts, especially those targeting adolescents, provide health education that can improve populations’ general well-being beyond only the prevention of AIDS.

Therefore, applying the PEPFAR model to a cyber diplomacy initiative would benefit from a focus on a specific sub-set of the more general cybersecurity problem. A potential scope for such an initiative could be directed toward critical infrastructure cybersecurity, which could yield ripple effects similar to PEPFAR. Because many individuals, businesses, and services rely on critical infrastructure (such as power, water, or telecommunications) to operate, better cybersecurity for critical infrastructure would ensure availability of key services for the broader population and economy.

Another crucial lesson is the necessity of collecting and analyzing data to refine the initiative. One of the central challenges in assessing foreign assistance programs is that the data tends to be biased toward success and have blind spots where assistance cannot reach. An AIDS clinic may be able to collect data on the patients that come to the clinic for care, but it may struggle to collect data on demographics that cannot access the clinic. For instance, PEPFAR early on struggled to assess the impact of AIDS on men as women would be more frequent visitors to the clinic, especially when they delivered children. Identifying this gap eventually led to, at first, greater visibility into male AIDS-related deaths and then more tailored resources to providing AIDS testing and treatment to reduce male AIDS mortality. Tailoring data collection and analysis to address gaps in knowledge enabled the program to understand local cultures and obstacles, continually improve, expand treatment, and save more lives.

A similar conundrum exists in cybersecurity, as it is often difficult if not impossible for an organization to secure devices and networks that it does not know it owns. Furthermore, organizations may not be cognizant of which of their devices are considered “end-of-life” or “end-of-support,” meaning the vendor is no longer providing software updates or security patches. Such devices, when still in operation, are prime targets for malicious activity that enables “lateral movement” to exploit trusted connections between devices or networks. A PEPFAR-model cybersecurity assistance program should prioritize surveying critical infrastructure networks and providing awareness of end-of-life and end-of-support devices within a critical infrastructure network. This data can empower system administrators to more efficiently allocate their time and limited security resources toward the more vulnerable parts of their network.

One last important lesson is the power of leveraging public-private partnerships to scale the reach of the program. PEPFAR’s partnerships with the private sector provided the government with additional resources, expertise, capacity, sustainability, and advocacy for countering the AIDS epidemic. One key example was the “Labs for Life” initiative launched in conjunction with Becton, Dickinson and Company. The ability to treat AIDS rests on the ability to test for HIV, and by extension, the number of laboratories available to administer and analyze test samples. Partnering with the private sector provided PEPFAR with access to the requisite equipment and expertise to build laboratories and train personnel in the communities, which therefore provides a sustainable solution to shortages in laboratory capacity.

The private sector, especially the information and communications technology sector, can provide even more contributions to the scale and sophistication of a cybersecurity assistance program. While U.S. Cyber Command (USCYBERCOM) has established “Hunt Forward Operations” to assist allies and partners in securing their networks, the teams that conduct these missions are limited and primarily geared toward securing military and intelligence networks. Working in tandem with cybersecurity firms would allow such a program to broaden its scope to encompass critical infrastructure providers and tap into the private sector’s expertise in securing the industrial control systems that underpin critical infrastructure systems. Private sector engagement has already proved extraordinarily effective in protecting critical infrastructure from sabotage in Ukraine against Russia’s ongoing military offensive. A similar endeavor conducted with urgency but without the backdrop of active combat could have an even more significant impact for key networks in the future.

A Prognosis for Indo-Pacific Cybersecurity

A proactive, forward-leaning cybersecurity assistance initiative modeled after the policy design that made PEPFAR successful would yield benefits to American foreign policy on a number of fronts. Diplomatically, such an initiative would offer a positive vision for U.S. leadership in the global technological competition, rather than mere warnings and opposition to the PRC-driven Digital Silk Road and proliferation of surveillance technology. Economically, efforts to raise the baseline level of cybersecurity in developing economies would ultimately help reassure foreign investors and commercial partners in the security of their communications and intellectual property. Improved critical infrastructure would also benefit citizens across the region by ensuring commercial networks are secure for use for online banking, telemedicine, and other personal purposes. It could also benefit American commerce by helping cybersecurity and technology firms gain footholds in new markets and reducing risks of intellectual property theft that may dissuade technology sharing and international research partnerships.

Finally, for security across the region, more secure critical infrastructure will support improving interoperability and information-sharing between the U.S. and its Indo-Pacific partners. It will also help boost the mobility of U.S. and allied forces across the region, which often rely on local, commercial critical infrastructure when based or in transit overseas. In other words, allied ships, aircraft, and other units would be more flexible to move across the region without heightened risk of compromise of their communications or information systems. While a laser-focused, data-driven program seeking to improve Indo-Pacific critical infrastructure cybersecurity seems like a very narrow proposal, its potential impacts across the Diplomatic, Informational, Military, and Economic (DIME) construct should not be discounted because of how prevalent digital technology has become both for everyday citizens and governments.

It is common to point to policy failures to derive lessons on what not to do, but it is equally important to capitalize on past successes when possible. Because PEPFAR is one of the most successful U.S. foreign policy programs so far in the 21st Century, close study of its programmatic design is warranted even if epidemiology seems like a niche portfolio. While saving more than 25 million lives is a difficult legacy to replicate, PEPFAR is certainly an initiative worth learning from.

Nicholas Romanow is an active-duty U.S. Navy officer currently serving aboard the U.S.S. New Orleans homeported in Sasebo, Japan. His most recent assignment was to the National Security Agency’s Cybersecurity Collaboration Center. He holds a bachelor’s degree in International Relations and Global Studies from the University of Texas at Austin, where he was also an undergraduate fellow with the Clements Center for National Security.

Photo: Staff Sgt. Wendell Myler, a cyber warfare operations journeyman assigned to the 175th Cyberspace Operations Group of the Maryland Air National Guard monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron, known as the Hunter’s Den, at Warfield Air National Guard Base, Middle River, Md., June 3, 2017. Credit: J.M. Eddins Jr.