a global affairs media network

www.diplomaticourier.com

Duck and Cover: Cyber Instability

December 18, 2012

Anyone familiar with the post-World War II security environment will remember grainy movies with a friendly but stern voice instructing children on how to survive a nuclear blast. “Duck and cover,” they said; curl up at the base of a nearby wall and cover yourself with a jacket or your hands. When the United States lost its monopoly on nuclear weaponry in 1949, the U.S. government sought to prepare the population for nuclear war. Even if the benefits of “duck and cover” in the event of a nuclear strike were negligible, the sense of agency in a truly unstable security environment was invaluable.

This winter, the world celebrates 21 years since the end of the Cold War and fears over inter-superpower nuclear war, but a Millennial generation that remembers nothing of “duck and cover” lessons is facing a new threat no less terrifying than thermonuclear war.

“Stuxnet was Hiroshima,” said James Mulvenon, Vice-President of Defense Group, Inc.’s Intelligence Division and Director of DGI’s Center for Intelligence Research and Analysis, on an Atlantic Council panel in July. In much the same way the A-bomb showed the world the destructive potential of nuclear power, so too did Stuxnet prove what malware capabilities combined with destructive intent could do. And much like the era of duck and cover, policymakers have failed to come up with solutions that will adequately protect the population in the event of cyberwar. For the moment, solutions are utterly out of their reach, and anything they try could potentially make the situation worse.

Unlike in nuclear war, where the precedent was “use as a last resort,” the creators of Stuxnet have set the precedent of striking through cyber attacks as a prelude to physical hostilities. After news about Stuxnet broke, the world’s governments were strangely quiet—most likely because they immediately devoted resources to repurposing it. However, the beauty—and terror—of the Internet Age is how it has democratized access to knowledge, allowing actors to take advantage of the immense power of crowd-sourced information, both in public forums and in a significant information underground. Just as policy-makers fear nuclear weapons falling into the hands of rogue non-state actors, they should fear these same actors getting their hands on a zero-day vulnerability in any of our critical infrastructure. Should someone choose to attack, they would have a good chance of affecting a system that was never built to withstand malicious attacks in the first place.

The democratization of cyber weaponry has raised the question: what meaning does sovereignty have in cyberspace? More than any virus or environmental pollutant, internet denizens care little for Westphalian borders. Traditional cybersecurity policy has been approached from a nationalist point of view, with regulations focusing inside national or regional borders, but they are largely ineffective against attacks originating from outside the country’s borders. There is nothing a law passed by the U.S. Congress is going to do to stop a Chinese or Russian backer from depositing a piece of malware or spyware in a critical banking or secret government program.

Government officials cannot adapt their defensive measures fast enough to keep up with advancements in technology, let alone with hackers’ tactics. U.S. officials are just beginning to consider how to implement a strategy to deal with both the kind of attacks perpetrated by bored young adults, like Lulzsec, and intelligence espionage, and have not even begun considering how to address issues brought about by mobile technology and increasingly “frictionless” sharing of data.

In response, private companies are taking matters into their own hands, going on the offensive against perceived threats by striking back at their attackers. After Chinese attackers hacked Gmail accounts and stole some Google source code in January 2010, Google responded by hacking their attackers right back. A July survey of 181 attendees at the Black Hat USA conference in Las Vegas showed that 36 percent of respondents had engaged in retaliatory hacking in the past; in reality, the numbers are likely much higher. Despite government exhortations to focus on proactive defense rather than an “eye for an eye” sense of cyber justice, the private sector is rapidly hurtling down a path where one wrong accusation or action could escalate to an all-out war.

The low barrier to entry in this battle has led to the development of a sort of Wild West environment, where digital hit men openly advertise their hacking services in taking down whatever target a buyer desires, and though prices vary, a hit man can be bought for less than an average apartment’s monthly rent payment.

Just like during the Cold War, it will not be uncommon for peripheral actors to be caught up in attacks on other actors. One tactic of espionage hackers is to target “watering hole” sites—meaning to hack websites that an organization’s employees are likely to visit (local government sites, a community bank, or a trusted news source) and install a Trojan when visitors arrive on the page. Symantec has warned that, “Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as they may have been compromised and used as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013.”

Even worse than one company’s employees being hacked is the silence from those companies afterward. Without knowledge sharing between companies, one PR department’s embarrassment could lead to one company after another falling victim to the same attack, and hackers gathering more and more intelligence.

Most notable about all these threats is how few of the problems fall under the jurisdiction of state actors. The Internet Age has diffused power from major centers of hierarchical power to ever-smaller, autonomous non-state actors. It is theoretically possible for a dedicated individual to change the entire global balance of power, and it is impossible for any one government to stop it.

It is clear that there must be a substantial, comprehensive approach to cybersecurity. The first step to creating a better security environment is acceptance. In the stages of grief, the U.S. is currently in denial. We cannot continue to act as if every attack will be “Pearl Harbor” as Secretary Panetta tries to warn, because that will leave us vulnerable to a number of smaller problems. However, we also cannot continue to act as if a cyberattack will never happen to us personally. We must accept that the new world we live in will always carry a risk of cyber insecurity.

Once we stop worrying about that, we can move on to the next step: building a defensive mindset. Defending against a cyber intrusion is not only about creating new technologies; technology, after all, is only as smart as the person using it. It is more important to educate on best practices for safety, and in the process create a set of norms for cybersecurity. Is it necessary to attach all your personal information to your Facebook account? Or to then use that Facebook account to comment on multiple forums or sign up for apps?

Finally, the world’s nations need to cooperate to create a system of global deterrence, similar to the network created to deter the production of more nuclear weapons. At the moment, there is no deterrent incentive; rather, there is a high incentive to preempt another nation or group attaining the means to attack, making the current environment highly unstable. Deterrence will mean, initially, establishing an image of being able to respond to any attacks with disproportionate force, then creating a set of norms, with rewards and punishments, to discourage cyber attacks.

Any plan must encompass three levels: 1) the individual (for example, if you decide to participate in mobile banking, what precautions should you take?); 2) private enterprise (choose proactive defensive measures over dangerous reactive retaliatory measures, and share knowledge of threats with each other); and 3) nation states (find a balance between security and citizens’ desire for transparency, and cooperate with each other to find global solutions to global problems).

To reach this point quickly, the United States, as the world’s leader in cyber industry, must draw upon the resources of allied governments and work to create strong defenses, appropriate and balanced punishments, and a system of norms that will raise the entry point for cyber crimes to discouraging levels.

This article was originally published in the Diplomatic Courier's November/December 2012 print edition.

Photo: marsmet543 (cc).

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.