The 2018 State of the Digital Union: The Seven Deadly Sins of Cyber Security We Must Face

singer2

When President Barack Obama made his first State of Union address, there were a series of key challenges for cyber security policy. There was increasing problems of state-linked intellectual property (IP) theft that, in the wake of such incidents like the hacking of the F-35 fighter jet program, were becoming both an economic and national security issue, clouding Sino-American relations. There were growing worries about such ills as transnational criminal networks harming trust in the growing e-commerce marketplace, as well as botnets threatening to clog the “pipes” of cyberspace. Cyber warfare was starting to emerge as a real realm of conflict, with demands for the U.S. military to figure out how it was going to train, recruit, budget and organize for digital operations. And, there were concerns about privacy and state surveillance, but in those halcyon pre-Snowden disclosure days, they were framed mostly around such issues as China’s hacking of Google networks.

These concerns would then animate a series of cyber security programs and activities over the next years of the Obama administration, with mixed success. They ranged from the launch of bilateral talks with China that would culminate in a new agreement on IP theft, to the launch of new efforts to set cyber security standards for both American business and global politics, to new revelations and battlelines of privacy and surveillance, to the creation of an entire new military organization for fighting in cyberspace, U.S. Cyber Command.

Obviously, we are in a fundamentally different world today as President Donald Trump prepares to deliver his first State of the Union address. And, in the field of cyber security, we are also in a fundamentally different place. While none of the tough issues described above have gone away, they have been downgraded in importance by a series of even more thorny problems. For the Trump administration, and the broader national security community, these issues go well beyond mere staffing gaps (although these certainly are considerable, with over a third of key cyber security positions still left unfilled) or concerns with the execution of policy. Rather, from the collapse of cyber deterrence to rise of new types of attacks and vulnerabilities, there are seven fundamental new changes to the cyber security landscape. If the United States is to have any effective cyber security strategy, this new threat environment demands to be understood and faced.

The Collapse of Cyber-Deterrence

Building cyber-deterrence through a mix of both national capabilities and global norms that guide behavior has been a cornerstone of U.S. cyber security since the very realm first emerged. Today, it is not just challenged, but in utter collapse. For multiple years, Russia conducted a successful series of attacks on the American political system, as well our allies, with no real consequence. This campaign hit political targets of both parties, like the Democratic National Committee, and also the Republican National Committee, as well as prominent Democrat and Republican leaders, civil society groups like various American universities and academic research programs. These attacks started years back, but have continued after the 2016 election. They have hit clearly government sites, like the Pentagon’s email system, as well as clearly private networks, like U.S. banks.

In addition to attacking this range of public and private American targets, over an extended period of time, this Russian campaign has also been reported as targeting a wide variety of American allies. These include government, military and civilian targets in places that range from the United Kingdom, the Czech Republic, and Norway, as well as trying to influence elections in Germany, France and the Netherlands. It also targeted a range of international institutions, including most recently those linked to the Olympics after Russian athletes were caught cheating.

This is not just about targets, but also tactics. Russia has treated Ukraine as a kind of battle lab for all sorts of new cyber threats and tactics. Think of it as a digitized version of how the Spanish civil war in 1930s was used by the Germans not just to hone the technology of the Blitzkrieg, but to learn just what the world would let them get away with. Most worrisome has been a series of Russian attacks on civilian power grids, the type of attacks that have long been the nightmare scenario of cyber security, but here again with no consequence. This has been accompanied by probing attacks on previously off-limits areas in critical infrastructure, such as into nuclear plants in both the United States and Europe.

This series of actions, with no firm reactions, have been accompanied by a reversal in the global discussion of cyber security policy. At the very same time that the United States has retreated from its leadership role in global discourse, most symbolically with the literal closing of the State Department’s Cyber Coordinator position, China and Russia reversed years’ worth of work at the United Nations on building respect for the laws of war in cyber, and took key steps to win influence on the overall future of the Internet itself.

In the most generous interpretation, the combination of all these trends has undermined U.S. cyber deterrence, by creating mass uncertainty not about American capabilities, but the more politically important dimension of intent and will. In the capital cities of both American allies and adversaries, as well as the chatrooms of non-state actors, there is no great confidence in what exactly the U.S. position now comprises (especially in a world where presidential tweets voice the exact opposite language and threat view of national security strategy documents), nor what actions would compel a U.S. response, or what that reaction would be.

Less generously, these trends have created the opposite of deterrence: incentives. The failure to clearly respond has taught not just Russia, but any other would-be attacker, that such operations are relatively no pain on the cost side, and all gain on the benefits side. Until this calculus is altered, the United States should expect to see not just Russia continue to target its citizens and institutions (indeed, the same Russian organization that attacked 2016 election organization has been reported as presently attacking U.S. Senate offices), but also other nations and non-state groups looking for similar gains.

Influencing the Wrong Problem

When digital security first emerged as a problem area, there was a debate within U.S. military circles as to whether it should be treated as part of a previously existing arena that is known as information operations. Encompassing concepts that range from psychological operations to influence, subversion and disinformation campaigns, Information Operations saw information itself as a way to, as the U.S. military put it, “ influence, disrupt, corrupt or usurp” the other side’s decision-making.

Ultimately, cyber security was split off and treated as its own problem area and professional field. This influenced not just how the U.S. military organized, but also how corporations framed their own security problems, such as how social media firms focused on keeping attackers from breaking into their networks, versus simply mimicking legitimate customers. It may well have been the wrong call.

In nations like Russia and China, another pathway was followed. Cyber-attacks were seen more as part of a continuum of the many ways to influence and undermine your adversaries. One of the first to voice this was Gen. Valery Gerasimov, chief of the General Staff of the Russian Federation. In 2013, he gave a speech to fellow officers, which became a centerpiece of Russian strategy to the extent that it was even written into the Russian military’s doctrine. With this, the broader information domain began to be viewed “…like a new theater for conflict and [Russia] has invested in developing its capabilities just as it would in developing a new weapon system.” And it wasn’t just any weapon; Russian military strategists began to describe how a strong information offensive can have a strategic impact on par with the release of an atomic bomb.

The key here was an understanding that hacking digital systems was only a complement to a larger effort to hack human minds and their political systems. For example, whether it was in Ukraine or the United States, the efforts to penetrate the email systems of political opponents of Russia was given real weight when the fruits of the hack were pushed out via the combined tentacles of a massive online army. This network is made up of four groups: thousands of sock-puppet accounts, where Russian human agents pose as trusted commentators and online friends, tens of thousands of automated bots that could drive overall online trends by manipulating search algorithms, and finally legions of “fellow travelers” and polezni durak (Russian for “useful idiots”) inside the target countries, who either knowingly echo out this propaganda and disinformation or do so driven by mostly partisan reasons.

The effect of this is a weaponization of social media , felt across the political environment, poisoning not just U.S. politics, but also targets ranging from the United Kingdom to Italy. Its scale is perhaps illustrated by how, via Facebook alone, 126 million Americans saw ads and posts from a subset of known Russian trolls hiding behind false identities that ranged from U.S. military veterans to African American activists. Similarly, in just the last ten weeks of the 2016 U.S. election, accounts now known to be Russian in origin, but posing as someone else, generated 2.12 million tweets on election related topics, receiving 454.7 million impressions within their first seven days of posting.

Unfortunately, both the U.S. government and private companies have yet to come to grips with how best to respond. This problem made all the more difficult by the sense of denialism at the very top of both.

Mega Gets Mega

For all the new and often highly political ills, the more “traditional” attacks in cyber security have not gone away. Indeed, the last year saw a near doubling in the number of reported cyber incidents to 159,700. The problem is that the worst kind of attacks have reached a new kind of scale.

“Mega-breaches” are defined as data breach incidents that cause the exposure of at least 10 million identities. Think of them as the mass murders in a city already undergoing a massive crime wave. Such attacks used to be incredibly rare; for instance there was just one mega breach in all of 2012. Driven by how much more we are putting online, in still unsecured manners, such major breaches now come at a regular pace. Last year’s mega breaches ranged from the compromise of 57 million of Uber customers’ personal data to the Equifax breach, which lost the credit monitoring data of some 143 million Americans.

These massive breaches have come so quickly, in fact, that where they would have once been the subject of weeks of breathless news stories and demands for government action, most have been quickly forgotten. For example, many recall the Target breach of five years ago that affected 41 million Americans. But few even noticed the 2017 loss of nearly 200 million Americans’ voter data (names, date of birth, address, phone numbers, voter registration details) by Deep Root Analytics, a marketing firm that works for the Republican National Committee.

However, the collective impact on their victims from this ongoing spate of attacks will not be quickly forgotten. As more and more mega-sized breaches occur, and more and more data is lost, more and more of this data will be mined and combined. If we don’t get ahold of this problem, it will make the ways that governments and companies use such data, literally to define who we are and what we are allowed to do, unsustainable.

The Threat Goes Hybrid

The threat actors that troubled us in cyber security originally were the proverbial teenagers in their parents’ basement and other early “hackers” driven by a mix of curiosity and attention seeking. Over time, they were surpassed by groups of attackers that were more organized and effective: state governments, non-state criminal groups, and global hacktivist networks.

Here again, none of these actors have gone away, but a new problem is the hybridization of these threats. Just like the relationship between covert hacks and overt influence campaigns, such combinations work in seemingly opposite ways, that are actually two sides of the same coin. The first is non-state actors that conduct the operations of states. The proverbial example here are Russian criminal networks which have been enlisted to attack political targets in places that range from Ukraine to the United States, frequently using the very same means and modes of attack that they used in theft. By some accounts, these groups or individuals are often pressured or blackmailed into aid through threats of jail time, akin to how the FBI ensured the U.S. branch of the mafia worked to aid American interests during World War II by passing on intelligence of Axis positions in Sicily.

The other hybrid threat is the reverse, where state actors conduct operations that have traditionally been criminal. Here the proverbial example is North Korea, whose hackers have been implicated in attacking banking systems in places like Bangladesh, Vietnam, Ecuador and Poland, stealing at least $94 million, conducting some of the biggest bank robberies in history. Here the goal is not political influence, but cash needed to sustain the sanctioned nation’s economy.

In turn, by being in both worlds, but neither fully, hybrid threats don’t fit into easy categorization to enable the normal responses. For example, seeking cross-border law enforcement cooperation for criminal prosecution is not a viable answer when the criminal is doing the dirty business of the state itself. This means we are yet to figure out exactly how to handle hybrid threats. If we want to defeat and deter them, better defenses are not enough. We’ll have to determine what are their “control mechanisms,” what the military calls the actions that force an adversary to start acting according to our ends and designs, versus only reacting to theirs.

Holding the World Ransom

If this new scale and new attackers weren’t enough, we are also seeing a new form of cyber-attack move to the forefront of concern. Whether it was a credit card or a government secret, when information was stolen in the past, it was to be used to the benefit of the attacker. Now, we are seeing more and more ransomware attacks, where information or access is being kept from the use of the victim, until they pay a ransom to unlock it.

Not so long ago ransomware was a minor area of the field, but now it is arguably the fastest growing with all sorts of insane statistics to underlie how bad it is becoming. By one measure, ransomware saw a 167 times growth (not 167 percent, but times) over one year.

The costs are equally growing, with 2017 the costliest year by far. In the NotPetya attacks, for instance, Maersk suffered $200 million in damages, FedEx $300 million loss , and Merck over $310 million in damages.

All signs point to this trend growing. The first reason is that ransomware crime pays, and pays more and more. The average take per victim in a ransomware attack in 2015 was $294. In 2017, it grew by 266 percent to $1,077 per victim. The second reason is that, aligned with the hybridization problem, states are getting into the act. NotPetya may have caused harm to private business across the world, but it has been concluded that it originated with a Russian attack on Ukraine.

The ransomware problem will get much worse. So far, the targets that have been taken offline have been information systems needed for the operation of an organization, such as digital hospital files or business data. What looms is holding ransom of the machines needed for the operation of an organization. White hat hackers have demonstrated this scary future by already showing off the threats posed by ransomware that can seize control of everything from thermostats to public water treatment plants.

The Stakes Grow with Things

The shift of what will be targeted by ransomware points to a larger shift in the Internet itself, and the growing stakes of cyber security. Our network of networks is evolving from being about communications between human beings to running the systems of our increasingly digital world. The numbers are in some dispute, but roughly 9 billion “things” are online now. In the next five years this will at least double, and likely triple or more. But most of these new things will shift from being computers on our desks and smart phones in our pockets to objects like cars, thermostats, power plants, etc.

This massive growth won’t just grow the Internet economy, but also massively grow the attack surface, the potential points of vulnerability that cyber threats will go after. However, it will also be a bit like traveling back in time, in that the new growth in the “Internet of Things” (IoT) is replicating all the old cyber security problems. With responsibilities for security unclear, and almost no regulation or even basic liability, all too often these devices lack even basic security features, while customers are largely unaware of what they can and should do. The result is that up to 70 percent of IoT devices have known vulnerabilities, and they have already become a key part of botnets. Here again, the situation will grow worse. As one 2018 prediction put it, we should expect to see more and more hacked things “used for volumetric attacks, to exfiltrate stolen data, to identify further vulnerabilities, or for brute force attacks.”

But there is a key new area in this growth of attack, which we haven’t seen much of, yet should expect to come: targeting things to cause physical damage. The pioneering of Stuxnet-style attacks that sabotage the operations of industrial control systems and more and more “things” which rely on these systems is a dangerous combination. IoT attacks will cost not just future money, but lives.

These fundamentally different consequences will cause fundamentally different ripple effects. The Internet of Things won’t just change the Internet as we know it, but the very politics of cyber security. As opposed to opaque attacks with unclear consequences, IoT attacks will be easy to see and understand by the broader public and policymakers. They will lead to far quicker and louder calls for action in response.

Subversion on a Whole New Level

Cyber security concerns so far have been tough enough. But they have only been about adversaries attempting to hack or manipulate already created systems. There are growing concerns that the underlying DNA of the digital systems themselves may be increasingly compromised.

This problem comes in three forms. The first reflects a new kind of dilemma in a new era of geostrategic competition. Never before has a nation been in geostrategic competition with another nation that manufactures substantial parts of both its business and military technology. This is the predicament for the United States, which finds itself beholden to China, all the way down to the microchip level. It creates not just a type of dependence never before seen, but also one that can be exploited through the potential of “hardware hacks,” where vulnerabilities might be baked into systems in a manner that might not be made evident for years if not decades. The chips that you buy today, could cost you a war tomorrow.

The second comes from the dueling incentives of multinational business and national security, again another key shift. In order to maintain access to certain markets, tech companies have increasingly allowed state governments access to their inner workings, all the way down to the source code. For instance, major firms like SAP, McAfee, and Symantec all reportedly allow the Russian government to do so on their products, while firms like Kaspersky have been accused of granting even closer access. The worry is that these same firms provide key security to networks in at least twelve U.S. government agencies.

The third problem is not one of deliberate sabotage, but a worry that errors in the equivalent “DNA” itself may have caused a type of cancer for the overall cyber security system. Security researchers are still coming to grips with the full implications of what is known as Meltdown and Spectre. Due to fundamental design flaws, the chips that almost all our major systems use have potential points of compromises. And, reflecting the above global firm versus national security problem, the maker informed Chinese state-linked firms of the security flaw before the U.S. government.

So far, there is no one security solution, and even the limited patches cause substantial problems. In many ways, these incidents may well be like the 2010 “flash crash” on the stock market, where the consequences of relying on a system that is so incredibly fragile is so deeply worrisome that we all just agree not to worry about it.

What Can We Do On ‘The Cyber’?

Obviously, there are no easy answers to these problems (and there are, of course, many more threats and changes one could add to the list). But that doesn’t mean that they will go away. If the Trump administration wants to improve the state of the cyber union, the United States will have to take a new approach. It will have to re-evaluate not just what is and isn’t working today, but also explore what new actions we ought to take, including options and ideas that have already been proposed but were not viable in previous political climates.

One track might be fundamental shifts in the technology that we use, such as movements to the cloud, to blockchain, to quantum computing, and to artificial intelligence. Each of these holds great promise for cyber security, potentially able to rewrite the balance of power between attacker and defender.

Another track might entail creating entirely new organizations. For example, the Homeland Security Act of 2002 explored the creation of a volunteer National Emergency Technology Guard (NET Guard), but it was never funded. Think of it as akin to a cyber security version of the Civil Air Patrol, where both experienced and student pilots train for personal interest, but are also on call for emergencies. Estonia has used a similar model to build deep resilience against Russian cyber attacks and interference. Importantly, such an organization would be able tap a wider set of expertise than now aiding in national cybersecurity, those who want to serve their nation, but are not physically able or willing to meet the demands of the active duty U.S. military or National Guard.

Or, it might include new laws designed to unlock the free market. An equivalent to the Terrorism Risk Insurance Act, but for cyber security would make it easier for the nascent cyber security insurance industry to take off, and enable companies both to better cover themselves and be influenced to good behavior.

Indeed, we should even include rethinking entire worldviews. For the last generation, the legal requirements of cyber security have been largely absent, their substitute mostly aspirational voluntary standards, backfilled by growing liability incentives. This was largely because government requirements were opposed by most business and considered politically unviable. However, threats and times change. Akin to how industry initially opposed regulations like car safety and then embraced and surpassed it, business is starting to re-evaluate its stance on all cyber security regulation being bad. This is based on a recognition that actual and defined requirements might aid in better protecting themselves, especially among their vendors, as well as cut through a growing thicket of lawsuit liability and varied state and global frameworks that is confusing and costly to navigate. In turn, we have to be prepared for how the politics of what is and isn’t viable in cyber security could change in an instant, especially in the wake of a catastrophic attack. For instance, the idea of a national agency for homeland security was an unworkable proposal that had floated about in various think tanks and commission reports for over a decade, until it became viable after 9/11.

At some point in the future, another president will deliver their first State of the Union. How seriously these seven problems are treated in the next few years will determine whether it is one delivered in an era of improved cyber security or of a fundamental breakdown into digital insecurity.

 

P.W. Singer is Strategist at New America and the author of multiple books including Cyber security and Cyberwar: What Everyone Needs to Know and Ghost Fleet: A Novel of the Next World War.

Image: Air Force/Margo Wright