THE 2018 STATE OF THE DIGITAL UNION: THE SEVEN DEADLY SINS OF CYBERSECURITY WE MUST FACE

PETER W. SINGER JANUARY 30, 2018

When President Barack Obama made his first State of the Union address, there were a series of key challenges for cyber security policy. There were increasing problems of state-linked intellectual property (IP) theft that, in the wake of such incidents as the hacking of the F-35 fighter jet program, were becoming both an economic and national security issue, clouding Sino-American relations. There were growing worries about such ills as transnational criminal networks harming trust in the growing e-commerce marketplace, as well as botnets threatening to clog the “pipes” of cyberspace. Cyber warfare was starting to emerge as a real realm of conflict, with demands for the U.S. military to figure out how it was going to train, recruit, budget and organize for digital operations. And, there were concerns about privacy and state surveillance, but in those halcyon pre-Snowden disclosure days, they were framed mostly around such issues as China’s hacking of Google networks.

These concerns would then animate a series of cyber security programs and activities over the next years of the Obama administration, with mixed success. They ranged from the launch of bilateral talks with China that would culminate in a new agreement on IP theft, to the launch of new efforts to set cyber security standards for both American business and global politics, to new revelations and battlelines of privacy and surveillance, to the creation of an entire new military organization for fighting in cyberspace, U.S. Cyber Command.

Obviously, we are in a fundamentally different world today as President Donald Trump prepares to deliver his first State of the Union address. And, in the field of cyber security, we are also in a fundamentally different place. While none of the tough issues described above have gone away, they have been downgraded in importance by a series of even more thorny problems. For the Trump administration, and the broader national security community, these issues go well beyond mere staffing gaps (although these certainly are considerable, with over a third of key cyber security positions still left unfilled) or concerns with the execution of policy. Rather, from the collapse of cyber deterrence to the rise of new types of attacks and vulnerabilities, there are seven fundamental new changes to the cyber security landscape. If the United States is to have any effective cyber security strategy, this new threat environment demands to be understood and faced.

The Collapse of Cyber-Deterrence

Building cyber-deterrence through a mix of both national capabilities and global norms that guide behavior has been a cornerstone of U.S. cyber security since the very realm first emerged. Today, it is not just challenged, but in utter collapse. For multiple years, Russia conducted a successful series of attacks on the American political system, as well as our allies, with no real consequence. This campaign hit political targets of both parties, like the Democratic National Committee, and also the Republican National Committee, as well as prominent Democrat and Republican leaders, civil society groups like various American universities and academic research programs. These attacks started years back, but have continued after the 2016 election. They have hit clearly government sites, like the Pentagon’s email system, as well as clearly private networks, like U.S. banks.

In addition to attacking this range of public and private American targets, over an extended period of time, this Russian campaign has also been reported as targeting a wide variety of American allies. These include government, military and civilian targets in places that range from the United Kingdom, the Czech Republic, and Norway, as well as trying to influence elections in Germany, France and the Netherlands. It also targeted a range of international institutions, including most recently those linked to the Olympics after Russian athletes were caught cheating.

This is not just about targets, but also tactics. Russia has treated Ukraine as a kind of battle lab for all sorts of new cyber threats and tactics. Think of it as a digitized version of how the Spanish civil war in the 1930s was used by the Germans not just to hone the technology of the Blitzkrieg, but to learn just what the world would let them get away with. Most worrisome has been a series of Russian attacks on civilian power grids, the type of attacks that have long been the nightmare scenario of cyber security, but here again with no consequence. This has been accompanied by probing attacks on previously off-limits areas in critical infrastructure, such as into nuclear plants in both the United States and Europe.

This series of actions, with no firm reactions, has been accompanied by a reversal in the global discussion of cyber security policy. At the very same time that the United States has retreated from its leadership role in global discourse, most symbolically with the literal closing of the State Department’s Cyber Coordinator position, China and Russia reversed years’ worth of work at the United Nations on building respect for the laws of war in cyber, and took key steps to win influence on the overall future of the Internet itself.

In the most generous interpretation, the combination of all these trends has undermined U.S. cyber deterrence, by creating mass uncertainty not about American capabilities, but the more politically important dimension of intent and will. In the capital cities of both American allies and adversaries, as well as the chatrooms of non-state actors, there is no great confidence in what exactly the U.S. position now comprises (especially in a world where presidential tweets voice the exact opposite language and threat view of national security strategy documents), nor what actions would compel a U.S. response, or what that reaction would be.

Less generously, these trends have created the opposite of deterrence: incentives. The failure to clearly respond has taught not just Russia, but any other would-be attacker, that such operations are relatively no pain on the cost side, and all gain on the benefits side. Until this calculus is altered, the United States should expect to see not just Russia continue to target its citizens and institutions (indeed, the same Russian organization that attacked 2016 election organizations has been reported as presently attacking U.S. Senate offices), but also other nations and non-state groups looking for similar gains.

Influencing the Wrong Problem

When digital security first emerged as a problem area, there was a debate within U.S. military circles as to whether it should be treated as part of a previously existing arena that is known as information operations. Encompassing concepts that range from psychological operations to influence, subversion and disinformation campaigns, Information Operations saw information itself as a way to, as the U.S. military put it, “influence, disrupt, corrupt or usurp” the other side’s decision-making.

Ultimately, cyber security was split off and treated as its own problem area and professional field. This influenced not just how the U.S. military organized, but also how corporations framed their own security problems, such as how social media firms focused on keeping attackers from breaking into their networks, versus simply mimicking legitimate customers. It may well have been the wrong call.

In nations like Russia and China, another pathway was followed. Cyber-attacks were seen more as part of a continuum of the many ways to influence and undermine your adversaries. One of the first to voice this was Gen. Valery Gerasimov, chief of the General Staff of the Russian Federation. In 2013, he gave a speech to fellow officers, which became a centerpiece of Russian strategy to the extent that it was even written into the Russian military’s doctrine. With this, the broader information domain began to be viewed “…like a new theater for conflict and [Russia] has invested in developing its capabilities just as it would in developing a new weapon system.” And it wasn’t just any weapon; Russian military strategists began to describe how a strong information offensive can have a strategic impact on par with the release of an atomic bomb.

The key here was an understanding that hacking digital systems was only a complement to a larger effort to hack human minds and their political systems. For example, whether it was in Ukraine or the United States, the efforts to penetrate the email systems of political opponents of Russia were given real weight when the fruits of the hack were pushed out via the combined tentacles of a massive online army. This network is made up of four groups: thousands of sock-puppet accounts, where Russian human agents pose as trusted commentators and online friends, tens of thousands of automated bots that could drive overall online trends by manipulating search algorithms, and finally legions of “fellow travelers” and polezni durak (Russian for “useful idiots”) inside the target countries, who either knowingly echo out this propaganda and disinformation or do so driven by mostly partisan reasons.

The effect of this is a weaponization of social media, felt across the political environment, poisoning not just U.S. politics, but also targets ranging from the United Kingdom to Italy. Its scale is perhaps illustrated by how, via Facebook alone, 126 million Americans saw ads and posts from a subset of known Russian trolls hiding behind false identities that ranged from U.S. military veterans to African American activists. Similarly, in just the last ten weeks of the 2016 U.S. election, accounts now known to be Russian in origin, but posing as someone else, generated 2.12 million tweets on election related topics, receiving 454.7 million impressions within their first seven days of posting.

Unfortunately, both the U.S. government and private companies have yet to come to grips with how best to respond. This problem is made all the more difficult by the sense of denialism at the very top of both.

Mega Gets Mega

For all the new and often highly political ills, the more “traditional” attacks in cyber security have not gone away. Indeed, the last year saw a near doubling in the number of reported cyber incidents to 159,700. The problem is that the worst kind of attacks have reached a new kind of scale.

“Mega-breaches” are defined as data breach incidents that cause the exposure of at least 10 million identities. Think of them as the mass murders in a city already undergoing a massive crime wave. Such attacks used to be incredibly rare; for instance there was just one mega breach in all of 2012. Driven by how much more we are putting online, in still unsecured manners, such major breaches now come at a regular pace. Last year’s mega breaches ranged from the compromise of 57 million of Uber customers’ personal data to the Equifax breach, which lost the credit monitoring data of some 143 million Americans.

These massive breaches have come so quickly, in fact, that where they would have once been the subject of weeks of breathless news stories and demands for government action, most have been quickly forgotten. For example, many recall the Target breach of five years ago that affected 41 million Americans. But few even noticed the 2017 loss of nearly 200 million Americans’ voter data (names, date of birth, address, phone numbers, voter registration details) by Deep Root Analytics, a marketing firm that works for the Republican National Committee.

However, the collective impact on their victims from this ongoing spate of attacks will not be quickly forgotten. As more and more mega-sized breaches occur, and more and more data is lost, more and more of this data will be mined and combined. If we don’t get ahold of this problem, it will make the ways that governments and companies use such data, literally to define who we are and what we are allowed to do, unsustainable.

The Threat Goes Hybrid

The threat actors that troubled us in cyber security originally were the proverbial teenagers in their parents’ basement and other early “hackers” driven by a mix of curiosity and attention seeking. Over time, they were surpassed by groups of attackers that were more organized and effective: state governments, non-state criminal groups, and global hacktivist networks.

Here again, none of these actors have gone away, but a new problem is the hybridization of these threats. Just like the relationship between covert hacks and overt influence campaigns, such combinations work in seemingly opposite ways, that are actually two sides of the same coin. The first is non-state actors that conduct the operations of states. The proverbial example here is Russian criminal networks, which have been enlisted to attack political targets in places that range from Ukraine to the United States, frequently using the very same means and modes of attack that they used in theft. By some accounts, these groups or individuals are often pressured or blackmailed into aid through threats of jail time, akin to how the FBI ensured the U.S. branch of the mafia worked to aid American interests during World War II by passing on intelligence of Axis positions in Sicily.

The other hybrid threat is the reverse, where state actors conduct operations that have traditionally been criminal. Here the proverbial example is North Korea, whose hackers have been implicated in attacking banking systems in places like Bangladesh, Vietnam, Ecuador and Poland, stealing at least $94 million, conducting some of the biggest bank robberies in history. Here the goal is not political influence, but cash needed to sustain the sanctioned nation’s economy.

In turn, by being in both worlds, but neither fully, hybrid threats don’t fit into easy categorization to enable the normal responses. For example, seeking cross-border law enforcement cooperation for criminal prosecution is not a viable answer when the criminal is doing the dirty business of the state itself. This means we are yet to figure out exactly how to handle hybrid threats. If we want to defeat and deter them, better defenses are not enough. We’ll have to determine what are their “control mechanisms,” what the military calls the actions that force an adversary to start acting according to our ends and designs, versus only reacting to theirs.

Holding the World Ransom

If this new scale and new attackers weren’t enough, we are also seeing a new form of cyber-attack move to the forefront of concern. Whether it was a credit card or a government secret, when information was stolen in the past, it was to be used to the benefit of the attacker. Now, we are seeing more and more ransomware attacks, where information or access is being kept from the use of the victim, until they pay a ransom to unlock it.

Not so long ago ransomware was a minor area of the field, but now it is arguably the fastest growing with all sorts of insane statistics to underlie how bad it is becoming. By one measure, ransomware saw a 167 times growth (not 167 percent, but times) over one year.

The costs are equally growing, with 2017 the costliest year by far. In the NotPetya attacks, for instance, Maersk suffered $200 million in damages, FedEx a $300 million loss, and Merck over $310 million in damages.

All signs point to this trend growing. The first reason is that ransomware crime pays, and pays more and more. The average take per victim in a ransomware attack in 2015 was $294. In 2017, it grew by 266 percent to $1,077 per victim. The second reason is that, aligned with the hybridization problem, states are getting into the act. NotPetya may have caused harm to private business across the world, but it has been concluded that it originated with a Russian attack on Ukraine.

The ransomware problem will get much worse. So far, the targets that have been taken offline have been information systems needed for the operation of an organization, such as digital hospital files or business data. What looms is holding ransom of the machines needed for the operation of an organization. White hat hackers have demonstrated this scary future by already showing off the threats posed by ransomware that can seize control of everything from thermostats to public water treatment plants.

The Stakes Grow with Things

The shift of what will be targeted by ransomware points to a larger shift in the Internet itself, and the growing stakes of cyber security. Our network of networks is evolving from being about communications between human beings to running the systems of our increasingly digital world. The numbers are in some dispute, but roughly 9 billion “things” are online now. In the next five years this will at least double, and likely triple or more. But most of these new things will shift from being computers on our desks and smart phones in our pockets to objects like cars, thermostats, power plants, etc.

This massive growth won’t just grow the Internet economy, but also massively grow the attack surface, the potential points of vulnerability that cyber threats will go after. However, it will also be a bit like traveling back in time, in that the new growth in the “Internet of Things” (IoT) is replicating all the old cyber security problems. With responsibilities for security unclear, and almost no regulation or even basic liability, all too often these devices lack even basic security features, while customers are largely unaware of what they can and should do. The result is that up to 70 percent of IoT devices have known vulnerabilities, and they have already become a key part of botnets. Here again, the situation will grow worse. As one 2018 prediction put it, we should expect to see more and more hacked things “used for volumetric attacks, to exfiltrate stolen data, to identify further vulnerabilities, or for brute force attacks.”

But there is a key new area in this growth of attack, which we haven’t seen much of, yet should expect to come: targeting things to cause physical damage. The pioneering of Stuxnet-style attacks that sabotage the operations of industrial control systems and more and more “things” which rely on these systems is a dangerous combination. IoT attacks will cost not just future money, but lives.

These fundamentally different consequences will cause fundamentally different ripple effects. The Internet of Things won’t just change the Internet as we know it, but the very politics of cyber security. As opposed to opaque attacks with unclear consequences, IoT attacks will be easy to see and understand by the broader public and policymakers. They will lead to far quicker and louder calls for action in response.

Subversion on a Whole New Level

Cyber security concerns so far have been tough enough. But they have only been about adversaries attempting to hack or manipulate already created systems. There are growing concerns that the underlying DNA of the digital systems themselves may be increasingly compromised.

This problem comes in three forms. The first reflects a new kind of dilemma in a new era of geostrategic competition. Never before has a nation been in geostrategic competition with another nation that manufactures substantial parts of both its business and military technology. This is the predicament for the United States, which finds itself beholden to China, all the way down to the microchip level. It creates not just a type of dependence never before seen, but also one that can be exploited through the potential of “hardware hacks,” where vulnerabilities might be baked into systems in a manner that might not be made evident for years if not decades. The chips that you buy today could cost you a war tomorrow.

The second comes from the dueling incentives of multinational business and national security, again another key shift. In order to maintain access to certain markets, tech companies have increasingly allowed state governments access to their inner workings, all the way down to the source code. For instance, major firms like SAP, McAfee, and Symantec all reportedly allow the Russian government to do so on their products, while firms like Kaspersky have been accused of granting even closer access. The worry is that these same firms provide key security to networks in at least twelve U.S. government agencies.

The third problem is not one of deliberate sabotage, but a worry that errors in the equivalent “DNA” itself may have caused a type of cancer for the overall cyber security system. Security researchers are still coming to grips with the full implications of what is known as Meltdown and Spectre. Due to fundamental design flaws, the chips that almost all our major systems use have potential points of compromise. And, reflecting the above global firm versus national security problem, the maker informed Chinese state-linked firms of the security flaw before the U.S. government.

So far, there is no one security solution, and even the limited patches cause substantial problems. In many ways, these incidents may well be like the 2010 “flash crash” on the stock market, where the consequences of relying on a system that is so incredibly fragile are so deeply worrisome that we all just agree not to worry about it.

What Can We Do On ‘The Cyber’?

Obviously, there are no easy answers to these problems (and there are, of course, many more threats and changes one could add to the list). But that doesn’t mean that they will go away. If the Trump administration wants to improve the state of the cyber union, the United States will have to take a new approach. It will have to re-evaluate not just what is and isn’t working today, but also explore what new actions we ought to take, including options and ideas that have already been proposed but were not viable in previous political climates.

One track might be fundamental shifts in the technology that we use, such as movements to the cloud, to blockchain, to quantum computing, and to artificial intelligence. Each of these holds great promise for cyber security, potentially able to rewrite the balance of power between attacker and defender.

Another track might entail creating entirely new organizations. For example, the Homeland Security Act of 2002 explored the creation of a volunteer National Emergency Technology Guard (NET Guard), but it was never funded. Think of it as akin to a cyber security version of the Civil Air Patrol, where both experienced and student pilots train for personal interest, but are also on call for emergencies. Estonia has used a similar model to build deep resilience against Russian cyber attacks and interference. Importantly, such an organization would be able to tap a wider set of expertise than now aiding in national cybersecurity, those who want to serve their nation, but are not physically able or willing to meet the demands of the active duty U.S. military or National Guard.

Or, it might include new laws designed to unlock the free market. An equivalent to the Terrorism Risk Insurance Act, but for cyber security, would make it easier for the nascent cyber security insurance industry to take off, and enable companies both to better cover themselves and be influenced to good behavior.

Indeed, we should even include rethinking entire worldviews. For the last generation, the legal requirements of cyber security have been largely absent, their substitute mostly aspirational voluntary standards, backfilled by growing liability incentives. This was largely because government requirements were opposed by most business and considered politically unviable. However, threats and times change. Akin to how industry initially opposed regulations like car safety and then embraced and surpassed it, business is starting to re-evaluate its stance on all cyber security regulation being bad. This is based on a recognition that actual and defined requirements might aid in better protecting themselves, especially among their vendors, as well as cut through a growing thicket of lawsuit liability and varied state and global frameworks that is confusing and costly to navigate. In turn, we have to be prepared for how the politics of what is and isn’t viable in cyber security could change in an instant, especially in the wake of a catastrophic attack. For instance, the idea of a national agency for homeland security was an unworkable proposal that had floated about in various think tanks and commission reports for over a decade, until it became viable after 9/11.

Copyright ©2018 War On The Rocks

At some point in the future, another president will deliver their first State of the Union. How seriously these seven problems are treated in the next few years will determine whether it is one delivered in an era of improved cyber security or of a fundamental breakdown into digital insecurity.

 

P.W. Singer is Strategist at New America and the author of multiple books including Cybersecurity and Cyberwar: What Everyone Needs to Know and Ghost Fleet: A Novel of the Next World War.

Image: Air Force/Margo Wright
