Earlier this summer, Director of National Intelligence Dan Coats issued a blunt warning with regard to the growing cyber threat facing America. He said that the system was “blinking red” in the face of a likely attack.
Many of us will recall that this same language was used 17 years ago in a different but equally alarming context — to describe the state of affairs in the weeks immediately prior to the 9/11 terrorist attacks against the United States. DNI Coats is not alone in his assessment of the threat we currently face.
Indeed, as Secretary of Homeland Security Kirstjen Nielsen stated during the recent National Cybersecurity Summit in New York, cyber threats “now collectively exceed the danger of physical attacks against us.” She went on to warn that: “We are in crisis mode. A ‘Cat 5’ hurricane has been forecast, and now we must prepare.”
Their forceful proclamations underscore not only both the breadth and depth of the cyber threat, but how it has evolved over time.
From Hacktivists to Terrorists
At its inception, the cyber era levelled the playing field, allowing individuals and small groups to wield power on a global scale and challenge entities as big and powerful as the nation-state itself.
When threats arose, they often presented as distributed denial of service (DDoS) attacks, where a flood of traffic would cause a government or company website to shut down; or as cyber “graffiti”, where the perpetrators would deface the targeted websites. By 2007 and 2008 though, cyber tools, tactics, techniques, and procedures were being integrated into warfare; Russia led the way by incorporating cyber measures into its offensive operations against Estonia and the former Soviet Republic of Georgia during that period.
As Secretary of Homeland Security Kirstjen Nielsen stated, “We are in crisis mode. A ‘Cat 5’ hurricane has been forecast, and now we must prepare.”
Today, virtually all countries have developed or are seeking to develop a cybersecurity strategy as well as a military architecture and doctrine that lays the foundation for a national cyber capability which is both offensive and defensive in nature. Regional organizations such as NATO and the European Union are engaging in a similar exercise and planning. This is because the cyber threat has become so pervasive, multi-dimensional, and concerning.
Indeed, just the other day, the Homeland Security Secretary stated (during an event that I hosted) that “we have moved past the ‘epidemic’ stage and are now at a ‘pandemic’ stage—a worldwide outbreak of cyberattacks and cyber vulnerabilities.” In short, a wider range of nefarious actors than ever before can now access “sophisticated digital toolkits…spreading like wildfire.” The statistics cited on cybercrime alone are jaw-dropping: by 2021, some estimate that cybercrime damage will reach $6 trillion per year. That would be equivalent to almost 10% of the global economy.
Symantec’s latest Internet Security Threat Report contains equally disturbing statistics and trends: in 2017, there was a 200% increase in malware inserted into the software supply chain; the number of new malware variants targeting mobile devices rose 54%; and there was a 600% increase in attacks on the Internet of Things. Consider that the WannaCry cyberattack alone affected hundreds of thousands of computers, in 150 countries, and caused billions of dollars of damage.
Clearly, not all hacks are the same; nor are all hackers or their targets. We face a signal-to-noise dilemma. Who and what do we really need to pay attention to and why?
The threat comes in various shapes, sizes and forms. They range from nation-states, to criminal enterprises, foreign terrorist organizations, business competitors, and hacktivists and script-kiddies. Just as diverse as the threat actors themselves are the wide variance in their intentions, capabilities, and the tools they deploy.
At the highest end of the spectrum lie advanced persistent threats. These include nation-states with sophisticated capabilities and demonstrated intent to harm the United States and its allies. China, Russia, Iran, and North Korea have repeatedly acted in this manner and, in doing so, shown their cyber-savvy.
Symantec’s latest Internet Security Threat Report contains equally disturbing statistics: in 2017, there was a 200% increase in malware inserted into the software supply chain and there was a 600% increase in attacks on the Internet of Things.
Following nation-states, criminal organizations are the next most capable threat actors. A word of caution here — the gap between sophisticated cyber criminals and nation-state actors is increasingly narrowing, with the primary differentiator being that nation- states can utilize all source intelligence, of which cyber is merely one means. Needless to say, what differentiates criminals from other threat actors such as nation-states and terrorist organizations is their motivation and intent.
Rather than being motivated by ideology or political concerns, criminal organizations are driven by profit. They hope to stay under the radar and don’t want to bring any attention to their profitable, albeit illegal, activity. This is where most of the malicious cyber activity today occurs, and it is occurring at scale – so called ‘Cybercrime-as-a-Service’. Compounding this challenge is that nation states are increasingly turning to cyber criminals as proxies do their bidding.
Next up are foreign terrorist organizations. They certainly possess the motivation and intent, but fortunately they have not yet fully developed a sustained cyber-attack capability. It is likely, though, that they will increasingly turn to disruptive cyber-attacks. Whatever capabilities they don’t possess, they can simply buy or rent on the dark web. Moreover, since ISIS demonstrated its sophisticated use of social media for both propaganda and operational planning and tradecraft purposes, it would be foolish to discount that they — or future like-minded organizations — won’t develop a computer network attack capability or at least rent tools to enable a cyber drive-by shooting capability.
Finally, entities such as ‘hacktivists,’ single-issue organizations, and disgruntled employees may also have considerable skills and capabilities. Their motive is often to cause maximum embarrassment to their targets and to bring attention to their cause.
The Targets of their Attacks
The Department of Homeland Security has designated 16 critical infrastructures to be vital to our national and economic security.
The so-called “lifeline” sectors — such as water, energy and electricity, financial services, transportation, telecommunications, and of course, the defense industrial base — are at once the most critical of our critical infrastructures, while also the most targeted.
They are the jewels in the U.S. crown, in the eyes of the adversary. Against this background, these sectors have invested heavily in their own protection and resilience, knowing that their continuity of operations is crucial to ensure public health and safety. But the task is complicated by the many interdependencies that exist between and among these sectors, as well as by the public/private nature of the enterprise (over 85% of U.S. critical infrastructure is owned and operated by the private sector, which underscores how essential public/private partnerships are).
What lies ahead is not terribly comforting. The threat tempo is accelerating and magnified by the speed at which technology evolves. Our ability to ‘network’ has far outpaced our ability to protect ‘networks’. Just think about the Internet of Things, with an estimated 40 billion new devices expected to be interconnected by 2020. That is an exponential growth in connectivity — and an exponentially larger attack surface. At the same time, China, Russia, and others are investing heavily in artificial intelligence (A.I.), quantum computing, and space-based means of strategic advantage (to name just a few).
Our ability to ‘network’ has far outpaced our ability to protect ‘networks’. Just think about the Internet of Things, with an estimated 40 billion new devices expected to be interconnected by 2020.
The United States, too, is dedicating personnel and resources to these and other areas of innovation that are intended to bolster our posture both at home and abroad. Yet many of these technological advances cut both ways; for instance, A.I. can be expected to empower the adversary as well as our own activities and efforts directed towards national defense and national and economic security. Unfortunately, bits and bytes do not respect borders, which is one way of saying that a transnational challenge requires transnational solutions. This demands a redoubling our efforts with our allies, and calls for both strengthening and building new cyber alliances from a diplomatic, military and economic perspective. That said, there is much that can and should be done here at home.
The Challenges Ahead
At the very top of that list must be protecting and preserving continuity of operations of our lifeline sectors. Resources are finite, even in a country as prosperous and generous as America. Yet our risk profile is remarkably expansive. The only way forward is to prioritize and manage accordingly. Put differently, if everything is critical, then nothing is. Recognizing this, the Department of Homeland Security has taken the lead on mapping out “a collective defense strategy” — together with private sector partners — that is centered on the protecting the Nation’s critical infrastructure. This is a solid step in the right direction, but we must be clear-eyed — a challenging path lies ahead.
Keep in mind that private companies are now on the frontlines of this conflict, at the very tip of the spear. Yet how many companies, even the largest, went into business thinking they had to defend themselves against foreign intelligence services and nation-state actors? This is undoubtedly an uneven playing field. At minimum, we need to figure out a way to support and protect these private sector entities that are the foundation of U.S. innovation and prosperity — which in turn is the platform that powers and upholds our national and economic security.
Private companies are now on the frontlines of this conflict. Yet how many companies, even the largest, went into business thinking they had to defend themselves against foreign intelligence services and nation-state actors?
As of now, and likely for the foreseeable future, the initiative remains with the cyber attacker. They will continue to have first-mover advantage over the defender. It is increasingly clear that we cannot simply ‘firewall’ or defend our way out of this problem. A more forward-leaning posture that is supported and under-pinned by similar strategies and tactics is needed. For too long, our cyber-adversaries have had the run of the field, without the imposition of timely and severe consequences designed to discourage further malicious (if not downright hostile) activities directed against the United States.
Indeed, a robust deterrence strategy has been the primary element missing from the U.S. toolkit to date. Articulating and executing such a strategy must be a top priority in the days ahead, in order to expand the elements of statecraft that are at our disposal for the purpose of containing and dissuading the most significant cyber threat actors.
As President Abraham Lincoln once said, “The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty, and we must rise — with the occasion. As our case is new, so we must think anew, and act anew”.
The time is now to think anew and act anew with regard to the cyber threats we face as a nation.
Frank J. Cilluffo directs the McCrary Institute for Cybersecurity and Critical Infrastructure Protection at Auburn University.