20 March 2017

Whistling Past The Cyber Graveyard

by Matthew Wein

Hardly a day passes without a new cyber security incident being reported. Whether it is the breach of email accounts at Yahoo, the networks of the Democratic National Committee (DNC), or John Podesta’s digital recipe box, each revelation draws the attention of a wide range of news organizations, and each story builds toward critical mass until the next one displaces it. These incidents differ in scope, and their targets sit in the crosshairs of both criminals and hostile intelligence services, with motives ranging from the political to the monetary to plain mischief. Whatever the attacker’s intent, the government’s response ought to prevent escalation along the cybercrime continuum. What Americans have seen so far is network access and data exfiltration, or, more simply put, breaking, entering, and theft.

Data manipulation, the next step along that continuum, was possible in each of the scenarios above. The ability of criminals to alter data over the Internet could have destructive and lasting effects, particularly for an American public increasingly reliant on networked technologies and cloud computing. Yet this is an eventuality that American law enforcement must deter and for which it is unprepared. As the operation allegedly mounted by the Russian government in the run-up to the 2016 presidential election demonstrates, now is the time for the U.S. to develop a comprehensive plan of action against cybercrime in the realm of data manipulation.

Most Americans understand the cybercrime threats they commonly face: someone might steal their credit card number if a retailer is hacked, or their card might be swiped at a machine fitted with a skimmer. More complex issues, such as the encryption debate or the disclosures about the NSO Group, often fail to resonate with ordinary citizens or to register as matters of immediate, personal concern. Put more plainly: it is easy to see why Russian military intelligence (the GRU) would want to break into the email account of Hillary Clinton’s campaign chairman, but why would the GRU care about the emails of John Q. American from Anywhere, USA? Data manipulation is the reason every U.S. citizen should care about cybercrime, and it is what a U.S. cybercrime deterrence policy should guard against. Escalation along this continuum affects every American, from political operatives and elected officials to soccer moms and college students.

According to a 22 December 2016 CrowdStrike report, the GRU’s hack of the DNC was limited to data access and exfiltration; in other words, digital theft. As Russian President Vladimir Putin and other strongmen around the world test the limits of their cyber aggression, they are moving along the continuum of crime and espionage described above. The laundering and release of stolen documents through outlets like WikiLeaks is where we seemingly find ourselves right now in terms of Russia’s meddling in American democracy. The next step beyond cyber theft is data manipulation. In this scenario the perpetrator could alter individual votes or voter records, or fabricate emails that appear to corroborate the propaganda in fraudulent news stories. Such a move would certainly be an escalation for Russia following the sanctions President Obama announced on 29 December 2016, but it would also be a potentially under-the-radar response for Putin, who seemingly seeks to upend the liberal democratic order in Europe and North America.
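The distinction drawn above matters technically as well as politically: exfiltration copies data and leaves it intact, whereas manipulation changes it, and only the latter can be caught by an integrity check, provided the check was in place before the intrusion. The following Python is an added example and is not code from the original post or from any organization named in it. It signs a constructed, fictional voter-roll snapshot with HMAC-SHA256 under a hypothetical custodian key, then reports which records were altered, inserted, or deleted; a faithful copy of the data (the exfiltration case) passes unchanged.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample data: a tiny, fictional voter-roll snapshot.
RECORDS = [
    {"id": "V-1001", "name": "A. Voter", "precinct": "12", "status": "active"},
    {"id": "V-1002", "name": "B. Voter", "precinct": "12", "status": "active"},
    {"id": "V-1003", "name": "C. Voter", "precinct": "07", "status": "inactive"},
]

# Hypothetical integrity key (assumption for this example). In practice it is
# held by the records custodian, ideally in an HSM, and never on the server
# that hosts the live database an intruder could edit.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Deterministic encoding so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_records(records, key=INTEGRITY_KEY):
    """Return {record id: HMAC-SHA256 tag} for a trusted snapshot."""
    return {
        r["id"]: hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
        for r in records
    }


def find_tampering(records, tags, key=INTEGRITY_KEY):
    """Compare the current records against the signed snapshot.

    Returns {"modified": [...], "added": [...], "removed": [...]} of record ids.
    """
    result = {"modified": [], "added": [], "removed": []}
    seen = set()
    for r in records:
        rid = r["id"]
        seen.add(rid)
        if rid not in tags:
            # A record with no tag in the trusted snapshot was inserted later.
            result["added"].append(rid)
            continue
        tag = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, tags[rid]):
            # Content differs from what was signed: the record was altered.
            result["modified"].append(rid)
    # Ids that were signed but are no longer present were deleted.
    result["removed"] = sorted(set(tags) - seen)
    return result


def demo():
    """Exfiltration leaves the check clean; manipulation is flagged per record."""
    tags = sign_records(RECORDS)
    # Pure exfiltration: the attacker copied the data but changed nothing.
    assert find_tampering(deepcopy(RECORDS), tags) == {
        "modified": [], "added": [], "removed": []
    }
    # Manipulation: alter one record, delete one, and insert a ghost voter.
    altered = deepcopy(RECORDS)
    altered[0]["status"] = "purged"
    del altered[2]
    altered.append(
        {"id": "V-9999", "name": "Z. Ghost", "precinct": "12", "status": "active"}
    )
    return find_tampering(altered, tags)


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add is that the key must sit somewhere an attacker who can edit the database cannot reach, and the signed snapshot must predate the intrusion; a check run only after the fact, against tags the attacker could have regenerated, proves nothing. Email carries a comparable built-in witness: messages signed with the sender’s DKIM key can be verified by third parties, so fabricated messages slipped into a leak are detectable unless the signing key itself was stolen.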

Some fixate, wrongly, on whether Russia’s meddling cost Hillary Clinton the presidency; meanwhile too many elected officials dismiss the meddling as mere noise so that they can get on with their own legislative agendas. Both reactions keep the focus on the short-term, tactical implications of cybercrime while missing the strategic, long-term risks to our democratic institutions and critical infrastructure.

The cyber domain is the space in which the American public and federal, state, and local governments are most vulnerable. It cannot be treated merely as an avenue for espionage, snooping, or crime. Unlike airplanes, cars, or banks, the cyber domain is open to a multitude of nefarious actors: it is just as easy for the GRU to exploit these vulnerabilities as it is for China’s People’s Liberation Army, ISIS’s cyber terrorists, or European criminal gangs. That the target du jour is the U.S. democratic system does not stop anyone from taking aim at our critical infrastructure, bank accounts, or the health records of average Americans. U.S. deterrence policy ought to make clear that there are steep costs for anyone who attempts to manipulate or degrade our cyber systems, or the global systems on which we depend. As Rob Knake has pointed out, the Obama Administration took several concerted steps over time to pressure China to stop stealing industrial secrets and other intellectual property. The combination of naming and shaming with the threat of economic sanctions appears to have worked against Chinese hackers.

But as with nuclear deterrence, a single layer of security will not remedy the problem. Simply sanctioning Russia and China will not deter over the long term; cyber deterrence ought to be more complex and layered. To return to the airplanes mentioned above, criminals abuse commercial air travel in many ways: drug cartels use it to move contraband, and weapons and human smugglers ship their wares on it. No single deterrent changes the calculations of a dispersed group 100% of the time, something U.S. intelligence agencies and law enforcement personnel have learned the hard way over the years.

When attacks take place in the physical world, the focus falls equally on the target and on the means by which the attack was carried out. We harden vulnerable targets as far as we can, but we also secure the pathways that lead to them. Incidents in the cyber domain, by contrast, are often viewed in isolation, which keeps the public from appreciating the many-sided vulnerabilities of U.S. cyber infrastructure. Part of our cyber deterrence plan ought to be explaining the totality of the threat to the public in words they can digest. Such a public narrative would build resilience and a more informed citizenry. Data manipulation can affect large swaths of the American public in different ways, and we need to engage everyone in discouraging the use of cyber pathways to exploit vulnerabilities in the system.

While identity theft and credit card fraud dominate the public narrative around cyber threats, cybercrime through data manipulation must be acknowledged and addressed more openly. If data manipulation continues to be overlooked, the consequences will be serious, so now is the time to craft real proposals for deterrence. These proposals must start with educating the people responsible for the nation’s critical infrastructure, those working in industries like healthcare, finance, and electricity, and those in the democratic institutions that keep our electoral processes fair and uncorrupted. We need a multilayered approach to education in which federal agencies empower their employees to be part of the solution, one that does not treat information security as solely the domain of IT professionals.

Taken further, agency heads should elevate Chief Information Security Officers into their senior leadership groups and decision-making processes. Given the dispersed nature of the Internet’s infrastructure, DHS (particularly US-CERT), the DoD, and DoJ should also forge bilateral and multilateral agreements with strategic partners to strengthen information sharing and operational cooperation, and to share risk across this broad and growing attack surface. To address the totality of the threat, the U.S. must embrace shared solutions at the operational, tactical, and strategic levels. To bring about change at those levels, the people who best understand the challenges we face must explain the strategic risks of data manipulation in digestible English so that action can be taken. Until then, the conversation that takes place is insufficient.
