18 June 2017

A Multilateral Approach to Cybersecurity

By Hilary Hurd

For the sanguine among us, last month’s NATO meetings were a success. President Donald Trump abandoned his formal charge of NATO’s obsolescence and—however belatedly—acknowledged the US commitment to mutual defense. But for many European leaders, Trump’s stint in Brussels did more to confirm anxieties over American disengagement than it did to assuage them. Speaking shortly after the G7 summit in Sicily that immediately followed the NATO meetings, German chancellor Angela Merkel made clear that America’s reliability could no longer be assumed. And the fight for Europe’s future would not be a shared one. Meanwhile Alexander Stubb, former PM of Finland, tweeted that the United States was “losing ground as a superpower.”

Yet as US pundits dissect what America’s collective responsibility should be, new attacks remind us what our collective vulnerabilities actually are. Infecting more than 200,000 computers in more than 150 countries around the globe, last month’s WannaCry attack—like the Dyn and Swift attack before it—underscores why, in 2017, borders matter less, not more, to those who threaten us. Should the United States go it alone? In a new book, The Cybersecurity Dilemma, Dr. Ben Buchanan gives a clear and compelling answer: no.

Since the Peloponnesian War, states seeking to enhance their security have faced a dilemma: to ensure their own security through actions that threaten the perceived security of others (e.g., military build-up) or do nothing and risk being left vulnerable. When actions can’t be clearly interpreted, the “security dilemma,” as John Herz dubbed it, drives fear. When fear is sufficient, the security dilemma drives war. In The Cybersecurity Dilemma, Buchanan applies the old dilemma of interpretation/response to cyberspace, arguing that what states do to ensure their own cybersecurity, in turn, destabilizes the system.

By invading other states’ networks, states can prepare the groundwork for future aggression without committing to it. They can scan for unknown weaknesses inside another state’s system or plant malicious worms that later have knock-on kinetic effects (as happened with Stuxnet). Gaining meaningful access to another state’s network is by far the hardest part of a cyber operation given the time and effort required compared to the final, exploitation stage. And so, keeping options open often means going in.

But to defend themselves against future aggression, states are also incentivized to invade the networks of other states. After all, by invading other states’ networks, states can gather critical intelligence about potential adversaries’ capabilities and enhance their defenses through knowledge of how other states structure their cyber command and controls. The result? Once a state has broken into another state’s network, offensive versus defensive intensions are nearly all but impossible to distinguish. What’s more, intentions can change overnight. The consequence? States assume the worst when they realize they’ve been intruded, launching more intrusions of their own. Hence, the dilemma.

For those who know little about cybersecurity, Buchanan’s book is refreshingly lucid in its treatment of core concepts. He explains how states go about gaining access to other systems, shedding light on the respective difficulties of eight core steps: target acquisition, development, authorization, entry, establishing command and control, pivoting, payload activation, and confirmation. But for those more seasoned in cyber, Buchanan’s trove of rich historical analogies from the Cold War clearly establishes the “vexing characteristics” of maximizing security in cyberspace.

In the wake of Wannacry and last year’s hacking of the Democratic National Committee, defense experts from James Stavridis to Richard Clarke have repeatedly called for greater federal coordination to counter America’s cybersecurity threats. Buchanan is unlikely to disagree. But his book establishes quite clearly that much of America’s vulnerability could be minimized with stronger baseline defenses. To set up his case, he underscores repeatedly the lack of sophistication behind many high-profile attacks on the United States and the “colossal failures in management” that have actually been to blame. For example, the 2015 intrusion of the US office of personnel management (OPM), which compromised confidential data of nine to fourteen million government employees was largely the result of widespread legacy systems and a lack of two-factor verification.

But Buchanan doesn’t conclude with a catalog of cyber follies. He ends with a push for greater multilateral engagement and collaboration in cyber. He argues that states seeking to maximize their security should acknowledge the destabilizing nature of network intrusions and build confidence wherever possible. While he does not go into extensive detail about how states might build trust in cyber, he does list a few things like improving crisis communication and advancing strong encryption to protect private data. In short, the persistent challenge of uncertainty should be fought as it was with NATO: in lock-step with allies, and cognizant—as much as possible—about what our actions signal to our possible adversaries.

The one lingering question? How do trust-building measures from the Cold War apply to cyber, if at all?

In applying the security dilemma to cybersecurity, Buchanan’s focus is inherently state-centric. But, as former Secretary of Defense Leon Panetta remarked in 2012, “Securing cyberspace is not the sole responsibility of the United States military or even the sole responsibility of the US government.” Were the same statement to be said about the US borders, it’d be an invitation for vigilantism. Because the duty to defend cyberspace involves more kinds of actors across the private sector, the cybersecurity dilemma is arguably more vexing than Buchanan contends.

For example, in 2003, a slammer worm penetrated a private computer network at Ohio’s Davis-Besse nuclear power plant before moving through an IT line that bridged the private network and the corporate network. It disabled the safety monitoring system for five hours. While US nuclear power plants generally don’t have digital systems controlling them—just monitoring them—the incident highlighted the difficulty of keeping private, corporate, and critical networks separate. Furthermore, as we saw with the Sony hack, private actors are often some of the most vulnerable to foreign attacks. It’s hard to imagine how the US government could ensure the security of private companies that fall outside narrow bounds of “critical infrastructure” absent some kind of cyber deterrence.

Buchanan argues that states “do not need to respond in the manner in which they were provoked,” but the challenge of attribution remains and solving it would necessarily involve the same tactics Buchanan warns against: network intrusions. After all, how else would the US government have known that North Korea was behind the Sony attack? Sharing threat intelligence worked to bolster interstate relations during the Cold War, most notably for the Five Eyes community. But it’s difficult to imagine the political appetite to widely broadcast gains from network intrusions given their dual purpose.

To the extent that signaling works in cyber, Buchanan’s recommendations for trust-building are firm. And yet, for those recommendations to be successfully enacted would require a high-level strategy (and philosophical commitment) that’s is unlikely to emerge in the current political climate, and has perhaps already been rejected. As National Security Advisor H.R. McMaster wrote last month with Gary D. Cohn, the United States has embraced “a clear-eyed outlook that the world is not a ‘global community’ but an arena where nations, nongovernmental actors and businesses engage and compete for advantage.” For the United States to tie its own hands in cyber seems unlikely.

The need for multilateralism is stronger than it was during the Cold War, when NATO was first created. Russia has its sights on destabilizing the West. And cyber is its new domain. While one can hope the United States takes a card out of its old playbook, the chance of a cyber race seems—however troubling—more inevitable than ever. The cybersecurity dilemma, indeed.

Hilary Hurd leads Transparency International’s defense work in the United States. Previously, she worked for Chatham House researching the cyber vulnerabilities of nuclear SCADA systems.

This article appeared originally at Modern War Institute.

No comments: