7 July 2018

To Hackers, We’re Bambi in the Woods

By Nicholas Kristof

Suddenly, the electricity goes out at the office. Cellphone networks and the internet have also gone black, along with subways and trains. The roads are jammed because traffic lights aren’t working. Credit cards are now just worthless bits of plastic, and A.T.M.s are nothing but hunks of metal. Gas stations can’t pump gas. Banks have lost records of depositors’ accounts. Dam floodgates mysteriously open. Water and sewage treatment plants stop working.  People can’t reach loved ones. Phone systems are down, so 911 is useless. Looters roam the streets. Food and water soon run out in the cities. And that’s just the first week.

Security experts have nightmares like that. Countries like Russia and China have implanted malicious software in the American electrical grid, nuclear power plants and water systems to have the capacity to mount such attacks — and we have done the same to them. Indeed, the U.S. prepared an extensive plan, Nitro Zeus, to unplug Iran through cyberattacks, but in the end we never implemented it.

These are some of the issues explored in an important — and deeply sobering — new book about cyberwarfare, “The Perfect Weapon,” by my Times colleague David Sanger. I’ve known Sanger since we joined our college newspaper together at the beginning of freshman year, and he has spent the decades since exploring the intersections of technology and international security — and trying to alert us to our vulnerabilities.

The risks aren’t just of a cyber-Pearl Harbor but also of a full spectrum of attacks. The Russian hack of Democratic emails should have been a wake-up call. A senior F.B.I. official told Sanger: “These D.N.C. guys were like Bambi walking in the woods, surrounded by hunters. They had zero chance of surviving an attack. Zero.” 

Even after the attacks we didn’t learn, and much of the U.S. is still like Bambi. The Russian hack of the U.S. elections in 2016 should have us on our toes for 2018, but the Trump administration has done little to prepare to fight off new hacking.

Sanger describes a Russian cyberattack on the Ukrainian electrical grid shortly before Christmas 2015. Operators of the grid were bewildered: Nothing they clicked on their computers had any effect, and cursors dashed across their screens to disconnect circuits and delete backup systems. Finally, the hackers disconnected the backup electrical system, so that the operators in the control room were literally in the dark.

Hackers are increasingly brazen. When Russian hackers infiltrated State Department and White House computer systems in 2014, National Security Agency specialists tried to uproot them — and the hackers fought back. “It was basically hand-to-hand combat in a network,” Rick Ledgett, a senior N.S.A. official, told Sanger.

Cyber is the “perfect weapon,” in Sanger’s formulation, because attackers typically get off scot-free.

If North Korea had responded to the Sony Pictures movie “The Interview” by blowing up cinemas, it might have faced a strong response. Instead, it hacked into Sony’s system, destroyed computers and paralyzed the company. In both the Sony and Democratic Party attacks, the hackers enlisted the American news media to magnify the damage; we in the media were used, and we should reflect on that.

Later, North Korean hackers pilfered $81 million from the Bangladesh Central Bank (they might have gotten away with almost $1 billion, but someone misspelled “foundation”). For all this, North Korea faced no significant punishment.

Sanger writes that American officials debated whether to punish Vladimir Putin for his hacks by exposing his links to oligarchs, or even by making some of his money disappear. But Barack Obama balked, fearful of what Putin might do next, and Donald Trump has also dithered. 

Gen. Paul Nakasone, head of the U.S. Cyber Command, was asked in his confirmation hearings this year what our adversaries think will happen if they attack us in cyberspace. “They do not think much will happen,” he replied. “They don’t fear us.”

As Sanger writes, “Deterrence is not working in the cyber realm.” Why wouldn’t Putin interfere in our 2018 midterms since we’re both vulnerable and not serious about responding?

We need to establish a cost to cyberattacks and help establish norms for cyber — a Geneva Convention for hacking. The problem is that the U.S. also uses cyberwarfare (to destroy Iranian centrifuges and, apparently, North Korean missiles), and we don’t want to constrain ourselves.

Meanwhile, we are becoming ever more vulnerable, partly because daily life is becoming more dependent on computers, and partly because cyber-offense is far ahead of cyber-defense. The U.S. started with a huge advantage, but Russia and China have nearly caught up, and Iran and North Korea don’t seem far behind.

In the 1990s, we were too complacent about the risks of terrorism; it took the twin towers collapsing to galvanize us. In the world of cyberspace, we’re still too complacent: Let’s stop playing Bambi!

No comments: