We have been on the run from cyberattacks for more than a decade now, and in spite of the $90+ billion we spent last year (according to Gartner) on cybersecurity technology, things have gotten worse, not better. Those same analysts predict we will be spending more than $113 billion by 2025.
Thanks to tons of investment capital and bright young graduates from great schools, we have lots of sparkling new technology. In fact, at last year’s RSA Conference, we broke all the records with 15 keynote presentations, more than 700 speakers across 500+ sessions and more than 550 companies on the expo floors. But in pursuit of the next coolest cybersecurity thing, we continue to ignore the biggest problem, which is the manner in which we are prevented from engaging the enemy.
Unless and until we change the fundamental rules of engagement, it will be virtually impossible to make any real progress.
As we continue to develop new defensive techniques, the effectiveness of those techniques increases right up until our attackers figure out how to develop countermeasures to evade them. Since there aren’t any physical determinants around the problem space, there don’t seem to be any barriers to the creation of new countermeasures. That fact alone creates the tedious attack cycle that we are experiencing today.
To overcome this key adversarial advantage, we should shift our focus from the latest threat landscape and start figuring out how to disrupt the defender-attacker dynamic.
This is not easy because there are at least four crucial and complicated problems that need to be addressed:
1) information asymmetry – our attackers know more than we know,
2) the economies of attacks – we spend billions avoiding attacks by a $50 exploit kit,
3) our lack of visibility into the attack horizon – we can’t predict or even anticipate the future,
4) the failure to be able to identify the exploitation of legitimacy – we can’t identify impostors.
Given our current information asymmetry, a defender can never prevail. The best we can do is delay the inevitable. The defender has to protect against all attacks, all the time. The attacker, however, only has to know of a single exploitable vulnerability. One glaring example is the 9 out of 10 enterprise environments that do not have a reliable inventory of all their SSH keys. This one cybersecurity hygiene failure creates a target-rich attack setting for those intent upon gaining unlimited access into core computing networks.
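The SSH key inventory gap is a concrete, checkable hygiene failure, so here is an added example (not code from the original essay) of the kind of check it calls for: a small parser that walks `authorized_keys` contents, records each key's type, OpenSSH-style SHA256 fingerprint, restricting options and comment, flags malformed entries, and reports keys that authorize more than one account or carry no restrictions. The file paths and key blobs are constructed placeholders, not real keys.

```python
"""Added example: a minimal authorized_keys inventory. Sample keys are placeholders."""
import base64
import binascii
import hashlib
import shlex

# Key types OpenSSH accepts in authorized_keys; any token before the first
# recognised type is treated as the comma-separated options prefix.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def fingerprint(raw):
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), '=' padding stripped."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(raw):
    """A wire-format key blob starts with a length-prefixed type string."""
    if len(raw) < 4:
        return None
    n = int.from_bytes(raw[:4], "big")
    if len(raw) < 4 + n:
        return None
    return raw[4:4 + n].decode("ascii", "replace")

def parse_authorized_keys(text, source):
    """Return one inventory record per non-comment line of an authorized_keys file."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = {"source": source, "line": lineno, "options": "", "status": "ok"}
        try:
            tokens = shlex.split(line)  # keeps command="..." as a single token
        except ValueError:
            rec["status"] = "unbalanced quotes"
            records.append(rec)
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            rec["status"] = "no recognised key type"
            records.append(rec)
            continue
        rec["options"] = " ".join(tokens[:idx])
        rec["key_type"] = tokens[idx]
        rec["comment"] = " ".join(tokens[idx + 2:])
        try:
            raw = base64.b64decode(tokens[idx + 1], validate=True)
        except (binascii.Error, ValueError):
            rec["status"] = "invalid base64 blob"
            records.append(rec)
            continue
        rec["fingerprint"] = fingerprint(raw)
        if blob_key_type(raw) != rec["key_type"]:
            rec["status"] = "blob type does not match declared type"
        records.append(rec)
    return records

def inventory(files):
    """files: {path: file text}. Returns the records for every file."""
    out = []
    for path, text in files.items():
        out.extend(parse_authorized_keys(text, path))
    return out

def shared_keys(records):
    """Fingerprints that authorize more than one account (a common inventory finding)."""
    seen = {}
    for r in records:
        if "fingerprint" in r and r["source"] not in seen.setdefault(r["fingerprint"], []):
            seen[r["fingerprint"]].append(r["source"])
    return {fp: srcs for fp, srcs in seen.items() if len(srcs) > 1}

def unrestricted_keys(records):
    """Valid keys carrying no options (no from=, command=, no-pty, ...)."""
    return [r for r in records if r["status"] == "ok" and not r["options"]]

# --- constructed sample data (placeholder blobs, not real keys) ---------------
def make_blob(key_type, *fields):
    raw = b"".join(len(f).to_bytes(4, "big") + f for f in (key_type.encode(),) + fields)
    return base64.b64encode(raw).decode()

ED_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x7f" * 64)

SAMPLE_FILES = {
    "/home/alice/.ssh/authorized_keys": f"# constructed sample\nssh-ed25519 {ED_BLOB} alice@laptop\n",
    "/home/backup/.ssh/authorized_keys": (
        f'no-pty,command="/usr/bin/rsync --server" ssh-rsa {RSA_BLOB} backup-job\n'
        f"ssh-ed25519 {ED_BLOB} alice@laptop\n"   # same key reused on a second account
        f"ssh-rsa {ED_BLOB} mislabelled\n"        # declared type disagrees with the blob
        "ssh-ed25519 not-base64!! broken\n"
    ),
}

if __name__ == "__main__":
    recs = inventory(SAMPLE_FILES)
    for r in recs:
        print(r["source"], r["line"], r.get("key_type"), r.get("fingerprint"), r["status"])
    print("shared across accounts:", shared_keys(recs))
    print("unrestricted:", [(r["source"], r["comment"]) for r in unrestricted_keys(recs)])
```

Run against real files by replacing `SAMPLE_FILES` with the text of each account's `authorized_keys`; the two summary functions are where the value lies, since a key trusted by several accounts, or one with no `from=`/`command=` restriction, is exactly what an organisation without an inventory cannot see.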
In the last two decades, and in particular after the 9/11 attacks, the United States and its allies have enjoyed a veritable monopoly on the use of coercive economic measures (sanctions, trade controls, investment restrictions, etc.) to achieve foreign policy objectives. This dominance has been grounded in the central role that the U.S. financial system, capital markets, and the U.S. dollar play in international trade and commerce.
But the most novel aspect of the well-publicized but little understood cyberattack against Sony Pictures is that it demonstrates the proliferation of the weapons of economic warfare. Owing to the low cost of sophisticated tools for cyber exploitation and the distributed nature of expertise in their use, smaller and relatively poor countries like North Korea and Iran now have the ability to deploy those tools to target the economic interests of major powers for whatever political ends suit their fancy.
No longer does oil need to be traded in a country’s currency for that country to be able to project power using economic means. Smaller powers around the world can achieve coercive goals belied by their military weakness. And at the same time, the U.S. and its allies are asymmetrically vulnerable to the targeting of their commercial interests for political purposes given the dominant position their corporations occupy in the global economy. This vulnerability extends and applies in both the economic and cyber warfare arenas equally.
And while we have long known that the United States is vulnerable to cyberattacks because of its technological connectedness, the direct recent exploitation of that vulnerability for political ends is novel.
The administration’s proposal to criminalize the sale of certain exploitation tools is a start, but what is needed is not more law, but more strategy—serious conceptual work on the relationship between the commercial interests of American companies and the strategic interests of the United States, and a viable framework for responding to cyberattacks at all levels of intensity. If we hired InfoSec professionals to do the work instead of lawyers, it would be an even better start.
North Korea’s activities are recognizable to those familiar with the tools and goals of financial warfare. Sanctions, trade controls, and other coercive economic measures generally have one (or both) of two main objectives.
First, they are designed to impede the operations of rogue states and illicit actors like terrorist groups or narco-trafficking cartels. Sanctions and the due diligence obligations of banks, among many other measures, make it substantially more expensive and risky, and less efficient, for illicit actors to raise, store, move, and use the funds that are the lifeblood of their organizations.
Entities like drug trafficking networks, terrorist groups, and proliferation facilitators require substantial streams of funding and access to the global financial system to remain effective. The more time and resources they spend trying to fund an organization, the less time they have for planning attacks or engaging in other illicit activity.
But sanctions and trade controls also have a second objective, which is to shape the behavior of decision-makers in foreign governments by raising the costs of their actions. We have recently seen, for example, the United States and its allies in Europe imposing increasingly innovative and wide-ranging sanctions in order to demonstrate to Russia that its activities in Ukraine are not cost-free, and the result was a forced shift in its activities in the region.
While the Sony breach itself was significant in that it resulted in the theft of a large quantity of sensitive data and shut down its network operations, the more troublesome aspects of that event relate to the ways in which the commercial interests of American companies were targeted to effect changes in their behavior. Shortly after the hacks, the group that conducted them threatened attacks on theaters that planned to show the film and, as a consequence, Sony canceled the planned release.
While in this case, commercial interests were targeted in order to influence the decisions of an American company, it is easy to see how the threat actor’s logic could be applied to try and manipulate political decisions of the U.S. government or one of its allies.
How would the U.S. government respond if the commercial interests of American companies were targeted to change foreign policy decisions? What if North Korean, Iranian or Chinese hackers inflicted hundreds of millions of dollars’ worth of damage on several companies, sequentially, until the only feasible U.S. response short of outright war would be to lift sanctions, draw down troops, alter deployments, cancel joint military exercises or back off contract terminations with rogue terrorist states?
Whether or not they were specific targets, you can see how much of an “interested” reaction the recent NotPetya attack on Ukrainian interests got from the folks at JP Morgan and Goldman Sachs.
In this sense, the U.S. and its allies are asymmetrically vulnerable, as their companies operate all over the world and often constitute globally recognized brands. Their economic interests can consequently be targeted with much greater ease via cyber tools. Whereas in the past one needed the presence of a U.S. company in order to target its commercial interests, by disrupting physical operations or denying operating licenses, cyber tools provide both reach and an effective degree of deniability.
Adversaries of the United States can use (or outsource) cyber exploits to target American interests from half a world away. And as democracies, the United States and most of its allies might be more susceptible to public pressure to act after a significant corporation (or a large group of smaller corporations) is targeted. Does Facebook ring a bell?
One no longer needs to have the dominant global currency in order to utilize the tools of economic statecraft. And conversely, it is not only the fact that our critical infrastructure is wired that creates asymmetric vulnerabilities, but also the distributed nature of our economic interests.
What we need now, in addition to substantial work on improving our cyber defenses, is serious thinking on how we will respond when the economic interests of American companies are targeted through the exploitation of their digital vulnerabilities. What we have witnessed so far is child’s play.
The good news is that the evolving epidemic of cyber insecurity does not mean that cyber deterrence is infeasible in any absolute sense; on the contrary, threats are becoming more sophisticated because deterrence is working.
The question is whether it is working fast enough.