What We Must Do about Cyber

Last week Amy Zegart noted the rapid rise of cyber in the DNI Annual Threat Assessment. As she observed,

Cyber is listed as threat number 1 but it's only been number 1 since 2012, suggesting just how fast the cyber threat landscape is changing. As late as 2009, cyber appeared toward the very end of the threat assessment, just behind drug trafficking in West Africa. In the 2007 assessment, cyber was not mentioned at all. No kidding. Not one word. So we've gone from no cyber to all-about-cyber in just eight years.

So what's the explanation for this shift? It's maturity: a combination of improved technological capabilities and a more sophisticated understanding of threats and US strategic goals. The US has been suffering cyberexploits — theft of information from networked systems — since at least the early 2000s. But in 2007, cyberattacks — actual damage to networked systems — went from theory to proof of concept. Of course, we'd had little bits of damage before, including a compromised NYNEX phone switch in 1997 that shut down the Worcester Airport for several hours. But prior to 2007, the damage from such attacks had been relatively minor. That year the Idaho National Laboratory ran a test that demonstrated it was possible to destroy a power generator through a remote cyber attack. In 2008 the Baku-Tbilisi-Ceyhan oil pipeline exploded. The pipeline, built over Russian objections, was protectively designed with many sensors to measure pressure, oil flow, etc. Nonetheless, malware was inserted into the control network; this was activated to cause an explosion. Although the perpetrators were never caught, there is little doubt who was behind this: the attack occurred three days before the start of the Russo-Georgian War.  In 2010 Stuxnet provided yet another proof of the ability of cyber to remotely cause kinetic damage. At the same time that technological capabilities improved, strategic analysis also shifted. We'd been hearing about cyber Pearl Harbors since 2011, and about electronic Pearl Harbors for fifteen years before that. No one says "cyber Pearl Harbor" anymore — and that's a correct assessment. The entities capable of launching a massive, multi-prong attack on US critical infrastructure through cyber have little strategic interest in doing so. Instead, DNI Clapper suggested that the threat will be,

Rather than a "Cyber Armageddon" scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.

These will be disruptive attacks on industry, a la Sony and JPMorgan, and more dangerously, there is the potential of low-level attacks to critical infrastructure. Clapper mentioned this, specifically calling out Russian cyber actors who are developing the ability to access industrial control systems. He is concerned about efforts to degrade quality of information — and thus the ability of systems to work correctly. This new understanding of threats changes in two fundamental ways what our responses must be. The first, as Clapper points out, is that we must increase our focus on information integrity.  Technical solutions, including cryptographic hashes to ensure data integrity, will play an increasingly important role here. (Interestingly, you also see information integrity play out in Google's new initiative to rank webpages based on the accuracy of the facts that they contain rather than on the links to them; thus, for example, webpages claiming a link between the Measles-Mumps-Rubella vaccine and autism would be downranked.) The second important aspect is resilience, the continued ability to function despite degraded performance; this will be increasingly critical. In the last several years, resilience has become part of DoD cyber doctrine; it also appears in the NIST Cybersecurity Framework. This capability also needs to become deeply embedded within the private sector. As DNI Clapper observed, "cyber risk must be managed." The Worldwide Threat Assessment brings a much more sophisticated and nuanced version of the cyber threats the US faces than earlier DoD  descriptions did. It behooves not just the US military and political leaders to pay attention, but also US industry leaders. Unlike the previous cyber Armageddons characterizations, this assessment captures the real threats to the US public and private sectors. Such threats will only grow more complex and more severe with time; that argues for beginning the development of responses now. Sony and JPMorgan are undoubtedly paying attention to this; one hopes that a much wider swath of US industrial leaders are as well.