Understanding Digital Security
Shortly after the Americans won their independence from the British Empire, the young American republic was faced with the daunting task of defending the new nation from threats abroad. Hewing closely to the Atlantic coastline of North America, the original 13 states were heavily dependent on maritime trade to sustain their burgeoning economy. Yet, without the protection of the powerful British Navy, American merchants were left vulnerable to hitherto unconsidered threats, such as piracy (and other forms of lawlessness on the High Seas). Notably, American merchant vessels were terrorized by the Barbary Coast Pirates. To stop the pirates, the United States first paid the ransom they demanded. But this only compelled them to take bolder action against the young republic. So, starting with President Thomas Jefferson, the United States acted in defense of its interests on the High Seas. Notably, Jefferson launched a daring punitive strike against the Barbary Coast Pirates’ base of operations in Libya. Had the United States not taken the dangerous but decisive action in defense of its own interests, against all odds, then it would have continued to suffer at the hands of the brutal pirates (and other rivals, sensing weakness, would have attacked as well).
The United States finds itself in a similar position today—only it is in the new strategic domain of cyberspace, rather than the sea, where the United States is most susceptible to attack and disruption. And, as the United States increases its reliance on cyberspace for much of its civilian and military functions—as individuals both in the United States and around the world use the internet and its attendant platforms for all daily activities—Americans will only become more threatened, if U.S. policies remain as they currently are.
Some Facts About the Internet
The internet was first created by the Pentagon’s elite research-and-development agency, the Defense Advanced Research Projects Agency (DARPA). First created in 1969, to “develop a network for sharing digital resources among geographically separated computers,” the internet has steadily become the most important technological innovation of the last century. At its very beginning, though, the early internet was conceived as nothing more than an information-sharing tool linking together small, but geographically diverse sets of classified military researchers and programs during the Cold War. Little thought or effort was given to security, since few even knew about it at its inception. Over time, other government agencies, such as the National Science Foundation, NASA, and the U.S. Department of Energy helped to expand the internet. By the 1980s, the internet started to proliferate to the commercial sector. And, by the 1990s, the internet had gone global.
The 1998 Digital Millennium Copyright Act (DMCA) and the Telecommunications Act of 1996 form the bases of the laws which regulate the Internet. The first was intended to protect proprietary intellectual property while U.S. telecommunication law (first crafted in the 1930s) created a “pro-competitive, de-regulatory national policy framework designed to accelerate rapidly private sector deployment of advanced telecommunications and information technologies.” According to Nielsen Online and the International Telecommunications Union, as of June 2019, there are more than four billion people worldwide—and counting—who have access to the Internet. Because cyberspace is both a strategic domain as well as a commons for civilian activities—one which has a very loose set of regulations governing how one should behave in cyberspace—modifications to the existing legal framework for cyberspace must be made that make it easier for the private sector and the government to cooperate more fully in cases of major security breaches. Only together can the public and private sectors secure the Internet (and those who rely on it) from malicious behavior.
The National Security Implications of an Undefended Cyberspace
Hacking has been a perennial problem for most Internet users. Initially, the problem was ancillary to the benefits enjoyed from using the Internet and the technological innovations that were spawned in the tech space over the years. Today, however, hacking of proprietary data has reached epidemic levels. A “dark web” exists wherein nefarious people from around the world can buy and sell stolen information. Cybercrimes, such as credit card theft and online fraud, cost consumers “more than $16 billion” in 2016. According to a 2017 report from Javelin Strategy & Research, that was a 16 percent increase from the costs in 2015.
The more we use the Internet and other Internet-related technologies, the less secure our data is. Part of the problem is that, like regulations, our ability to defend ourselves in cyberspace has trailed behind the numerous ways we use the technology. On a personal level, most people have “poor password hygiene.” Many fail to take even the most rudimentary measures to secure our data. We also have a stunning lack of education and, therefore, understanding about both the value of our personal data as well as the need to protect that data.
Incidents of “ransomware” cyberattacks have proliferated. These are attacks conducted either by independent hackers or state entities, such as the Russian government, designed to target personal, proprietary data; to steal or gain access to that data; and then demand a lump sum payment from the victim for returning that data to its rightful owner. In 2017, a wave of malicious ransomware attacks proliferated across the world. Ukraine was the hardest-hit nation in the attack, but it also seriously impacted a multitude of institutions throughout Europe and the United States. Using a weakness in the Windows operating system that originally was exploited by a National Security Agency (NSA) program known as “Eternal Blue,” the hackers locked out access to critical systems in American hospitals. At least one surgery at an affected hospital had to be postponed, as the computer system was locked out and the hackers were demanding a payment in bitcoin to hand access to the vital system back to the hospital. Often, victims find it easier to pay their attackers off rather than suffer through what could be years of financial and legal hardship visited upon them by their attackers. In the case of Hancock Health in Greenfield, Ind., the hospital paid $55,000 in bitcoin to hackers who had taken over their systems and demanded payment before returning control to hospital administrators. The lack of proper security, therefore, has made cybercrime a lucrative industry.
All of this is mere digital window-dressing, however. Very often, such attacks are trailblazing events for other, more nefarious, groups looking for more than money. Rival states, such as China, Russia, Iran, or North Korea, encourage cyber-criminals in their own countries to perpetrate such wide-ranging attacks in order to “map” the digital infrastructure of their rivals (such as the United States). Using third parties, like criminals, to penetrate the cyber-defenses of a country like Ukraine or the United States, rival governments can then take the data and experience gleaned by these criminal actors and apply them to their larger cyberwarfare strategies against America.
In 2016, a shocking cyberattack occurred in Ukraine in which the Ukrainian power grid’s control system was essentially hijacked by unknown assailants (presumed to be Russia); commands were input by the hackers to shut down more than 30 power substations, and then, for good measure, the hackers changed all of the passwords for the system administrators, making it even more difficult to recover from the attack. But, as analysts proved, the attack did not simply happen overnight. It was done over the course of a long period of time, involving countless actors, some of which were undoubtedly related to a nation-state, but some of which may have been criminal organizations. And, while power was ultimately restored, the fear among American security specialists was that Ukraine’s power grid was far better protected from cyberattacks than the power grid of the United States. For example, the Ukrainians were able to restore power in a timely fashion because they had manual backups in the power stations to ensure that if they ever lost digital access to the controls, they could physically override hackers from the substations affected by a cyberattack. In the United States, there are no manual overrides. If a system is compromised and our defenses are overcome, the country could literally be thrown into darkness.
Meanwhile, Chinese cyber-warriors have spent years cultivating and employing the methods and capabilities to electronically infiltrate, target, and exploit other advanced corporations and foreign companies in order to gain access to their proprietary data. In fact, in 2013, the Chinese government was responsible for the largest data breach in U.S. government history. At that time, a group of Chinese government hackers broke into the Office of Personnel Management database and stole millions of personnel files on U.S. citizens who either had been employed or were employed at the time by the U.S. government. It was believed that this would help the Chinese government ferret out any U.S. spies in their midst while allowing Chinese spies to target influential individuals within the United States.
Today, China has become such a potent technological power that KPMG believes Shanghai will eventually displace Silicon Valley as the world's leading technological innovation hub (China is second to the United States and gaining rapidly). Toward that end, China's best-known tech giant, Huawei, has come to pioneer research into the burgeoning 5G internet sector while also becoming a key global provider to other critical tech services. Yet, much like China's overall rise, the growth of Huawei has understandably caused consternation in some quarters, notably Washington, D.C. For example, the line between the private sector and the public sector in China is blurred. Often, the ambitions of China's corporate leaders are inextricably bound to the geopolitical desires of the Chinese Communist Party. In the ongoing trade war between the United States and China, Huawei has become a political hot potato, as Washington exerts increasing pressure not only on the Chinese tech giant, but also on those allied countries, such as Germany, who do business with Huawei. The Chinese tech giant has already been caught red-handed working against democratic dissidents in places like Zambia, where the autocratic ruling party is a client of the Chinese firm. Meanwhile, the Europeans continue doing business with Huawei, despite the pressure and warnings from Washington, potentially putting at risk the private data of the users of Huawei products. And, given the defense ties between various European governments and the United States, the data security of American interests could be jeopardized by European states who insist on using Huawei technology. The concern is that Huawei routinely compromises the privacy of the countries that use its products in an attempt to gain leverage, not only over its foreign corporate rivals, but also over rival governments on behalf of the Chinese government.
Also, the Russians may have exploited fundamental weaknesses in the U.S. election system in order to sow chaos in the contentious 2016 presidential election. This would never have been possible had the U.S. government taken data preservation and protection more seriously. North Korea infamously used its own cyberattacking capability to lay siege to Sony Pictures in 2013, before the studio could release a highly-anticipated comedy about Kim Jong-un, the North Korean dictator. Sony had spent $74 million to make the movie. Given the big names attached to the project, the film could have made a decent profit for the studio if not for North Korea's interference. But, in the aftermath of the North Korean cyberattack, it is believed that Sony lost $30 million. Sony also lost face as the private correspondence of Sony executives was aired to the world. Iran has spent much money on its own cyberwar capabilities, targeting American banking and infrastructure, in order to disrupt and confuse the civilian population of the U.S., as a means of stymying the American military’s freedom of action to conduct attacks or to threaten Iran directly.
In fact, the security situation is so bad in cyberspace that one senior official from the U.S. Cyber Command complained to me in May of this year that, “Everyone keeps talking about a new cold war. But, my people and I are living in a hot war, right now, each and every day!”
Lack of Communication: the Private Sector and Government
The Sony hack highlights a larger problem in cyber policy and data protection. Had it not been for the leaks of the hack that the North Koreans themselves disseminated to the public in the form of embarrassing emails from Sony’s higher-ups, the world would have been unaware that Sony was so badly compromised. Similarly, many corporations that have sustained deeply damaging cyber-attacks, such as Target or Home Depot, are hesitant to publicly disclose news of the successful attacks lest that news damage the value of their company.
What’s more, if a private entity, such as Sony or Home Depot, endures a devastating cyber-attack, there are no regulations in place that would force those companies to warn the public about the attack. Lack of public warning could encourage more attacks. And, since private companies often take the path of least resistance by giving in to the demands of hackers without alerting the public or authorities of their plight, your personal data could be exposed on the “dark web” without you ever taking action to defend yourself in cyberspace. Just as the practice of paying ransom to the Barbary Coast Pirates often proved, paying ransom to cyber-attackers will only encourage greater cyber-attacks, cyber-attacks that will ultimately become impossible to either cover up, pay off, or ignore.
Then there is the matter of American tech firms' willingness to do business with hostile foreign governments, such as those in China or Russia. For example, in 2016, in order to secure a contract with a Russian firm that tests software for the Russian military, Hewlett-Packard allowed for elements of Russia’s military to review the source code for the Pentagon’s ArcSight System. HPE’s ArcSight program basically defends the Pentagon’s critical networks. The program is also used to defend the sensitive computer networks of leading private companies. Because of HPE’s desire to win a contract with Russia, they effectively compromised the cybersecurity of the U.S. military and threatened the economic vitality of a host of powerful American companies.
The Way Forward
Last year, a disturbing report was circulated by the Government Accountability Office (GAO) entitled, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities, in which they determined that (as the subtitle of their report suggests), the Department of Defense is only just now beginning to understand the extent and nature of the threat the U.S. faces in cyberspace. The intensive GAO report is damning of Pentagon practices and policies surrounding cybersecurity. For example, it would appear that the Pentagon suffers from the same ignorance that most Americans do regarding basic cybersecurity.
As Fred Kaplan outlined about the cybersecurity failures of the Pentagon, “red-team hackers have correctly guessed administrators’ passwords in as little as 9 seconds. In many cases, weapons operators have received software updates to patch vulnerabilities—but haven’t installed them. Rarely do the operators log files to look for hackers. In many cases (and this may be most inexcusable of all), programs for ‘logistics, personnel, and other business-related systems’ are ‘connected to the same network as weapon systems.’” So, every aspect of American society has been digitized; every citizen, corporation, and the military has become nothing more than highly-valuable data points in cyberspace. Yet, few have taken even the most basic steps to defend that sensitive and proprietary data. Our enemies know this and routinely exploit these fundamental weaknesses.
The solution, though, is not to blow up our computer networks and return to a pre-digital age. Instead, our policymakers must work to understand the nature of cyberspace. Like the other strategic domains, cyberspace has its own “key terrain” that can be attacked from, used to defend, and exploited. In 2010, the Obama Administration allowed for the creation of U.S. Cyber Command (CYBERCOM). This was an acknowledgement of the importance of cyberspace for American security and continued strategic dominance. Yet, very often, CYBERCOM is given short shrift as it reports to leaders and policymakers with little understanding of the digital environment. There have been proposals to create an independent, sixth branch of the United States military—the Space Force. Perhaps Cyber Command should be placed under the aegis of this proposed Space Force as well, since the two strategic domains of space and cyberspace are so inextricably linked. Then, perhaps, cybersecurity and national data protection would be given the credence they deserve.
Meanwhile, those private companies developing technology for the military must be made to better comply with higher security standards. There should be rules written into the contracts that companies, such as HPE, sign with the government wherein those companies (and their subsidiaries) would be barred from conducting trade with foreign governments, particularly hostile ones, such as those of Russia, China, Iran, or North Korea. Further, organizations, like the tiny innovation shop in the Pentagon, known as the Defense Innovation Unit (DIU), must be given greater resources to enhance their relationship with the tech sector; systems must be created to allow for private companies to discreetly alert authorities when massive cybersecurity breaches involving our data occur.
Lastly, the U.S. must develop a comprehensive cyber warfare doctrine whose intention is to protect our country’s critical data by deterring adversaries in the strategic domain of cyberspace. While the United States still possesses an inordinate amount of capabilities and advantages in cyberspace, the fact that cyber warfare capabilities have so readily proliferated to all parts of the globe means that conventional models of deterrence will not suffice. As the U.S. government works with its ordinary citizens and its corporations to enhance cybersecurity, our military and political leaders must think about developing a more offensive stance in cyberspace. Again, the Barbary Coast Pirate example comes to mind. Weakness is provocative whereas strength deters. Under present conditions, American rivals in cyberspace do not believe American defenses are strong in this important strategic domain. So, perhaps, the United States military should develop a wholeheartedly offensive cyber warfare doctrine, similar to what the French military recently created.
We have already seen how bad actors in cyberspace misuse and abuse the lawless nature of cyberspace to attack and manipulate our sensitive data. Current policies have not worked in deterring this pernicious behavior. In fact, they’ve exacerbated the bad behavior. This is likely because current U.S. military responses to cyber-attack are insufficient. The likes of Russia and China, along with their allies in international criminal circles, will leave important American institutions alone only when they realize that the costs of attacking America outweigh the benefits. Right now, the United States lacks a coherent, coordinated national strategy for responding to and, better yet, preventing cyber-attacks against the country.
To continue on our present course invites catastrophe—a “Cyberspace Pearl Harbor.” As technology continues to evolve, the value of data grows to the user, to companies, and to nations seeking to steal or exploit it. Despite its growing importance, though, the United States generally continues behaving as if cyberspace is a primarily American-controlled strategic domain. It is not. And, it has not been so for some time. Americans must stop treating their data as an afterthought; something to be given away, ignored, and allowed to be destroyed or stolen. In this critical moment of technological development, the United States can ill afford to continue operating under its current policies. There is a cyber war currently occurring for control and influence of our precious data. Right now, the Americans are losing. But, by enacting sensible strategies and getting our government and our high-tech firms to work more closely together in the area of cyber-defense, the threat can be mitigated over time.