The Attacker's Advantage and Pervasive Connectivity: Remarks by Michael Chertoff
We are facing a growing and increasingly important area of our national security. We need the innovation of the private sector to keep ahead of the adversary. The attacker's advantage (only needing to be right once) makes it all the more important to stay ahead of the adversary. Thus former Homeland Security Secretary Michael Chertoff opened his address to CyberMaryland 2016. "Things I talked about a year ago aren't even worth mentioning," he said, because they have now become commonplaces. There's virtually no part of our national economy or life that hasn't been affected by cyber security.
Calling for some critical thinking about cybersecurity issues, he began with the obligatory Willie Sutton reference: criminals operate in cyberspace because that's where the money is. Some cybercrimes are variations on physical crime—bank robbery and impersonation, for example. The difference with cyber, Chertoff argued, is one of scale. He cited ATM theft and counterfeit cards as examples: tens of millions of dollars, perhaps hundreds of millions, have been stolen. Funds transfer systems, notably SWIFT, afford criminals the prospect of very big scores. The SWIFT hack at the Bangladesh Bank got away with nearly $100 million; the criminals, had they not been detected while the theft was in progress, would ultimately have netted around a billion dollars.
Data breaches are having major effects on corporate mergers and acquisitions. (He offered the Yahoo! breach as a recent example that's having an ongoing effect.)
There's often a blurry line between cybercrime and state-directed espionage. This can be seen in data breaches. The OPM hack exposed personnel records. "That affects the ability of many people to be confident that their most personal information hasn't been transferred to a foreign power," Chertoff said.
Billions of dollars in intellectual property have been lost to cyber espionage, and state-sponsored hacking has moved beyond espionage to more destructive attacks. The Sony and Saudi Aramco hacks both damaged company systems in expensive ways. The Ukraine power grid hack showed the risk to critical infrastructure.
Attacks affecting our political system represent a new threat. "We hadn't seen that before," Chertoff noted. "We are seeing penetrations designed to get documents that will embarrass people, for political, ideological, or revenge motives. People will become increasingly concerned about their communications, and the possibility that their communications will be distorted or falsified." And of course voting itself could be locally disrupted by cyberattack.
He offered a warning—timely given the widespread Internet outage then ongoing, since discovered to have been an IoT-botnet attack on Dyn—about the Internet of Things. The IoT, with its smart, wireless connections, isn't built with security in mind, and its devices present a large surface area for attack.
He closed with a set of recommendations:
- He noted that the human immune system is a good model for cyber security. "Immunization, if you think about it, is a form of information sharing." That model is a good one for cyber resiliency. You will get sick from time to time, but you can recover.
- Security depends fundamentally on people, not technology. Policy decisions about architecture and privilege are the most important ones you'll face.
- It's important to design security in. Retrofitting security is imperfect and expensive.
- Encryption is important. Email and other business communication are very vulnerable. The cure for that is robust encryption. "We'll more and more see this as a default option."
- "The Internet was based upon a trust model in which everyone knew everyone else." But identity is now critical. The password is an inherently weak identification mechanism. Multi-factor authentication makes it better, but we need to move beyond our existing modes of authentication and identity management.
- We need to be sure we're secure about the sites we use. Russian hackers recently impersonated Google security alerts. Securing that layer will become increasingly important.
- Finally, you've got to look at resilience, critical to our ability to continue to use the Internet.
"Technology is a critical enabler," Chertoff concluded, "but more critical is critical thinking about these issues."
At this point he took questions.
What advice about cyber security would you offer colleges and universities?
His answer was terse: "hygiene."
What do you think of the conflict between advocates of strong encryption and law enforcement?
In this, Chertoff sided, basically, with the encryption advocates. "With proper legal authority, law enforcement is allowed to decrypt anything. Whether they can is another question." He's opposed to backdoors. They endanger everyone. "It's like keeping all doors unlocked in case you have to execute a search warrant on some house." Attempting to weaken or restrict encryption is "also futile." Criminals will frustrate you with better encryption. He drew an analogy from the old days of wiretapping organized crime under warrants. Sometimes people whispered, or played the radio loud, and that defeated the wiretap. He thought metadata, "by definition not encrypted," generally more fruitful and important for law enforcement than the ability to read encrypted content.
Concerning espionage by the Chinese government, what effect did we see from the indictment of People's Liberation Army officers? Did it slow hacking, or change the relationship between the US and China? Should we do more of this?
"It's an interesting question," Chertoff said. "No one believes the officers indicted will be inside a US courtroom. But it seems to have had some effect. It was embarrassing, and we've seen a dialing back. My perception is that the volume has dropped, although to be honest the sophistication has increased." The indictments raised visibility, and a certain naming-and-shaming may have had a good effect.
He then contrasted Chinese espionage with Russian activities. The latter require some serious thought. The US will have to consider how it responds to actions that are intermediate between acts of war and traditional espionage. More and more we see not classic cyberattacks, but information operations designed to recruit, mislead, or influence. "But the problem is we're facing an adversary that doesn't have a First Amendment." How do we follow our principles in an asymmetric world where others don't share them?
The Russians say they want to monitor our elections. How about it?
"I have to laugh. I'd like to say come on over and see how a real democracy works. But sometimes you have to be willing to put yourself under the same standards you apply to others. I'm only being semi-facetious when I say, great, come and observe: God bless, come and do that."
Chertoff doesn't think the Russians believe they can affect the outcome of an election. "They want to point to the US and say, see, that's a democracy, and it's failing." We're in a competition for soft power (he cited the recent tilt of the Philippines toward China). And so, "at some level, you know what, as long as you're not going to interfere with it, come on and see."
Apple refused to help the FBI open the San Bernardino jihadist's iPhone. What do you think of the company's stance in this regard?
After disclosing that he has worked with Apple and is familiar with the case, Chertoff observed that the Government had the phone. "Had they not messed up, there would have been backups they could have used." The Government wanted Apple to help them brute-force the phone—"child's play if you had an infinite number of tries," but not when the phone locks up after a finite number of trials. The Government wanted Apple to disable the iPhone's locking function. Apple said that no, doing so wouldn't be a one-off, but would amount to creating a backdoor in its phones. So really the question is a species of the larger issue of backdoors.
"My general position is this," Chertoff said. "If the company has access to the data, then with the proper legal authority they should turn it over. But they shouldn't be required to weaken their security. Do we weaken the structure of security for the general public because in one case law enforcement wants it?"
Whose law do you apply when you operate in many countries?
The question of handling issues of privacy and data security in an international environment is an interesting and unresolved one. You have multiple sovereignties and multiple legal systems, yet data flows around the world. Which law applies? It's unclear which of any number of neutral principles might be applied.
The US invented the Internet. Why were we pressured to give up control?
"I supported the transition," Chertoff said, "and reported on it pro bono." The function of regulating domain names was previously done by ICANN under a Commerce Department contract. It's now been transferred to a contract with a board of international stakeholders. He thinks it better for civil society to supervise the Internet. This seems likelier to help the Internet live up to its promise of being a global commons, like the sea. Sometimes you enhance your authority by giving some of it up, and he sees this as one of those times.