Cyber strategy: an old story of competition transposed to a new domain.
Director of National Intelligence Coats set the tone for the day's proceedings when he called out cyberthreats as one of the prime, enduring dangers the United States faces. He focused on the exposure of critical infrastructure and the fragility of public trust—how it might be fractured by disruption or disinformation.
How technological progress shapes the strategic landscape in cyberspace.
Robert Joyce, White House Cybersecurity Coordinator, described what he characterized as the "five revolutions." These are, first, the invention of the personal computer; second, the emergence of the Internet and the World Wide Web; third, the development and general adoption of the smartphone; fourth, cloud computing and ubiquitous connectivity; and fifth, the explosion of the Internet-of-things.
He made these familiar points with some striking facts. In In 1984 1000 machines were connected; by 2017, 3.77 billion users were connected.
We experience a vastly expanded attack surface composed of "vulnerabilities in things we don't even know are there." We need resilience, but we also need deterrence and credible imposition of costs. We're working on international norms, but such norms don't for now, have consequences associated with their violation.
"From ransomware to Russia." Organizing for strategic response.
A panel moderated by Cylance's John McClurg and composed of Michael McConnell (BAH), Christopher Krebs (NPPD, DHS), Ambassador Sorin Ducaru (NATO), and Rick Ledgett (former Deputy Director NSA) also called out Russia and North Korea, the former for information operations, the latter for state-run cybercrime.
McConnell described the history of the Department of Defense, which was formed after the Second World War to overcome Service fragmentation by unifying them into a single Cabinet Department. But, he said, the Department didn't make serious inroads into solving that problem until the 1980s when the Goldwater-Nichols Act effectively required the Services to take "jointness" seriously. He thought the Intelligence Community might be able to learn something from Goldwater-Nichols. Two things McConnell would do at once would be to make NSA "the DARPA of cybersecurity" and then compel intelligence sharing among organizations.
Krebs, describing the interconnection between the cyber and physical worlds, said he didn't know why adversaries wouldn't hit the US now. The US is "down," right now, with Hurricanes Harvey and Irma. Natural disasters of this magnitude also present the adversary with opportunities to disrupt an already stressed infrastructure. He praised the cooperation of power utilities nationwide in physical response to the storms ("a thing of beauty"), but said "we're not yet there in cyber." Lessons from Irma and Harvey will unquestionably inform national policy. We must push more collaborative information sharing.
Ambassador Ducaru, responding to McClurg's invitation to give the NATO perspective, said that the Atlantic Alliance had for some time—about ten years, beginning with the Russian cyber campaign against Estonia—understood cyber to be an issue of policy and strategy, not just a technological problem. 2007 (Estonia) and 2014 (Crimea) were the two great milestones in NATO cyber policy. The Alliance has developed cyber protection for its own networks. It performs threat intelligence and analysis, and it's now blending technical analysis with intelligence.
As the panel closed, McConnell looked back on his own tenure as Director of National Intelligence and wished he'd been bolder. He urged clarity in coming up with an answer to what he took to be the central question we face: who defends nation against cyberattack?
How strategy looks through two of the other Five Eyes.
Conrad Prince, UK Cyber Security Ambassador, began his presentation with a good natured and ironic review of some cryptologic history going back to the American Revolution, including interception of General Washington's plans for kidnapping George III's heir. (Nice words about the Special Relationship suggested all had been forgiven.)
Internet use is pervasive throughout the UK. It's one of the most Internet-dependent nations in the world, Prince argued, and he outlined the serious consequences of cyberattacks on businesses and ordinary people. HM Government is committed to building international norms in cyberspace and developing confidence-building even as it builds capacity. The UK strategy calls for a single national cyber authority, the National Cyber Security Centre (NCSC), operating from within GCHQ.
Dr. Tobias Feakin (Australian Ambassador for Cyber Affairs) began his account of Australian cyber priorities by asserting the remarkably close and intertwined nature of Australian and US cyber efforts. (His presentation slides indeed coincided with Joyce's.)
The remarkable progress of the online world and the rapid spread of computational power worldwide have induced a comprehensive shift from cyber being a niche issue to being absolutely central. "Nations have traded, fought, collaborated throughout history. They're now doing so in cyberspace."
The Australian Government has undertaken its cybersecurity responsibilities, Feakin said, in full cooperation with the private sector. The Australian "mantra," as Feakin called it, is "global in perspective, regional in focus." The strategic goal is strong cyber security resilience for Australia, the region, and the globe.
Feakin thought that encouraging responsible state behavior in cyberspace is a challenge, and Australia is working to meet that challenge through the UN, through bilateral agreements, and through transparent dialogue. As desirable as norms are, they can be difficult to "make stick." Australia tries to work as positively as it can, but it's also openly acknowledged that it has an offensive cyber capability. (This is an example of transparency.) The overarching Australian strategic goal is a cyberspace that's free, open, and secure.
The threat to critical infrastructure.
Charles Carmakal, of FireEye's Mandiant unit, continued this discussion in his keynote on threats to criminal infrastructure. The US has been fortunate, he said. "Those able to attack critical infrastructure have lacked motivation, while those with the motivation have lacked capability." But we must not count on this continuing—motivations shift, and capabilities advance. He described current trends among threat actors (and for Carmakal, like Coats, Russia leads the pack).
Russian operations against Ukraine form an instructive case study, Carmakal noted. NotPetya turned out to be a Russian attempt to inflict pain on Ukraine, not the ransomware attack it initially presented itself as. The attack involved malicious versions of widely used commercial software. Any company doing business Ukraine must file taxes, which effectively means using one of two tax software products. Russian actors corrupted the update process of one of those products, thereby infecting systems with NotPetya. The infestation spread rapidly across the world.
The earlier attacks on Ukrainian power distribution in 2015 and 2016 could have been effective against Western grids, Carmakal observed.
Turning to the Chinese cyber threat, he observed that Chinese government actors have gained access to OT networks. China could have used access for disruption, but lacked the motivation to do so (and also, Carmakal said, recognized that such disruption would have amounted to an act of war).
Iran, the third state actor that's shown some disposition to intrude into critical infrastructure, was initially sloppy, but has recently been seen to improve its game significantly. It's conducing a great deal of economic espionage today. And there's been one episode of Iranian taunting and doxing directed at US infrastructure. Shamoon, of course, was an Iranian action against Saudi oil production that enjoyed significant success. So Iran has developed the capability to be significantly disruptive.
North Korea, the final major state adversary, has shown some quiet capability against infrastructure, but, "oddly, they've not acknowledged their successful hacking."
Hacktivists are generally far less capable than states, Carmakal said, but they can't entirely be disregarded. He reviewed the "Tesla Team's" action undertaken as a protest against gold mining. Tesla Team did succeed in disrupting mining operations, and they could have done much more harm than they actually accomplished—they had penetrated the mining operation's SCADA environment. (Following a familiar evolutionary path, Tesla Team has turned from hacktivism to conventional, financially motivated crime.)