Cyber Insecurity

On July 7, FPRI held its fourth intern seminar of the summer. At this seminar, Mr. Lawrence Husick spoke on Cyber Insecurity. Mr. Husick is the Co-Chairman of the Center for the Study of Terrorism at FPRI, co-director of the Wachman Center’s Program on Teaching Innovation at FPRI, and a faculty member at the Whiting Graduate School of Engineering and the Krieger School of Arts and Sciences Graduate Biotechnology Program at the Johns Hopkins University.

Mr. Lawrence Husick began his talk on the admittedly complicated issue of cyber insecurity with a primer on the technological basics of cyber threats. Cyber threats can be executed with a variety of tools including, but not limited to, phishing emails, viruses, worms, rootkits, adware, and ransomware. Each of these tools allows hackers to gain some element of control over the victim’s digital presence. Two examples of such control are inundating the user with advertisements or seizing personal data for monetary ransom. These tools exploit vulnerabilities in software. As soon as a new feature is released, hackers begin looking for ways to subvert it. Mr. Husick argued that with cyber threats, the tools the criminals use are far less important than the motives and goals of the criminals themselves.

The next issues that Mr. Husick discussed were the risks and ramifications involved with cyber threats. He outlined the three primary types of cyber threats: cyber crime, cyber spying, and cyber war. These threats are all executed using the same collection of tools and tactics; their main difference is the objective of the perpetrators. In cyber crime, the perpetrators are ordinary criminals, most often motivated by monetary gain. In cyber spying, the perpetrators are typically state actors seeking data. In cyber war, the culprits can be state or non-state actors, whose goal is to disrupt a society.

Cyber warfare, an issue that seems to defy definition, was the next topic of Mr. Husick’s discussion. He referenced former Deputy Defense Secretary William Lynn and Dr. Olaf Theiler of NATO Operations, both of whom concur that there is no agreed-upon definition of cyber warfare, and thus no effective response. This lack of definition came into play in 2014, when Chinese military officers hacked over 1,000 servers, including stealing 6.5 terabytes of information from U.S. military contractor Lockheed Martin. President Obama met with Chinese President Xi Jinping and indicted five officers involved in the hack. The Chinese government used the lack of definition of cyber warfare to dismiss the indictment and characterize the hack as standard information gathering. China is not the only nation using cyber threats. The U.S. and Israel worked together to create a worm known as Stuxnet to prevent Iran from building a nuclear weapon. The virus was transmitted through infected flash drives that were able to breach the air gap surrounding the nuclear facilities. Stuxnet targeted a specific configuration of industrial computers used in Iranian enrichment plants. It overrode safety controls and made the centrifuges spin to a high velocity, destroying them. These examples demonstrated the increasing damage cyber attacks are able to inflict, and made clear how cyber weaponry could function as a weapon of war between major nations.

Mr. Husick then went on to address U.S. doctrine surrounding cyber threats. Under the current defense doctrine, formulated by former Defense Secretary Ash Carter, a cyber attack on U.S. infrastructure would be viewed as an act of war and any response would be viable. However, cyber threats present a unique challenge because it is so difficult to conclusively identify the culprits involved, and even if they can be identified, counterattacks are equally challenging. Non-state groups of hackers lack the infrastructure that would traditionally be a target for counterattack. Mr. Husick argued that a shift has occurred from MAD (Mutually Assured Destruction) to MUD (Multilateral Unconstrained Disruption). He argued that cyber war is multilateral because it deals with state and non-state actors. It is unconstrained. Cyber warfare does not confine itself to military infrastructure. Just as modern terrorists attack civilian locations like busy streets, cyber attacks often take place on civilian systems. A cyber attack on infrastructure such as a power grid would affect civilians and military alike. In the past, MAD used a Deterrence Response Model, meaning that the threat of future counterattack was enough to deter an attack, but MUD does not have a deterrence model. Cyber attacks make retaliation difficult, undermining the traditional idea of deterrence. Within the cyber world, Mr. Husick argued, unconditional surrender is impossible. Instead, the goal of cyber attacks is to disrupt systems to achieve capitulations to desired political ends.

There are a number of steps individuals should take to increase their own cyber security. Mr. Husick’s advice centered on the idea that cyber security is best left to experts, primarily large technology companies. These companies have a vested interest in keeping their users’ trust and confidence. Companies have millions or billions of dollars on the line, and thus a strong incentive to continually fix problems. To that end, all software should be kept up to date, using only updates from the manufacturer. When possible, one should use two-factor authentication rather than a traditional password. Mr. Husick argued that there is no such thing as a good password, because it is simply not feasible to maintain a long, complex, ever-changing password.

Mr. Husick finished the seminar with his predictions for the future of cyber threats. He predicts that all future wars will use cyber weaponry and no nation will be able to ignore cyber threats. This future will necessitate a new American military doctrine that specifically addresses cyber warfare. Mr. Husick condensed the challenge of fighting cyber threats into a few words: “Attribution is difficult; retribution is even harder.” The U.S. must formulate a way to defend and retaliate against attacks when identifying the attacker is difficult. Mr. Husick also recounted examples of hacks of private companies such as CSX Transportation and Merck. He used these examples to demonstrate that the private sector is falling behind in dealing with cyber threats. Furthermore, computers are increasingly prevalent in everyday life. Supervisory Control and Data Acquisition (SCADA) devices operate industrial processes such as sewers, electric power grids, and gas pumps. The Internet of Things (IoT) functions like SCADA on a smaller scale, controlling home devices such as garage doors, thermostats, and ovens. These devices were created decades ago, before cyber threats were a pressing concern, and therefore lack security. Additionally, more malware has been released in the first six months of 2017 than in the rest of history combined. Instances of cyber attacks are continually rising, and the world is becoming increasingly automated, providing more and more targets for cyber attack. Both the U.S. government and private sector are struggling to protect their citizens, infrastructure, and customers against cyber attack. Mr. Husick did not claim to answer how the world will learn to cope with cyber threats, but it is clear from his talk that cyber insecurity must be addressed.