By Hank Thomas
Co-Founder and COO at Strategic Cyber Ventures
In the 21st century, America no longer needs to go abroad to destroy the monsters that threaten our way of life. The monsters we once had to hunt in far-off lands now stalk American soil, poised for attack. They colonize America through new domains, outside of traditional infiltration methods and warfare. The most lethal enemy America faces today is using cyberspace to establish a virtual footprint from which to drain capital, expand influence, conduct espionage, and build platforms for future operations, including destructive physical attacks. America's enemies create and control the digital forces that storm the virtual beachheads they have established on our networks from the safety of protected foreign sanctuaries, often in collusion with regimes diametrically opposed to the values and prosperity of the U.S. and other western democracies. Monsters no longer need to set foot on our shores, and America need not cross land or sea to fight them. The monsters are already among us.
Long before the internet, foreign governments and criminal syndicates attempted to penetrate U.S. business and defense organizations for reasons ranging from profit to wartime espionage. Fortunately, even given America's open society, this was a mostly arduous task that usually required trained humans on the ground an ocean away from home. It simply didn't scale. Once the U.S. Department of Defense (DoD) launched the Advanced Research Projects Agency Network (ARPANET) in 1969, initially connecting four research sites in the western United States, we began to create one undefended virtual entry point into our country after another. At first slowly, but as systems across the U.S. rapidly connected to the internet, the opportunities for access to U.S. information and systems grew with them. We were creating landing points along our digital shores that were mostly undefended, highly lucrative, and of course very inviting.
By the end of the 1990s, the virtual beachheads into American society were gaining significant traction, and the effects of the forces storming them were beginning to be felt. So much so that in 1997 the Department of Defense ran a major no-notice wargame, Eligible Receiver 97, in which a National Security Agency (NSA) red team assessed how vulnerable government and military computers were to a cyberattack. The exercise made clear to the U.S. national security community, for the first time, that the country was vulnerable at almost every level to cyber invasion and attack. In December 1998, the DoD established the Joint Task Force-Computer Network Defense (JTF-CND) to defend the department's networks and systems from intruders and other attacks (Healey & Grindal, 2012). Since then, our reliance on networked systems, and the volume of our most valuable and sensitive data stored online, have grown by orders of magnitude that the creators of ARPANET, and of the internet we know today, could never have predicted or planned for.
Enemy nation-states and cyber criminals are now present in every major industry and government agency across American society. And it is not just generals and admirals who are concerned about these threats. The front lines have bled into every corner of America, and the targets of foreign militaries, criminals, and terrorists could now be any connected device (a cell phone, a refrigerator, a smart fish tank) for innumerable military or criminal reasons. The enemy increasingly focuses on seemingly innocuous targets as footholds, using them to move laterally across our networks toward the assets that deliver the effect they actually want.
American national security in the 21st century is witnessing a paradigm shift in traditional warfare, as the cyber domain provides an unfettered landscape in which enemies can bypass U.S. borders and defense mechanisms entirely. This revolution in modern warfare significantly erodes the security advantage the U.S. has historically drawn from its geographic isolation from global threats. Senior government officials and military leaders must respond accordingly and adapt the way we approach national security. A strategic mental shift from physical, kinetic warfare to conflict in cyberspace and across the electromagnetic spectrum (EMS) is essential for American defense. However, because cyber-attacks can quickly spill into the physical realm, or simply enable or complement traditional land, air, and sea forces, cyber capabilities must work in close coordination with both defensive and offensive traditional forces. Last December's power outage in Ukraine was the second time in two years that hackers had taken down portions of Ukraine's power grid. These blackouts came alongside ongoing kinetic military action by Russian forces against Ukraine. While a physical military force will always be necessary, the American military must drastically increase its cyber defenses in order to keep our determined virtual enemies at bay.
Former NSA director Vice Admiral Mike McConnell (2015) identifies a coordinated cyber-attack on the underlying financial infrastructure of the United States and the western world as "the most significant threat to our national security" (1). Importantly, it is not "the thievery of the data itself" from American financial systems that represents the major threat. Instead, it "is a perpetrator with purpose, who could cause our financial infrastructure to collapse." A cyber-attack of this magnitude, targeting the financial system as a whole, could destroy the "hard" infrastructure, the servers, routers, networks, software, and fiber optic cables through which stocks are traded, bonds are purchased, money is deposited, and derivatives are initiated and settled. More damaging still, such acts could weaken or destroy the "soft" infrastructure, the vulnerable underbelly that keeps financial transactions flowing: credit built on trust. By disrupting the flow of financial transactions and shaking international confidence in the U.S. financial system, such an attack could trigger a large-scale market crash, with inestimable multiplier effects reverberating throughout the entire economy.
The American election system felt similar effects during and after the 2016 presidential election. While there is little proof that the physical voting machines themselves were hacked, there is evidence that attempts were made to subvert the supply chain behind the voting machines we rely on in an effort to compromise them. And at the recent DEF CON hacking conference in Las Vegas, competitors were able to breach the software of voting machines used in U.S. elections in short order. Overwhelming evidence also points to significant and successful social engineering, carried out through information operations and espionage by the Russian security services in an attempt to influence our election process. At Berkshire Hathaway's 2017 annual shareholders meeting, Warren Buffett stated, "I'm very pessimistic on weapons of mass destruction generally although I don't think that nuclear probably is quite as likely as either primarily biological or maybe cyber." Buffett continued, "I don't know that much about cyber, but I do think that's the number one problem with mankind." Buffett's comments came the day after thousands of documents from Emmanuel Macron's campaign were dumped on Pastebin, two days before the second round of the French presidential election. Considering that America and the vast majority of the world depend entirely on the cyber domain to operate, every institution and government that forms the foundation of our democracy and economy is vulnerable and perpetually under assault. For well over a decade, many experts predicted this rise in hacking and in the distribution of state-backed propaganda and fake news, based on studying Russia's increasingly aggressive information warfare campaigns (Trend Micro Corporation, 2016). The barrier to entry for cybercrime is lower than ever, and no sophisticated code is needed; one needs only a Facebook account and devious creativity.
While America should not focus solely on the cyber domain moving forward, cyber must become an integral part of every policy, political, and security discussion. In certain business verticals, cyber has already become a critical part of most C-level conversations, as the financial impact of cyber-attacks on businesses is increasingly more than a rounding error or a minor hit to the brand. The long half-life of a breach can damage a business or federal institution for years. In no other warfighting or criminal domain can an adversary so quickly develop weapons (known as tools or exploits in the cyber domain), deliver them at network speed, and easily target valuable or critical government and institutional assets. The federal and military spaces must therefore move in concert with their financial counterparts to heighten defenses against foreign adversaries. While oceans separate America from many physical global issues, the cyber domain has virtually bridged that distance, and the enemies are now among us.
Questions remain about the increasingly interconnected global economy and the dampening effect it will continue to have on nation-state-sponsored cyber military operations. Unlike a conventional military strike, damage to the financial infrastructure affects not just Americans but the entire international financial system. Applying the logic of mutually assured destruction, one might ask: "Why would China, or even Russia, try to damage an infrastructure that is vital to their own economic well-being?" That reasoning provides very little insurance against full-scale global cyber war. While it is worth considering, and ideally reduces the likelihood that a state actor significantly tied to our economy would target our financial system, it does not rule out the possibility. Adversarial countries can loosen these dependencies over time by cutting their ties to the U.S. economy through various economic levers, or abruptly through physical military attack. Moreover, with growing cyber capabilities in states like North Korea, and in non-state actors with an anarchist agenda, the list of monsters not tied to the global economy and readily capable of cyber-attack is longer than ever. Regardless of dependent ties to American institutions, the country's industry and government leaders must respond to these ever-present monsters.
There are many strategic security priorities that America must pivot toward in the 21st century, and cyber defense and warfare are the most urgent. They are also by far the most complicated to address, because of the anonymity the domain affords its actors and the complexity of the underlying computer science. The nature of warfare has changed, and the speed at which information and weapons can reach their targets is greater than ever. To protect our homeland, corporate networks, financial systems, other critical infrastructure, and the basic foundations of our democracy such as our election system from imminent threats, we have no choice but to aggressively hunt, deceive, divert, contain, and destroy the virtual monsters already among us and those that continue to storm our virtual shores. Strong cyber-security for business networks can mean the difference between a business's success and failure, which is why regular penetration tests matter, as detailed here: https://www.bridewellconsulting.com/what-exactly-is-penetration-testing
Buffett, W. (2017, May 6). Remarks at Berkshire Hathaway's annual shareholder meeting, Omaha, NE. Retrieved from http://thehill.com/blogs/pundits-blog/technology/333026-warren-buffetts-cybersecurity-wake-up-call-are-we-listening.
Healey, J., & Grindal, K. (2012). Lessons from the First Cyber Commanders. Atlantic Council. Retrieved from http://www.atlanticcouncil.org/blogs/new-atlanticist/lessons-from-the-first-cyber-commanders.
McConnell, M. (2015, October). Cyber Threat. Speech presented at the Booz Allen Hamilton Global Executive Summit, Washington, D.C.
Trend Micro Corporation. (2016). Operation Pawn Storm: Fast Facts and the Latest Developments. Retrieved from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-pawn-storm-fast-facts.