The shutdown of the federal government is likely to ratchet up the dangers of the Internet, but the actions of nation-states, criminals, and rogue actors, such as terrorists, already are sufficient to worry even the most hardened of cyber warriors.
“It is very concerning to me that we would allow any part of the national security structure … to shut down,” said Gen. Michael Hayden, former director of both the National Security Agency and CIA. “Our adversaries are trying to fill the hole.”
Panels of experts convened by the Washington Post and Lockheed Martin’s Cyber Security Alliance last week all agreed that the Internet landscape is becoming a more dangerous place for government agencies, companies, and ordinary citizens.
“There are layers of threats, nation-state actors coming at us,” Hayden said. “For the most part they want to steal stuff,” whether it is a government’s negotiating position on a trade treaty or the design of a new product. “We steal stuff – I admit that – but we do that to protect citizens, not to get rich.”
Beyond concerns about China, or Russia, or India, or any country looking for a competitive edge through industrial espionage, Hayden warned, new threats are trying to cause damage, not just commit theft. As an example, he pointed to last year’s attack against Aramco, the Saudi national oil company, in which hackers erased 35,000 hard drives.
“I think people need to understand that in the last 12 months there’s been a qualitative change,” said Craig Mundie, senior advisor to the CEO at Microsoft. “Threats are moving to destructive attacks. Unlike conventional weapons, every time someone shoots one of these [cyber] weapons, the bad guys get to watch it, then clone it. The capability escalates globally very rapidly.”
And companies are not able to strike back. Several panelists warned that vigilantism is illegal.
“It’s illegal to chase bad guys up the wire, even if you have the capability to do so; it’s illegal to shoot back. … There is no legal self-defense [concept],” Mundie warned.
“Over 80 percent of our networks are private sector networks. Companies do have the capability of chasing you up the wire, but [the bad guys] can come back, not perhaps on you but your weakest link,” said Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee.
Rogers said the challenge is finding the right balance in the “offensive defensive posture,” that is, how aggressive to be in defending networks.
“I worry about this debate. We’re slow to the party and we’ve got to shake ourselves,” he said. “We need better policies, better authorities, and [to understand] what does an offensive operation look like when it’s for the purpose of defense.”
Panelists agreed that computer hygiene – measures running from installing software patches as soon as they are issued, to keeping firewalls in place, to adopting two-factor authentication – will protect computers from 80 percent of malware lurking on the Web. If computer users, whether at companies, agencies, or in their homes, would attend to those basic measures, it would allow resources to be concentrated on the 20 percent that are new, unique, most sophisticated, or most damaging.
From a national security perspective, Hayden noted, “the essence of ‘sigint’ – signals intelligence – is vulnerability. Both offense and defense hinge on vulnerability. What do you do, patch it or exploit it?”
He said intelligence agencies look at the issue differently than others concerned about cyber security.
“[I]f a vulnerability requires substantial computational power, who else can do it?” Hayden said. “If you still need four acres of Cray [supercomputers] to exploit it, we’re not ethically or legally required to patch it.”