There are strong arguments to be made that we are currently in a low-intensity cyber war. If the damage North Korea did to Sony had been done by kinetic means undoubtedly some would have been calling for strong military retaliation, possibly even a kinetic attack. The U.S. has issued sanctions on Russia for interfering in our election. Based on the vulnerabilities of our voting infrastructure it could have been worse. It was recently revealed that a foreign government thought to be Russia has been preparing cyber-attacks against our power grid and other utilities. Numerous public figures and journalists have declared that we are now fighting a cyber war.
Georgia Tech lost 1.3 million records. Arizona Beverages USA was unable to sell product for at least 5 days. Baltimore City suffered an attack that will cost tens of millions of dollars. I could go on and on, but the common theme here is poor IT operations. Georgia Tech had a flaw in a web application. Arizona Beverages was running out-of-support servers. Baltimore City had machines that had not been patched in years. This is not a problem just for those organizations; these are national security problems.
A high intensity cyber war, either as a standalone operation or combined with other types of attacks, could be devastating. Attacks on our critical utilities that are designed not only to bring down services but to keep them down could cause deaths and disruption. Attacks across multiple industrial sectors could be even more devastating. Much as our strategic bombing campaign during World War 2 was designed to focus the raids so that a much broader sector of our enemy’s economy was damaged than just what was bombed, cyber-attacks can do the same. An attack that contaminates a region’s water supply combined with attacks on the transportation and retail sectors would cause drinking water shortages. Disinformation and attacks on the communications industry can magnify the impact of any attack, just like terror attacks are designed to hurt beyond the physical violence.
There really are very few sectors of our society that could declare themselves not to be viable targets. Many small companies, local governments or industries that don’t think of themselves as targets of criminals or other nations are not well protected. Remember that computers are great at scaling, so attacking lots of small organizations would not be too resource intensive for a determined attacker. A foreign military might mount a more damaging attack by directly attacking our power grid, but those systems are relatively well protected. They may be just as effective by going after softer targets. WannaCry, NotPetya, and SamSam come to mind as very destructive attacks for a relatively small investment in resources. An attack that is timed to detonate after it has penetrated tens of thousands of networks would be disastrous. Most companies don’t have the ability to function without their information systems. A slowdown across food producers, transportation, distribution, and retail could severely limit a region’s ability to feed itself.
Should another nation or terrorist group wish us ill, it is unlikely it will launch a limited attack. We’ve seen short-duration attacks that probe how far a nation can go before the U.S. responds. These in no way represent the maximum capability of our major adversaries. The ability to persist in a network, and to think through multiple phases of a sustained cyber operation, is widely available today.
Many nations and non-state actors have the capability and the will to engage us in high intensity cyber war. I believe it is only a matter of when.
In the preamble of the U.S. Constitution there is a phrase, “provide for the common defense,” naming one of the main functions of the federal government. Also in the Constitution are numerous provisions to limit the federal government’s ability to conduct military operations inside the U.S. This constitutional framework has served the nation well for over two centuries. Our country has never been invaded. Our democratic government has never been threatened by military leaders. Except for Reconstruction, Federal troops have rarely been used on U.S. soil.
Cyberwar throws this all into chaos. By design, the federal government has limited ability to defend our networks from foreign attackers. They are limited by law, and as a result the government doesn’t really have the capability to protect our networks. As one FBI agent told me when discussing the help the FBI could provide in dealing with an attack on our network, “we are like vampires, we can only come in if you invite us.” Some states, like Michigan, have begun building cyber capability in their National Guard. The Governor can deploy that National Guard in an emergency where the Federal government cannot. Some states have also developed a civilian cyber corps that can also be called out by the governor in an emergency, just like the governor can call out citizens to sandbag a flooding river. These are great initiatives, but the members of the Guard and civilian cyber corps will also be needed by their companies in a widespread attack.
So, until we change the Constitution, our system administrators and help desk staff are it. Much like the colonial and early days of our nation, when the Federal government was too weak to defend the frontier, we banded together to defend ourselves. We formed local militias that had the ability to defend themselves against those who wished them ill. We now must do the same thing. We must be able to defend ourselves because the U.S. Cavalry will not be riding to our rescue.
What does this mean? We must build defensible IT infrastructure. For years we’ve patched things together, done limited documentation, and underinvested in IT so that what we needed worked. But only that. In very few instances did we build software or infrastructure that won’t fail. It is much more expensive to build systems that won’t fail, and businesses won’t do this on their own when they have tight margins. Regulations can help, but we need to change the culture. When we build buildings today they are sound and safe. Laws, insurance companies, engineering standards, etc. allow us to have great faith that the buildings we work in won’t fall, that fires won’t be fatal and that the air and water in them are safe.
We need IT systems that are robust and securely maintained. That are designed not to fail. That are run professionally, by people who understand their responsibility to society. We need security teams that are resourced to fill the gaps the Federal Government can’t. That can detect and respond to attacks before the damage is done. We need a strong partnership among all of us. We must share information, help each other and work together in a crisis. We must demand better from our vendors, from our government, from our business leaders and from ourselves.
Realistically, it will probably take a 9/11 type attack to motivate us to take some of these steps. But wouldn’t it be nice if we started taking these steps so that a “cyber Pearl Harbor” never arrived? And if we took those steps maybe the “death by a thousand cuts” would only be “wounded by a dozen cuts.”
Another lesson revealed in our Allied Strategic Bombing Campaign during the Second World War is one first voiced in the British Parliament in the early 1930s: that the “bomber will always get through.” I propose the same is true of nefarious cyber attackers. Just as waves of interceptors and anti-aircraft artillery (AAA) were eventually ineffective against masses of long-range bombers, no cyber defense is impregnable.
The State of Maryland’s Defense Forces (state-recognized militia) already has a cyber component. Cyber professionals from the private sector and academia make up the personnel who serve in this capacity. We have exercised their use in conjunction with National Level Exercises where simulated bad cyber actors attacked critical infrastructure under the cover of a hurricane.