The lecture wraps up with an overview of the principal policy hurdles for the West in terms of implementing proper cybersecurity now and in the future.

Now I will go over the policy hurdles that the West faces (see right-hand image), specifically this country, the United States. This portion of the talk is largely taken from Professor Michael Nacht’s 2011 work called The Cyber Security Challenge. I had the pleasure of meeting him and listening to a number of his presentations at the Sandy Summer Institute this summer.
He was introduced to the group as a living national treasure, and after looking into his history I can definitely see why: he has been instrumental in shaping US policy throughout the Cold War and has so many insights into the inner workings of government, the executive branch and foreign policy, and how everything really comes together. So his insights on cyber security policy, and how he parallels them to nuclear deterrence in the Cold War, are really worth looking into. That’s what we’ll be going over in this section.

So, we face eight hurdles. The number one hurdle he identifies is that we lack a solid declaratory policy (see left-hand image). By that I mean a war declaration policy. We have said we reserve the right to use military force in response to cyber attacks, but there’s no real line drawn in the sand. It’s left intentionally vague. And the problem with specifying a threshold, “if you cause X amount of damage”, is that an attacker will always just do X-1 amount of damage for as long as possible; he’ll asymptotically approach that line in the sand.
So, because of that challenge and everything else, it hurts us more not to have an actual line drawn in the sand, because there’s no unified plan for how we should coordinate in the event of a major cyber attack, whether against our military forces, our command and control systems, our electrical grid or our financial networks; there’s no plan for what we should do or what initiatives should be started in the event of some major attack.

Secondly, there’s no real deterrence policy (see right-hand image). In the nuclear Cold War it was a game of mutually assured destruction: “If you attack us, we’re going to wipe you out and everyone’s going to die”.
In cyber space you can see some parallels, because, say, I have a super Stuxnet. If I attack you, it’s going to be in the wild and somebody can copy/paste it and use it against everyone else. So it requires some finesse in using these weapons, because they’re not like an atomic bomb: once you use them, they’re out there and they can be reused. So it’s a whole different game, but there are some similar deterrence parallels.
But at the same time there’s no attribution at the level there was in the Cold War. If an ICBM were launched, you could detect it from space and from radar systems; you could detect what part of the world it was launched from. With cyber attacks there are proxies, there’s Tor, there are anonymous VPNs, and people could be on their own home turf or in another country while they’re attacking you. Attribution here is very difficult, so that also compounds the deterrence problem and hurdle. And even when attacks are detected, and perhaps even if there is some level of attribution, the damage that was done may not actually reveal itself until later: maybe they’ve inserted a logic bomb that will detonate half a decade or a decade later.

The third hurdle is that there are no well-established policies on who the authorities are to be and what their responsibilities are in the event of cyber attacks (see left-hand image). If one country responded with military force to another country’s cyber attacks, that would indubitably involve some violation of that nation’s sovereignty.
So that throws into the mix all sorts of legal concerns: you have to establish a legal basis to conduct such operations so as not to be seen as the bad guy in the world court. And there’s no real legal basis for initiating military conflict as a result of some sort of cyber conflict; that cyber-kinetic tie isn’t really there. Cyber and kinetic attacks have been used in conjunction, but only after kinetic attacks had already started, such as with Russia and Georgia: when Russia decided to go ahead and invade its neighbor, they just used cyber attacks to supplement their strategies.
And it’s worth noting that establishing these basics for traditional kinetic attacks, traditional military force, takes weeks to months. And in cyber space we all know that things happen in microseconds and milliseconds. So there’s a huge time lag and a speed gap as well when it comes to establishing effective policies. You can have policies where, after we suffer some major cyber attack, we go to our congressional committee and find out what we should do. That’s going to take weeks. So you’ve got to not only clear all these legal hurdles for tying the cyber and kinetic legal problems together; you also have to establish policies that are going to be effective and not suffer from a massive amount of bureaucratic lag.

The fourth, and perhaps, what I can say is one of the most important ones: you have to have policies that guarantee civil liberties. As we’ve seen with the SOPA and PIPA bills, as well as CISPA, they do nothing to solve the problem they declare they intend to solve, and they are easily circumventable. On top of that, they create exponentially more civil liberty problems. SOPA and PIPA do absolutely no possible good being proposed.
CISPA does nothing to protect civil liberties; there’s no responsibility to notify a citizen if their data is mishandled under compliance with the CISPA act. CISPA is the Cyber Intelligence Sharing and Protection Act. It circumvents all these privacy acts, acts which expressly declare that you’re allowed to initiate lawsuits against a company that goes too far in divulging your private information. CISPA, however, allows them to resell and share data with anyone for cybersecurity and other purposes.
So this does nothing to address civil liberties; in some regards it actually does everything to trample on them, although perhaps the original authors of these bills didn’t mean for it to go this way. If you don’t take care to address civil liberty concerns and guarantee that established civil liberties will be maintained, you are going to be exacerbating the whole cybersecurity problem.
Which brings me to the next and related point: you have to set up some sort of effective oversight that ensures civil liberties are being guaranteed, that all these other policies are working, and that doesn’t itself bureaucratically bog down the whole process. You can have an oversight committee that slows everything down by days or weeks. And then there has to be consideration as to which entity should be in the oversight role; perhaps Congress. And we’ve all seen how few Congressmen really even understand the Internet.

Since we’ve just finished talking about sharing information and how to establish policies that do it while guaranteeing civil liberties: the reason for sharing information is to increase situational awareness (see left-hand image). If you’re completely unaware of your situation, you’re completely unable to defend yourself. If you don’t know you’re being attacked, you can’t really do anything to stop being attacked, unless you just get lucky. And we all know that you can’t rely on being lucky in this field.
So there’s a great need to actually share such cybersecurity information, not just at a domestic level, between companies and between government and private industry, but between governments and between countries at an international scale. The US already shares select intelligence on various things with its key allies, but should it broaden the audience for sharing information on cybersecurity?
Perhaps there is a botnet going around that utilizes some 0day and is spamming everything, taking down stuff and perhaps stealing intellectual property. What could the US gain from broadening the audience of information sharing at government levels? Perhaps a lot; however, when you give something, you should always expect something back, so if we broaden the audience, what should we expect to gain from said cooperation?
Perhaps formal treaties could be established in this area as one way to address this challenge, but that may be too constraining and may end up being a bad idea, as treaties often go wrong when implemented. Once they’re ratified, they get misconstrued in law, and everything gets twisted and goes wrong. So it’s an interesting hurdle in itself.

And so, speaking of deterrence: since the Internet is basically worldwide, we do need to share this information with a more global audience to raise situational awareness. We also have to have some sort of collective effort for deterrence (see right-hand image). This is a messy area, because some will argue that the best way to do this is to have universal cybersecurity laws, universal intellectual property laws that span the whole world. I don’t know how realistic that is.

Another policy hurdle is that you have to strengthen private sector and government cooperation (see left-hand image). I think the recent attempt to do that was called the Cybersecurity Act. Compared to the rest it was well-written, because it made express requirements that citizens’ data is not shared with the intelligence community, not shared with the NSA, not shared with the military, and so on, because this act is only for raising cyber security awareness for critical infrastructure.
So, basically, the DHS and FBI will collaborate with critical infrastructure companies: your power grid, your air traffic control, your water sanitation and your traffic control will all collaborate and monitor information. And clearly we’re not sharing our social security numbers and the like with all of these companies, and we’re not usually visiting them on a regular basis, so they are less able to track your data, because you probably pay these bills once a month. So it’s not as intrusive as CISPA, perhaps. It also makes express guarantees to establish least privilege in the bill itself for who needs access to this information, not just: “You can share it with anyone for cybersecurity or other purposes”. Obviously, that’s the worst wording you can use.

He wraps up his wonderful article by saying that we are still in the infancy of understanding cybersecurity (see right-hand image). I completely agree. He says it’s analogous to the late 1940s in the nuclear age; we hardly understood the rules and the game back then. Hopefully it will not take us more than a decade this time as well.

In the future (see left-hand image) we’re probably going to see many more state-sponsored cyber attacks and malware, and then those being repurposed by criminals. There will be more research in honeypots and counterintelligence systems that lure in the attackers and then waste their time; this is my research area. And there’s a lot of push towards globally adopting IPv6, and what this possibly means for attribution; there are a lot of myths about that, but it does help to an extent. So it’s all really pretty crazy.

The main needs of the security world (see right-hand image) at this stage are: we need better situational awareness. A lot of people are arguing that the only way to do this is to improve big data analytics, because if you’ve ever sat on the side of a sys administrator, you know you can’t watch the logs in real time.
There are tools to help you analyze these logs and all the events going on in real time on that network. These tools are pretty helpful, but they’re not that great. So there need to be better tools to analyze the huge, massive amount of data flowing through the network in order to be more situationally aware at any given moment. You can easily understand how that problem worsens the larger your network gets.
There’s also a big push for more threat intelligence; there are actually a lot of companies that sell consulting for threat intelligence. Hundreds, if not thousands, of exploits and vulnerabilities come out every year, but only a dozen or two dozen are actually commonly used by the majority of attackers, mainly for their reliability, ease of use and what they provide. Some vulnerabilities only allow denial of service; others allow remote code execution and privilege escalation. They’re not all the same, so instead of worrying and saying: “Oh my god, everything is so insecure”, a consulting company is going to say: “No, look, you just have to really pay attention to these main ones, secure against these, and you mitigate 90% of your risk. And then you can go back to normal code auditing, penetration testing and security assessment”.
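As an added example, not from the lecture or from Nacht’s paper, here is one way to make the “secure against these main ones and mitigate 90% of your risk” argument concrete: rank vulnerabilities by how often they are observed in attacks, weighted by impact class (DoS versus RCE or privilege escalation), and take the smallest set that covers a chosen share of total weighted risk. The identifiers, impact weights and usage counts are constructed for illustration.

```python
from dataclasses import dataclass

# Impact weights are an assumption for this example: a remote code execution
# or privilege escalation flaw is treated as far costlier than a pure DoS.
IMPACT_WEIGHT = {"dos": 1.0, "info_leak": 2.0, "priv_esc": 4.0, "rce": 5.0}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # placeholder identifier, not a real CVE number
    impact: str         # one of the IMPACT_WEIGHT keys
    observed_uses: int  # how often the flaw appears in attack telemetry (constructed)


def risk_score(v: Vuln) -> float:
    """Weighted risk: how often it is exploited times how bad exploitation is."""
    return v.observed_uses * IMPACT_WEIGHT[v.impact]


def priority_set(vulns, coverage=0.9):
    """Smallest prefix of the risk-ranked list that covers `coverage` of total risk.

    Returns (chosen vulnerabilities in rank order, fraction of risk they cover).
    """
    ranked = sorted(vulns, key=risk_score, reverse=True)
    total = sum(risk_score(v) for v in ranked)
    chosen, covered = [], 0.0
    for v in ranked:
        if covered >= coverage * total:
            break
        chosen.append(v)
        covered += risk_score(v)
    return chosen, (covered / total if total else 0.0)


# Constructed sample feed: a few workhorse flaws plus a long tail of rarely used ones.
SAMPLE = [Vuln("VULN-A", "rce", 900), Vuln("VULN-B", "priv_esc", 400),
          Vuln("VULN-C", "rce", 300), Vuln("VULN-D", "dos", 2000)] + \
         [Vuln(f"VULN-T{i}", "dos", 5) for i in range(40)]

if __name__ == "__main__":
    chosen, frac = priority_set(SAMPLE)
    print(f"{len(chosen)} of {len(SAMPLE)} vulnerabilities cover {frac:.0%} of weighted risk")
    for v in chosen:
        print(f"  {v.vuln_id:8} {v.impact:9} score={risk_score(v):.0f}")
```

With this sample, four of the 44 entries cover roughly 98% of the weighted risk; the long tail of DoS-only flaws never makes the cut.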
Another big need of the security world is more harmony in cyber law. I don’t know how well universal intellectual property laws are going to work, and people, especially policy makers, need to be more aware of how the Internet of Things is really going to impact the future.