New U.S. Cyber-offensive Policy

The White House issued a warning to foreign adversaries last week that offensive cyber operations are now a part of the US defense arsenal. The new strategy clobbers the difficult rules that the Barack Obama administration imposed on offensive cyber-activity, back in 2012.

The Obama-era policy required the military to consult with the State Department, the intelligence community and as many other agencies as could be reached before mounting a cyberattack, which essentially guaranteed that we would never mount a response to a cyberattack by anyone.

This new policy gives the military substantially freer rein to address incoming warfare attempts in much the same way it does now regarding physical attacks. As a result, we may finally begin to progress against the rising tide of asymmetrical cyber-warfare that we have been fighting for the last 10 years.

The new cyber strategy places the US on a greater offensive stance against threats, and national security adviser John Bolton was delighted to announce to our adversaries that the U.S. is now ready, willing and able to respond to threats in cyberspace.

As followers of this blog know, I have consistently taken the view that the U.S. is attacker-defender asymmetric in 4 major categories of cybersecurity readiness, which has put us in an extremely vulnerable position with respect to our ability to counter any serious threats from international state sponsors of terrorism. These are known as the TIEE: Technology, Information, Economics, and Education.

Economic asymmetry pits a simple malware exploit kit available for $50 on the dark web and a self-taught teenage assailant with a PC and an Internet connection against a bank with a $500 million annual cybersecurity budget, and the teenager wins.

Informational asymmetry sets our siloed and segmented defenses up against masquerading attackers about whom we have almost no information who require very little of their own to be successful. A brute force attack is simple and easy to launch, turns almost all connected devices into an army of network bots and can result in the complete take-down of Internet access across much of the US for an extended period as we saw in the DDoS attack on October 21st, 2016.

Informational asymmetry also results in our continuing failure to identify the exploitation of legitimacy, or to correctly attribute the source or nature of our attackers. We are never sure whether Russia or Iran or China or young Elmer Thompson living in his Mom’s basement down on 17th Street is the actual attacker, and this, of course, dramatically affects our ability to respond or even to develop a policy for response protocols.

As an example, it now looks like China likely recruited the hacker who pulled off the massive cyber-attack on Anthem where 78.8 million consumer records were exposed … but we don’t know that for sure. Seven state insurance commissioners conducted a nationwide examination of the breach over the last 2 years and hired Mandiant to run its own internal investigation.

In spite of uncovering only the apparent source IP address, they concluded that the hack originated in China and began when a user at an Anthem subsidiary opened a phishing email, which gave the hacker access to Anthem’s data warehouse. This was devastating to Anthem and the 80 million covered who lost all of their sensitive PII, but we still don’t know who did the crime.

Anthem has since invested some $260 million into improving its IT infrastructure and beefing up its cybersecurity apparatus, but the insurance commissioners and Mandiant agree that without assistance from the Federal government to hold these threat actors accountable, we will not be able to stop foreign governments from assisting in cyber-attacks of this nature.

As an aside, Anthem settled that matter last year for $115 million.

Resource asymmetry stacks up our small contingent of trained defenders protecting millions of applications and systems located in fixed positions against tens of thousands of unknown global cyber attackers examining tens of millions of dispersed targets. In terms of military tactics, state armies like ours generally fight in an orderly framework while non-state and individual terrorist organizations successfully use guerrilla cyber-methods designed to overcome the disparities in power.

Since we don’t know who we are fighting, and we must defend fixed positions without specific rules of engagement, it is quite difficult to successfully engage, even with this new cybersecurity policy. While I applaud the Trump administration’s courage in clearing the way for the military to make military decisions without State Department interference, we are still stuck with this skewed attacker-defender dynamic.

In addition, infrastructural asymmetry highlights the actual nexus of our physical vulnerability, as the imbalance offers our attackers fixed and aging targets upon which all of us depend for the most basic of functions like heat, light, communication, power, water, food, health and transportation.

Assuming we actually have technological superiority (which, in light of China’s progress with quantum computing, is doubtful), it will be quickly cancelled by the destruction of the electric grid, roads, ports, and food and water supply systems in highly populated areas, which will dramatically impact the economy and affect our national morale, while our attackers neither require nor depend on any infrastructure beyond the Internet and the dark web.

Lacking a unity of purpose, we compound our imbalances. We have no idea who the enemy is, and we possess only a vague notion of why we should be engaged.

The last time this happened, we fought a brutal war in a little country called Iraq.

If asymmetric warfare doesn’t give us enough to worry about, we are also surging ahead with IoT (Internet of Things) device integration in all aspects of our daily lives. We are adopting increasingly complex mobilized access via our smartphones, our clothing is now connected, and we will soon be adopting driverless vehicles.

All of this technological advancement creates scores of new attack surfaces that we are not sufficiently addressing as we rush new products out the door. With the billions of objects that are expected to be networked within the next few years, issues of identity and trust, data protection, access control, and device control should all be areas of grave concern, not just for business, but increasingly for public sector agencies and personal safety as well.

Our failure rate in combating ransomware is a small example of how poorly we have been coping with the onslaught thus far. Imagine the terrifying convergence of ransomware and the expanding IoT, raising questions like: how much would you be willing to pay to regain access to your TV programming, your refrigerator, your baby monitor, your car, or your defibrillator?

Today, over 75% of hospital network traffic goes unmonitored, putting connected devices with access to sensitive patient information at risk. Think about that number the next time you are being wheeled into surgery.

Do you think the future of cybersecurity defense will be [a] harder or [b] easier? And, given that in spite of increased spending of 15% per year on cybersecurity to the tune of $89 billion in 2017, our current success rate diminishes steadily year over year (36% more successful breaches in 2017 than in 2016), do you think we will be [a] more successful in the future, or [b] less successful?

If we continue to approach cybersecurity in isolated product silos the way we have, we will end up where we are today, only less safe and increasingly less protected against future threats. So much is at stake now that I look forward to future RSA Conferences, not with the hope or expectation that we will see some shared vision Cyber-Moonshot forming to fight the forces of evil, but rather a glimmer of progress toward the recognition and acknowledgement that we are [1] in a war and that [2] we are losing.

Instead, I fear we will see the launch of another thirty-five venture-backed point solutions based on predictive analytics, advanced data science, adaptive machine learning, artificial intelligence and cognitive piped neural networks that will surely rock those bad guys back on their heels this time and banish them forever into the deep recesses of cyberspace. A handful of investors and entrepreneurs will get rich, yet we won’t be one step closer to a secured business, organizational or homeland environment than we were before.

This new policy is a bold step in the right direction. Many will argue that it is a bold step toward cyber-war and an offensive strategy raises ethical and legal questions. But in fact, we have been in the early stages of a cyber-war for years now without anyone willing to call it what it is. All wars raise legal and ethical issues, and this one will test the outer limits of our tolerance for collateral damage. I’m just hopeful that national security issues have prevented us citizens from having a better understanding of our counter-offensive capabilities in cyber-space, and that we’re really good at this stuff. Based on what we’ve seen so far, the dog don’t hunt.

Because when the lights and heat go off and can’t be turned back on again, it won’t matter a whit whether it was the Chinese, North Koreans, Russians or Iranians who were clicking that mouse, or whether it was in provocation, retaliation or just out of global insanity. The lights will still be off.

Jim Alvilhiera

Vice President - Business Development North American Issuers Cyber & Intelligence Solutions at Mastercard

6 years

This is a must read for all corporate executives whose businesses rely on connectivity and who simply bury their heads in the sand hoping their CISO has it all under control.

Eric Kline

Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant

6 years

Now we need to include security in the basic design of all IT!
