19 January 2018

TRUST WAR: DANGEROUS TRENDS IN CYBER CONFLICT

NEAL A. POLLARD, ADAM SEGAL, AND MATTHEW G. DEVOST

This test was an example of the “bytes and blood” scenario that national security analysts generally predict when they talk about “cyber war” or conflict in cyberspace. For most of cyberspace’s short history, defense analysts, policymakers, and many computer experts have been focused on cyber-attacks that cause physical destruction and death. In 2012, for example, then-Secretary of Defense Leon Panetta cautioned Americans that they someday could face a “cyber Pearl Harbor” as a terrorist group or enemy state gained control of “critical switches,” to “derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals.”

However, so far, cyber conflict has taken a different path. While the threat to factories, power grids, and refineries remains — and may be growing as more things are connected to the internet — cyber-attacks have generally sought to subvert the integrity of political, social, and economic systems, rather than destroy physical infrastructure. The most prominent operations of the last year — Russian attempts to undermine the 2016 American presidential election through the hacking of the Democratic National Committee, the release of emails, and the use of fake Facebook and Twitter accounts — were designed to undermine trust in institutions through manipulation, distortion, and disruption.

Cyber-attacks on trust are more worrying than those intended to produce physical effects. Attackers find it easier, and perhaps more effective, to weaken the bonds of a military alliance rather than go after fighter jets, or to corrupt financial data rather than destroy banks’ computers. Cyber-attacks on trust and integrity have a much lower threshold, are harder to detect and deter, and can cascade through interconnected systems.

Cyberspace works when three elements interact: security controls over risks and vulnerabilities to networks and devices; privacy of data on those networks and devices; and trust in the integrity of that data. The U.S. government and private sector have generally put more resources into trying to keep systems online and attackers out, than into protecting and restoring trust. But given the reality of most cyber-attacks so far, to prepare for the next wave of conflict, data integrity and trust must receive far more attention. The United States needs to elevate the protection and assurance of trust to the same level and priority as privacy and controls for cybersecurity.

Doom and Mass Hysteria Have Been Postponed

Though they are the nightmare scenario of defense planners, and have driven the plots of several movies about elite hackers, destructive cyber-attacks are rare. Most attacks are perpetrated to steal data, rather than destroy or damage data or systems.

Just one known cyber operation has created physical damage — the malicious software (malware) known as Stuxnet, which caused centrifuges to spin out of control at Iran’s Natanz nuclear facility in 2010. A less severe instance of cyber-attacks causing a physical outcome came in December 2015, when Russian-based hackers turned off the lights and heat in the Ivano-Frankivsk region of Western Ukraine. The hackers began opening breakers, taking almost 60 substations offline and leaving more than 230,000 residents without power.

States also launch disruptive attacks designed for influence and coercion. In August 2012, hackers infected Saudi Aramco, Riyadh’s state oil giant, with malware named Shamoon. The attack, which was attributed to Tehran, corrupted tens of thousands of hard drives and shut down employee email. Starting a month later, Iranian hackers launched roughly two hundred distributed denial of service attacks on almost 50 financial institutions, including JPMorgan Chase, CitiGroup, Wells Fargo, and HSBC. While the technology used was quite sophisticated, it was directed against online retail banking, temporarily inconveniencing some customers but not affecting the integrity of the financial data.

In November 2014, North Korea reportedly attacked Sony Pictures Entertainment in retaliation for The Interview, a movie that made fun of North Korea’s leader. Hackers calling themselves the Guardians of Peace uploaded five unreleased Sony films; stole terabytes of internal emails, sales plans, salaries, and Social Security numbers; “doxxed,” or posted embarrassing emails from, senior executives; and damaged company servers and computers.

None of these attacks created a significant disruption in operations, or even lasting technical effects on the computer systems that were targeted. The attackers did not primarily seek to undermine users’ trust that networks and computers would be available on demand and that stored data would remain protected, although this trust was incidentally damaged in each case. Bringing down the network was the goal, creating a sense of unreliability an afterthought.

Trust No One

The erosion of trust is increasingly becoming the primary goal of the attack itself, rather than just a collateral effect as in denial of service attacks. In the wake of a hack, an individual can lose faith both in the specific computer systems and in the institutions and values that rely on those networks.

Cyber-attacks on trust and integrity are harder to detect, defend against, and recover from than attacks designed to cause physical destruction or widespread disruption. When a denial of service attack happens, a site goes down and it is pretty clear something has gone wrong. Theft of information is somewhat harder to detect, but existing security tools are often able to determine what data left the system. It is, however, extremely difficult for the defender to know whether an attacker manipulated data or weakened system integrity, and even harder to restore trust. The global financial system, voting systems and campaigns, and the media are particularly vulnerable to such attacks.

While trust attacks have not yet occurred on the financial system, the sector is particularly vulnerable to infiltration that would undermine faith in the payment systems that process everyday transactions. An example is the clearing house that acts as a middleman between parties to securities transactions to ensure the seamless transfer of securities, and in the event of delay or default, acts as a backstop for brokerages. These utilities are central to the functioning of the global financial system, and an attack on them could be disastrous. Gary Cohn, director of the National Economic Council, echoed an October 2017 U.S. Treasury report, seeing a “major risk” emerging in clearing houses, given the volume, values, and concentration of transactions they handle, the risk inherent in that concentration, and their interconnectedness to the global financial system.

Hackers could devastate the financial system by inserting fake data or changing existing data in clearing houses or payment and settlement systems. To restore data integrity, the infrastructure would need to be taken offline, as analysts sorted out what was real and what wasn’t. In the interim, banks and traders would no longer be able to trust affected clearing houses or settlement systems, and consequently, the numbers on their balance sheets related to transactions that the affected systems had processed. Payment and settlement systems would become unreliable. If the trust failure seeped into retail and merchant payments and settlements, shops and businesses would not operate normally. All along the chain of payments, partners to the transactions would not be certain of how much they owed or whether the payee had the necessary resources.

Restoring data integrity would be a slow, laborious process of comparing data to previous versions, which might not exist. Even if they did, the payment and settlement community would have to agree upon the validity of previous versions. Convincing users that data integrity has been restored would take much longer. Some disputes over the integrity of clearing or transfers might never be reconciled.

U.S. and European elections in 2016 and 2017 saw both direct attacks on the systems underpinning the national voting apparatus, as well as indirect efforts to distort information in social and news media. In June 2016, the cybersecurity firm CrowdStrike reported that Russian government-affiliated hacking groups (also known as Fancy Bear and Cozy Bear) had breached the networks of the Democratic National Committee. Soon after, someone calling themselves Guccifer 2.0 began leaking the documents. Other embarrassing emails and documents were published on the websites of DC Leaks and Wikileaks, resulting in the resignation of Democratic National Committee Chair Debbie Wasserman Schultz. Leaks from emails stolen from Hillary Clinton advisor John Podesta continued until Election Day, reinforcing the view among some in the electorate that the Democratic nomination system was corrupt and rigged. Rather than undermining trust in a physical system, as the hypothetical financial clearing house example would, the Democratic National Committee hacks undermined trust in a political institution and in the broader political process.

Social media has also been hijacked to sow distrust in the media and democracy. In September, Facebook said it had identified more than $100,000 worth of divisive and false ads purchased by Russia’s “Internet Research Agency,” a shadowy group based in St. Petersburg with links to the Kremlin. This group used a battery of fake accounts to post on social media networks and news websites. Executives from Twitter testified that the site closed some 200 accounts it had traced to the Kremlin, including several linked to Russia Today, a propaganda arm of the Kremlin that spent $274,000 on social media ads. The ads and posts focused on issues that were polarizing the U.S. electorate: race, LGBTQ rights, gun control, and immigration. Crucially, the posts often suggested that these issues were being ignored or willfully distorted by the mainstream media, sowing distrust of traditional outlets.

States that wish to undermine trust in systems face a lower barrier to entry than those who wish to take power grids or the financial system offline. As a result, in the future there will be more players, more attacks, and thus more opportunities for miscalculation and escalation. With few accepted rules of behavior in cyberspace, countries as big as China or as small as Bahrain can be expected to engage in these kinds of attacks.

Trust But Verify

How to lessen this threat? Governments and industry already pour significant resources into security controls and privacy protections. Far less has been done to prevent the manipulation of integrity and data in institutions, or to recover from such trust attacks. The United States should develop ways to measure the trustworthiness and integrity of data and systems; realign security research, investments and priorities toward protecting trust; and work with allies to prepare for and reduce state attacks on integrity.

The United States should lead the international community, regulators, and standards organizations such as the National Institute of Standards and Technology and the Center for Internet Security, in developing protocols for measuring and assuring data and system trustworthiness and integrity. There are already some models for measuring and assuring integrity. Cybersecurity companies provide daily ratings for companies’ security performance (similar to consumer credit scores); retail websites display security certifications from independent auditors or security companies to highlight their trustworthiness. Clint Watts and Andrew Weisburd have proposed something like a “nutritional label” for social media, a technical scheme that uses sophisticated algorithms, human judgment, and media company input to rate the quality and integrity of information online. As artificial intelligence makes it possible to manipulate audio and video, media companies will have to develop technological authentication methods to assure trust. Such an effort would place trust on an equal footing with controls and privacy in cybersecurity standards, practices and technology (as well as equal priority for research and investment).

The next step, after measurement, would be establishing regulations to place trust on par with controls, catalyzing investment from the private sector in systems that ensured the integrity of data. Investments are also necessary to shrink the interval between successful detection of an attack and containment and recovery. This is especially important in attacks on integrity, since early intervention and rapid response can attenuate loss of trust.

The private sector also has experience in restoring the integrity of data after it has been attacked. From 2014 to 2016, the Treasury Department ran cybersecurity exercises called the “Hamilton series” to help banks prepare for an attack that could manipulate data related to transactions or trades. In the wake of those exercises, the U.S. financial services industry established Sheltered Harbor to restore consumer banking accounts in the event of a widespread outage or denial of service attack. Members, who range from banking giants such as Bank of America, Citigroup, and JPMorgan Chase to local institutions, commit to creating a backup vault of data that is unalterable once it is recorded. In addition, digital ledger technology such as blockchain can also help restore data integrity by creating a distributed, immutable, and trusted mechanism to record and re-establish transactions.
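The “unalterable once it is recorded” property of a backup vault, and the later work of “comparing data to previous versions” to re-establish which transactions are genuine, both rest on the same mechanism: every recorded entry commits to a hash of the entry before it, so any edit to the history breaks a link that a verifier can find. The following is an added illustration written for this page; it is not Sheltered Harbor’s design or any particular ledger product, and the `Entry`, `append`, `verify` and `reconcile` names, the sample transactions, and the out-of-band “anchored head” are all assumptions made here. It shows four cases a defender cares about: a live ledger that silently diverges from the vault, a vaulted record altered without touching hashes, an attacker who also recomputes that record’s hash, and a full consistent rewrite of the chain, which only the externally stored head hash can expose.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64  # link value used by the very first entry


@dataclass(frozen=True)
class Entry:
    index: int
    record: dict      # the transaction exactly as it was when vaulted
    prev_hash: str    # entry_hash of the preceding entry (or GENESIS_HASH)
    entry_hash: str   # SHA-256 over index, canonical record and prev_hash


def canonical(record: dict) -> str:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def digest(index: int, record: dict, prev_hash: str) -> str:
    payload = f"{index}|{canonical(record)}|{prev_hash}".encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append(vault: List[Entry], record: dict) -> Entry:
    """Append a record; its hash commits to everything already in the vault."""
    prev = vault[-1].entry_hash if vault else GENESIS_HASH
    idx = len(vault)
    entry = Entry(idx, dict(record), prev, digest(idx, record, prev))
    vault.append(entry)
    return entry


def verify(vault: List[Entry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first broken link, or None if the chain is intact.

    expected_head is the last entry_hash as stored somewhere a ledger attacker
    cannot write to (printed, escrowed, published). Without it, a consistent
    rewrite of the whole chain is indistinguishable from the real one.
    """
    prev = GENESIS_HASH
    for e in vault:
        if e.prev_hash != prev or e.entry_hash != digest(e.index, e.record, e.prev_hash):
            return e.index
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return len(vault)  # self-consistent, but not the chain that was anchored
    return None


def reconcile(live: List[dict], vault: List[Entry]) -> List[int]:
    """Indexes at which the live ledger disagrees with the vaulted reference copy."""
    if verify(vault) is not None:
        raise ValueError("vault failed verification and cannot serve as the reference")
    return [i for i, e in enumerate(vault)
            if i >= len(live) or canonical(live[i]) != canonical(e.record)]


def demo():
    # Constructed sample transactions; not real account data.
    txns = [
        {"id": "T1", "from": "acct-A", "to": "acct-B", "amount": 250.00},
        {"id": "T2", "from": "acct-B", "to": "acct-C", "amount": 75.50},
        {"id": "T3", "from": "acct-C", "to": "acct-A", "amount": 10.00},
    ]
    vault: List[Entry] = []
    for t in txns:
        append(vault, t)
    anchored_head = vault[-1].entry_hash  # assumed to be kept out of band

    # 1. Live ledger silently altered: the vault pinpoints the diverging record.
    live = [dict(t) for t in txns]
    live[1]["amount"] = 7550.00
    diverged = reconcile(live, vault)

    # 2. Vaulted record altered without touching hashes: the link breaks at 1.
    tampered = list(vault)
    tampered[1] = replace(tampered[1], record={**tampered[1].record, "amount": 7550.00})
    broken_at = verify(tampered)

    # 3. The attacker also recomputes entry 1's hash: the break moves to entry 2,
    #    whose prev_hash still names the original entry 1.
    e1 = tampered[1]
    tampered[1] = replace(e1, entry_hash=digest(e1.index, e1.record, e1.prev_hash))
    broken_downstream = verify(tampered)

    # 4. Whole suffix rewritten consistently: only the external anchor reveals it.
    rewritten: List[Entry] = []
    for t in [txns[0], {**txns[1], "amount": 7550.00}, txns[2]]:
        append(rewritten, t)
    rewrite_unanchored = verify(rewritten)
    rewrite_anchored = verify(rewritten, anchored_head)

    return diverged, broken_at, broken_downstream, rewrite_unanchored, rewrite_anchored


if __name__ == "__main__":
    print(demo())
```

The design point is the last case: a hash chain alone makes edits detectable only by someone who already holds a trusted copy of some link, which is why a vault must be write-once and why its head hash belongs outside the systems it protects. Reconciliation of a live ledger against the vault then yields a list of disputed transactions rather than a wholesale loss of confidence in every balance.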

International efforts to develop confidence-building measures will also play a role in sustaining trust. Just as U.S. analysts have mostly focused on destructive cyber-attacks, U.S. diplomacy has been primarily concerned with international law and norms related to cyber conflict, rather than trust attacks. A group of government experts at the UN, for example, endorsed the norm that states should not interfere with critical infrastructure during peacetime and should not attack another country’s computer emergency response teams.

Most trust attacks would clearly fall below the threshold for the use of force or armed attack in international law. While there is little hope for any international agreements on these types of cyber operations, the United States can work with like-minded countries on responding to threats to complex institutions. To raise the costs of and perhaps deter state-backed trust hacks, the United States and its allies should generate a consensus of expectations that details what types of interference will provoke what types of reactions, from sanctions to retaliatory cyberattacks. In a promising first step, over the last several years, NATO has created a network of centers that will help the alliance better understand the danger, including the Cooperative Cyberdefense Center of Excellence in Tallinn, and the Strategic Communications Center of Excellence in Riga. NATO and the EU also recently established the European Center of Excellence for Countering Hybrid Threats in Helsinki. This network should be able to provide a comprehensive picture of the threat to democratic institutions as well as to generate countermeasures to attacks on the media and elections.

Love All, Trust a Few, Do Wrong to None

In the summer of 2016, the Pew Research Center asked over 1,000 technologists, scholars, practitioners, and others whether people’s trust in their online interactions would be strengthened or diminished over the next 10 years. Surprisingly, 48 percent believed that trust would increase, 28 percent said it would stay the same, and 24 percent thought it would decline. Most of the optimists thought some combination of new technology and regulatory standards would increase security and trust. They also predicted a generational change, arguing that since younger users’ habits are more fully “digital,” they would demand that online services became more dependable and trustworthy.

It is hard to imagine that the optimists still outnumber the pessimists. Over the last year and a half, trust has not just been a collateral victim of attacks on control and privacy. Attackers have demonstrated the efficacy of directly targeting trust. The hacks are cheap, seemingly effective, and difficult to deter.

The immediate risk is that the next wave of trust attacks sparks regional military conflict. According to U.S. intelligence officials, in late May, hackers from the United Arab Emirates infiltrated Qatari government news and social media sites, and planted false quotes by Qatar’s leader. The Emirati government, along with Saudi Arabia, Bahrain, and Egypt, used the planted quotations as a pretext to ban Qatari news outlets and break off diplomatic and trade relations with Qatar. While the effects of this particular hack were eventually contained, cyber-attacks that embarrass or threaten the legitimacy of weak leaders could cause them to overreact, leading to conventional conflict. The other fear is that trust hacks expand to the internet of things, health, legal records, and other institutions central to modern society.

The United States has an opportunity to elevate trustworthiness on par with security controls and privacy in cyberspace. With malicious actors increasingly targeting data integrity, it is important for governments and businesses to protect confidence in fragile political, social, and economic systems connected to the internet. Still, states, corporations, and international organizations cannot do it alone. Individuals must also be active participants in defending and rebuilding trust. Basic behaviors, or “cyber-hygiene,” can make a significant difference — change passwords regularly, update and patch software, don’t click on strange links or attachments, keep a barrier between your online personal and private lives, read the news, and maintain a healthy balance between trust and skepticism. States and individuals have degraded trust on the internet, and now states and citizens will have to work harder to defend and rebuild it.

Neal A. Pollard is a Principal at PricewaterhouseCoopers LLP, where he leads cyber incident response services in their New York Metro offices. He is also an adjunct professor at Columbia University and Fordham Law School. Prior to joining PwC, he was a senior intelligence officer in the US counterterrorism community. Opinions and positions contained herein are solely those of the authors and do not represent the opinions, positions or policies of current or past affiliations.

Adam Segal is the Ira A. Lipman Chair and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. His most recent book is The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age.

Matthew G. Devost is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. He was a co-founder and President and CEO of the Terrorism Research Center from 1996 to 2009, and co-founder and CEO of FusionX LLC, which was acquired by Accenture in 2015, where he went on to lead Accenture’s Global Cyber Defense Practice.
