Cyber Threats Abound, but Their Effects Are Not Certain
AFCEA Global Intelligence Forum Online Show Daily, Day 2
Quote of the Day:
“Whether it is national security information for the president, or financial information for a chief executive, when you don’t know whether the data is true or false, it’s a really bad day.”—Sean Kanuck, national intelligence officer for cyber at the National Intelligence Council in the Office of the Director of National Intelligence
Protecting the nation from cyber attack entails deterring or preventing marauders from carrying out their malevolent plans. But, while government and the private sector endeavor to fight the menace jointly, evildoers constantly change their approaches and learn new ways of striking at vulnerable points. So many variables have entered the equation that even the likelihood of attacks—along with their effects—is uncertain.
Experts in government and industry grappled with those issues during the final day of the AFCEA Global Intelligence Forum in the National Press Club in Washington, D.C. Panelists and two keynote speakers explored the threat of cyberattack in terms of both consequences and solutions.
Some popular misperceptions came under attack. Sean Kanuck, national intelligence officer for cyber at the National Intelligence Council in the Office of the Director of National Intelligence, disparaged the concept of a massive cyberattack bringing the entire country to its knees. This “digital Pearl Harbor Armageddon” is not likely to happen for a variety of reasons, he declared. Instead, a successful cyberattack is likely to have a regional rather than national impact and last only a few days at most.
And the only nations that are most capable of launching a devastating cyberattack are not likely to do so, he offered. It would not be in the best interests of these nations to bring down the United States, except possibly in an existential military conflict that threatens their regime or as a part of a major war. Instead, they likely will use their advanced cyber capabilities to pursue a wide range of espionage—which they are doing today, he noted.
The same holds true for non-state cyber players, who are more interested in profiting from criminal activities than sabotage. “They do not want to kill the goose that lays the golden egg,” Kanuck noted. “They want to profit, but they don’t want to bring down the law upon themselves.” However, less capable nation-states such as Iran might be the most likely cyber players to launch a destructive attack on the United States, he suggested.
But the most devastating cyberattack might not even be visible, he continued. While distributed denial-of-service attacks and malware that crashes operating systems dominate most headlines, the most serious national security threat looming in cyberspace may be the potential for vital data to be altered by cybermarauders. Kanuck warned of the day that a corporate chief executive officer or even a U.S. president might not be able to trust the normally reliable data needed to make a crucial decision. That situation might be even more damaging than cyberattacks currently envisioned as realistic near-term threats. If data is altered without people immediately realizing it, they only discover it after financial records are not clearing and balancing, for example.
“The question will be, can I trust my data from being altered?” he offered. “Whether it is national security information for the president, or financial information for a chief executive, when you don’t know whether the data is true or false, it’s a really bad day.”
While bringing down the nation may not be in the cybercards, other types of cyberattacks loom as potentially destructive threats. Eugene Kaspersky, chief executive officer and co-founder of Kaspersky Lab, described cyber sabotage as “the worst innovation of this century.” He particularly warned of the potential for attacks on supervisory control and data acquisition (SCADA) systems, citing examples that included collateral damage to systems that were not targeted by renegade malware.
Kaspersky even offered that democracy may be at risk in 20 years. Today’s youth spend most of their time online, and when they are older they will opt in large numbers for online voting. Absent an effective way of verifying voter identities online, the election system may collapse from organized fraud that destroys the fidelity of elections and, with it, true representative government. Kaspersky’s proposed solution is “a 100-percent, biometric-based digital identification card.”
He did suggest that the day of the cybercriminal may be numbered. Kaspersky described how governments are gaining on cybercriminals, and Interpol is opening a cybercrime center in Singapore next year. Kaspersky went so far as to predict the demise of cybercrime in short order.
“Next year, cybercrime will be an old story—done!” he declared.
While much of the day’s discussions focused on the threat environment, solutions to the burgeoning cyber threat came up in a panel discussion. The growing role of industry in cyber defense raised the topic of information sharing, and one industry representative pointed out that the private sector must learn to exchange information among its own elements.
Robert Mayer, vice president of industry and state affairs at the U.S. Telecom Association, called for more cross-sector activity and engagement so that the industry sectors share more information. The same threats may imperil different sectors, so it is in their best interest to help prevent cyberattacks across the board. “We in industry have a responsibility to bridge across the silos and create cross-connections,” he stated.
That will not be an easy task. Industry traditionally has been reluctant to share information with government; sharing with other sectors will raise similar concerns. Larry Zelvin, director of the National Cyber and Communications Integration Center at the Department of Homeland Security, cited a lack of clarity with industry on information sharing. Many companies are fearful, he noted, and longtime cultural issues must be overcome.
These cultural issues vex both industry and government. “We need to change the paradigm of how we think about things,” said Vice Adm. Michael Rogers, USN, commander, U.S. Fleet Cyber Command and commander, U.S. Tenth Fleet. “How do we educate our senior officers about how we live in this [new information sharing] world?”
Zelvin pointed out that cyber security is a competitive business; not everybody is going to share. “People may not want to be as open as we think they ought to be—for some very good reasons,” he added.
Paul Tiao, a partner in the law firm of Hunton and Williams, called for leadership and a community-wide dedication to information sharing. This should include metrics for measuring the sharing that takes place. And, personal contact is important for overcoming cultural barriers “People have to sit with each other and talk with each other—not videoconference. If you want to collaborate, do more than just share information,” he suggested.
Ultimately, private sector companies are the defenders of cyberspace, Zelvin offered. “It’s not the government that will protect us, it’s the private sector.”
AFCEA’s Global Intelligence Forum returns to the Le Plaza Hotel in Brussels, Belgium, on December 10-11, 2013.