Cheap Cyber Weapons Threaten Unintended Consequences
A new framework helps agencies prepare for cyber surprises.
A new report on the commoditization of cyber weapons suggests that the easy availability of inexpensive offensive cyber tools is reshaping the cyber threat landscape. The report is being briefed to officials across the federal government, including elements of the Department of Defense, Department of Homeland Security (DHS), FBI, Senate Cyber Caucus and the Secret Service.
The report, The Commoditization of Cyber Capabilities: A Grand Cyber Arms Bazaar, was created by the Public-Private Analytic Exchange Program, a joint effort between the DHS and the Office of the Director of National Intelligence. The program brings together experts from the government and the private sector to tackle some of the nation’s toughest challenges.
On November 19, for example, several co-authors briefed a group hosted by the Joint Staff, and the next day the report was presented to the Secret Service Electronic Crimes Task Force in Chicago. It will likely be presented to the Atlantic Council, and early next year officials in New York from the financial sector will probably be informed of the results. Personnel from think tanks in the Washington, D.C., area also have been briefed, says Guillermo Christensen, a former CIA officer and a partner at the Ice Miller law firm, who helped work on the report.
“These capabilities, these technologies are becoming like a commodity, cheaper, easier, more accessible. The main takeaway we want people to have is that our current politics and our current policies with respect to these threats are woefully below standards,” Christensen says.
He adds that simply focusing on attribution—discovering who is conducting attacks—is no longer enough. “The reality is that as more countries use these tools, we’re going to probably see some very unintended consequences develop. I always tell my clients that the law I am most concerned about with respect to national security or cybersecurity … is Murphy’s Law, the law of unintended consequences.”
Furthermore, the concept of deterrence may not be effective in the cyber realm. “Unfortunately, a lot of people who think about this issue from a doctrine of operations are steeped in nuclear theory, so deterrence is a natural concept for them to default to,” Christensen says.
The report explains that the idea of a grand bazaar is motivated by the plethora of cyber tools available to the full array of state and non-state threat actors. “One influencing factor is their ability to ‘professionalize’ cyber capabilities in mature organizations that integrate a mix of technical, operational and other skills and develop repeatable processes for conducting cyber operations,” the report states. “Another factor is operational intent, which spans a range from simple ‘smash and grab’ collection (theft), to complex operations calibrated to achieve precise and reliable disruptive effects.”
No country will turn down the opportunity to use cyber weapons, Christensen predicts. “Cyber is an essential component to any type of warfare, and before you go and start dropping bombs, you might as well give it a shot to try to use the bits. They are perceived as being less hostile, less violent, than a physical attack. No country—I’m 100 percent convinced of this—no country is going to pass up the opportunity to use cyber weapons, especially if they’re about to go to physical, kinetic war.”
Christensen suggests the need for international agreements on acceptable behavior in the cyber realm—for example, what is a proper response to the Chinese stealing data from the Office of Personnel Management compared to attacks designed to destroy critical systems or that risk people’s lives.
The established actors in the cyber realm are well known. China, Russia, North Korea and Iran tend to make a lot of headlines. But Christensen suggests that with the commoditization we may someday be talking about the cyber expertise of Vietnam, Morocco or Malta. “We tried to think about where are the unknowns in this space. And then we realized that was probably very interesting but of relatively narrow use and better would be to think about a concept for how to analyze this problem, and that’s what we ended up really coalescing around.”
That led to the development of a framework to help distinguish among a growing range of actors, all having access to advanced capabilities, based on their organizational maturity—advanced, emerging or opportunistic—and operational intent: collection, profit or disruption. “We went to the next step to ask what we can do about this, what we should be worried about. What is the reality that this is now a commodity and can be easily sold, traded, acquired. What does this do for the geopolitical landscape? It’s not a good result, obviously, especially for the United States and Europe that have open economies and that are very reliant on the Internet and e-commerce,” Christensen says.
The framework, he indicates, offers a way for government or private organizations to plan for surprises. “One way I would use it with my clients, for example, would be to create a more informed conversation around the concept of strategic surprise in the cybersecurity environment. Companies—especially companies that are more exposed internationally, companies that are in businesses that might be more exposed from a national security perspective, or might be in a place that’s sensitive, need to include in their assessment of their risk profile, the fact that we are living in a zero network conflict world.”
He admits to making up the term zero network conflict world but explains it as personnel behaving as if their networks and data are totally exposed, as if they are using the wireless network at the local coffee shop. “We’re all essentially in a Starbucks. We need to protect but also act as if we are constantly in the same high state of vulnerability,” he says.
The group compiling the report offered four case studies to illustrate use of the framework, but Christensen says it could probably use some finessing before being adopted by government agencies. “We developed the ideas, and we came up with the structure of a concept. I think for it to be at the point where you could adopt it, say, for thinking through government policies, probably requires at least another step of thinking through the issues.”
With serious cyber weapons so readily available, both government agencies and the private sector should prepare for more serious threats. “They can’t just worry about the guys who can inject some ransomware, lock up a system and demand some bitcoin or the ones who can hack into the systems, change an email and redirect funds to a fraudulent account,” Christensen says. “What I want [organizations] to think about is that they are always potentially on the front lines of a global cyber war.”