Cyberwar is an ugly word, not only because of what it implies, but because the term is ill-defined. It's suggestive of digital attacks alone. That's simply not the case. It is far more likely that cyberattacks would be only one form of aggression in the otherwise familiar hells of war.
The biggest question of all, for corporations and citizens alike, is: Are we here in the US simply in the midst of informal nation-state aggression, or are we in a full-fledged cyberwar?
The distinction between the two situations may not matter for IT's purposes, since neither poses a serious threat to corporations. Nonetheless, it's important to understand the nature of the threat in order to prepare an effective defense.
To help answer these questions, InformationWeek interviewed 57 experts for this three-part series that explores where we stand today, where we're headed, and what CIOs and other IT leaders need to do to prepare.
"Regrettably, in a way akin to the notion of mutual assured destruction [MAD], we are in the midst of a cyberwar at present that could have severe consequences for major nation-states," said Joe D. Whitley, chairman of law firm Baker Donelson's government enforcement and investigations group, in an interview with InformationWeek. Whitley was the first General Counsel of the US Department of Homeland Security and is former Acting Associate Attorney General for the US Department of Justice.
If we are in the midst of a cyberwar, why hasn't such been publicly declared by the US government and broadcast across all of the news media? The coverage has been piecemeal, at best. This summer, NBC News obtained an exclusive NSA map of cyberattacks reportedly perpetrated by China against US targets. Even so, there's been no formal government declaration of a cyberwar. Why not?
"Cyberwar is a vague concept, and must be viewed within the larger strategic context of relations between [nation] states," said Andrea Little Limbago, principal social scientist at Endgame, in an interview with InformationWeek. Endgame is a cyber-security company with roots in protecting the US government's national security assets.
[When good data intentions go bad. Read 14 Creepy Ways To Use Big Data.]
"The recently released [Department of Defense] Law of War manual outlines the digital activities that may constitute war, largely based on the physical impact of digital operations," Limbago said. "This includes things ranging from cyber-operations that result in a nuclear plant meltdown, to undermining the military's logistic systems, to destroying a dam. It does not include those attacks that have dominated the media lately, such as website defacement or theft of private information."
Federal hacks -- such as those of the Veterans Administration (VA), the White House, the State Department, the US Postal Service (USPS), the Government Publishing Office (formerly the Government Printing Office), and the Office of Personnel Management (OPM) -- may not fit the DoD's criteria of acts that constitute war. But that doesn't mean that American lives and corporate livelihoods aren't in danger.
It also doesn't mean that IT need only worry about data breaches in a business-as-usual state of mind, for there's nothing usual about this situation. For perhaps the first time ever, IT in private companies is, for all practical purposes, the first line of defense for both these organizations and the country.
"Our defenses to a cyberattack in the United States are much weaker than they should be," Whitley said. "The reasons for our vulnerabilities are many, but they have their roots in a free-market society where 85% to 90% of our critical infrastructure in the United States is in private hands. As a consequence, we are much better positioned to launch attacks than to defend against them."
Not only is most of our critical infrastructure in private hands, but IT is already charged with defending against the tactics used to attack it, regardless of whom the attacker is. Whether or not the government labels it as war, and whether or not the aggressor is a terrorist or a nation state, IT is on-point.
Take for example, the tactic used in the OPM hack, wherein an employee's user credentials were stolen and used to access and copy data. The user was an employee of government contractor KeyPoint Government Solutions, which was working on OPM's systems at the time of the theft of credentials, according to KeyPoint CEO Eric Hess's testimony during a House Oversight and Government Reform Committee hearing. The theft happened on IT's watch -- at OPM, or KeyPoint, or both -- and reflects the general and prevailing lack of attention IT is giving to security weaknesses in systems.
In other words, it's not that hackers are smart. It's that IT, as a general rule, is not mounting much of a defense. Even though it's obvious that the risk has grown significantly and far surpasses merely a loss of digital data.
"The significance of the OPM hack is so profound that no matter what is written, it's underreported," said Valerie Plame, the former covert CIA operations officer outed in 2003 by the Bush administration in the lead up to the Iraq war, in an interview with InformationWeek. "From what I understand, NSA and CIA employee data wasn't included in that hack, but I still wouldn't want to be serving overseas now."
Information is power, Plame said, and this much power is deadly to operatives and other key government workers in myriad ways.
"It's all about human relationships. That's what I did [at the CIA] -- I learned about and formed relationships to build trust," said Plame. "It's all about building trust to get what you want, and the OPM hack gives an adversary a huge advantage in that regard. People don't realize how much information was gained from the OPM hack and that it puts family, friends, spouses, previous lovers, college roommates, landlords, neighbors, and previous employers -- everyone that anyone documented in that dataset ever came into contact with or got close to -- at risk."
That information can be acted upon with harmful or deadly effect now, and/or it could be the prelude to something much bigger later.
David J. Venable, CISSP, a former intelligence collector at the NSA and currently director of professional services at Masergy, which owns and operates a global cloud networking platform, says there are three prime categories of vulnerabilities in this country: our utility infrastructure, our government, and our finance sector.
A serious attack on any one of those could prove disastrous, but an attack on all three would be catastrophic. That scenario would go something like this, he says:
In each case, IT is at the head of defense and response. Preventative and fast-response planning should be put in place, tested, and drilled regularly by IT staff members to ensure that defenses are tightened and, should the worst happen, that they regain immediate and unfettered control of systems. This means not only that security must be implemented and prioritized at every level, but also that such efforts must be ongoing, diligent, and increasingly sophisticated.
Further, IT should design and be prepared to deploy robust and resilient recovery tactics that include -- but go far beyond -- data backup and recovery. While this is true across all industries, it is especially so in
Page 2: Are China and Russia the true culprits?
(Continued from page 1)
cyber-physical systems (CPS), where computers control physical things such as electrical grids, dams, and other utilities; IoT systems in manufacturing and elsewhere; and connected car systems.
Business continuity planning is no longer a back-burner nicety but a necessity, since it is the survival plan not only for the organization, but perhaps for the country too.
"This [coordinated attack approach] would require an incredible amount of coordination, sophistication, and luck," Venable told InformationWeek. "But the example makes it easy to see how three attacks that we've seen work already could come together to create a perfect storm of chaos -- and it could be made worse by coordinating it with physical attacks."
It's obvious that any one of the federal hacks previously cited delivers a chilling amount of information to any adversary -- but especially to a well-funded, well-armed, and very motivated state aggressor. Who got the data? Was it China or Russia, as the White House has repeatedly asserted? How can we really know who did it?
Cyber-security experts say that attacks are so complex that it's impossible to say with certitude who the attacker actually is. Yet the President has named a nation-state as the culprit in many cases, and so have others in the government.
There are even specific individuals named on the FBI's Cyber's Most Wanted list, including five members of the People's Liberation Army of the People's Republic of China.
Even so, President Obama walked back his assertion that China was behind the OPM hack.
Which is it? Does the government know that China is behind the OPM and other hacks or not? If it does, how exactly does it know that? Can IT and cybersecurity experts learn to identify attackers by those means as well?
[What's your disaster response plan? Read Crisis Response: 6 Ways Big Data Can Help.]
"There's no doubt nation-states are doing this," Rear Adm. (ret.) Ken Slaght told InformationWeek. The US Navy retired rear admiral was Commander of the Space and Naval Warfare Systems Command, where his duties included delivering and maintaining computer and intelligence systems (C4I). Slaght is currently co-chair and president of the nonprofit San Diego Cyber Center of Excellence (CCOE).
"I'm about 90% sure that the government does know exactly who is behind each of these hacks," he said. "The government has the advantage of all the rest of its intelligence operations to assist in tracking down the aggressors, on top of its abilities in digital tracking and surveillance. People tend to forget that the country has a lot of intelligence to work from."
There's the rub. To prove that China or Russia is behind any given attack in an international court or in the public's eye means revealing exactly how the US knows for certain. Hence the President's careful and public walk-back from blaming China.
Yes, that means the government isn't going to share this information with IT in the private sector. This reticence isn't going to help already strained relations between IT, including its cyber-security brethren, and government agencies. For decades private companies have complained about the federal government's unwillingness to share threat information.
Given IT's increasing defense role in protecting the country, the government's reluctance to share threat details no longer chafes -- it's outright hobbling the defenders.
It's left to IT to assess and understand the danger on its own. The vital question remains: Are we already in the early days of a cyberwar -- or in a cold war of sorts that could one day take us to the brink of a physical war?
"The probability of cyberwar is directly linked to the likelihood of war in general. It must not be viewed as stove-piped and distinct from the geopolitical context," Endgame's Limbago told InformationWeek. "In the near future the likelihood of war between the US and a major power like China is not very high; rather, cyber-operations will continue to focus on espionage campaigns and reconnaissance efforts."
In any case, all 57 experts polled and interviewed for this series agree that, whether the threats come from nation states or terrorists, the threat in the physical world is real and imminent. It is only the timing that's in question.
"At the end of the day, I'm not sure how much difference it makes as to who caused the devastation if we end up addressing it after the fact," says Slaght. "As it is, it doesn't take much sophistication to create considerable damage and chaos. Because of that, we'll probably end up combatting terrorists first, which will then amount to a big part of our future protections from nation states."
"Remain calm. We can't turn the clock back, but we must adapt more quickly and better than our adversaries," advises Whitley. "We are at war, but it is a winnable war if we can better coalesce as a society in acknowledging the problems and vulnerabilities we will face today and tomorrow."
For IT, it's time to occupy the battle stations in earnest.
[In part 2 of this series, learn how the private sector is at risk from government cyberattacks.]
**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.Pam Baker is author of Data Divination: Big Data Strategies, which met with rave reviews and is currently being used in universities as a textbook for both business and tech courses. It's also sold to business audiences in the general market. The US Chamber of Commerce and ... View Full Bio