If I could summarize the current state of US cyber defense policy, I would ask you to imagine a huge castle with towers, walls, catapults, and armed guards, but with a broken shutter door on the side of the castle through which people could simply walk in and invade.
As a journalist, I have covered many important defense issues over the years, ranging from lost nuclear weapons to terrorist cells, but I don’t think any topic worries me more than electronic warfare and how unprepared we are for the next phase of it.
So this week the staff and I decided to devote a large portion of the show to the next phase of cyber warfare and take a look at cyber’s “first strike” capabilities.
On this week’s panel were:
Tom Uren >> Australian Strategic Policy Institute
Brandon Valeriano >> Cato Institute
Jodi Westby >> Global Cyber Risks
Bruce Schneier >> Harvard University
The US Stuxnet attack on Iran in 2010 unleashed a new, public cyber arms race between the major powers, and it showed us all what can be achieved with these new weapons. Simplifying greatly for the sake of brevity: the Iranians were using a uranium enrichment facility for weapons production, and the United States wanted to put an end to this without having to launch a missile and start another conflict in the Middle East. The United States managed to plant a bug in the facility through one of the workers’ laptop computers, which then connected to the facility’s internal network and gave the US access to the rest of the network. The Stuxnet virus then directed the centrifuges (the machines that enrich uranium), which usually rotate at about 450 revolutions per second, to spin up to 2000 revolutions per second, then back down to two revolutions per second, then back up to 2000, then back down to two, and to repeat the cycle until the centrifuge tore itself apart and damaged the facility. All of this happened without the knowledge of any of the scientists on site, because the virus was also advanced enough to make everything appear normal on all the tools and communications the scientists used to monitor the centrifuges. The United States managed to paralyze an Iranian facility without dropping a bomb or setting foot in Iran, and it did so solely through a cyberattack.
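The defensive lesson in that description is that the operators were blind because the only speed reading they had was the one the malware controlled. The example below is added here to illustrate that point; it is not code from the show or from any of the panelists. It assumes a plant has a second, independent measurement of centrifuge speed (a hypothetical out-of-band tachometer feed) and cross-checks it against the values shown on the operator display, flagging both physical excursions and a display that stays suspiciously calm while the independent sensor does not. The telemetry, thresholds and field names are all constructed for the example.

```python
"""Cross-check operator-facing centrifuge telemetry against an independent sensor.

Added example (not from the original post). It assumes two feeds per sample:
  hmi_rps  - the speed shown to operators (the feed Stuxnet falsified)
  tach_rps - a hypothetical independent tachometer that the control
             network cannot rewrite
All thresholds and the sample trace are constructed, not plant data.
"""
from dataclasses import dataclass
from statistics import pstdev

NOMINAL_RPS = 450.0  # nominal speed quoted in the post (revolutions per second)


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start of trace (constructed)
    hmi_rps: float    # speed reported by the operator display
    tach_rps: float   # speed from the assumed independent tachometer


def constructed_trace():
    """Constructed telemetry: four honest samples, then the display keeps
    showing ~450 rps while the independent sensor sees the 2000 / 2 rps swings
    described in the post."""
    honest = [(0, 450.2, 450.2), (1, 449.7, 449.7), (2, 450.5, 450.5), (3, 450.0, 450.0)]
    spoofed_hmi = [450.1, 449.9, 450.3, 450.0, 449.8, 450.2, 450.1, 449.9]
    real_tach = [1200.0, 2000.0, 2000.0, 2.0, 2.0, 2000.0, 2000.0, 2.0]
    samples = [Sample(t, h, r) for t, h, r in honest]
    samples += [Sample(4 + i, h, r) for i, (h, r) in enumerate(zip(spoofed_hmi, real_tach))]
    return samples


def divergent_samples(samples, tolerance=0.05 * NOMINAL_RPS):
    """Samples where display and independent sensor disagree beyond tolerance."""
    return [s for s in samples if abs(s.hmi_rps - s.tach_rps) > tolerance]


def out_of_envelope(samples, low=0.8 * NOMINAL_RPS, high=1.2 * NOMINAL_RPS):
    """Samples where the independent sensor is outside the assumed safe band."""
    return [s for s in samples if not (low <= s.tach_rps <= high)]


def hmi_looks_frozen(samples, window=8, ratio=10.0):
    """A replayed display is 'too calm': its spread over the last `window`
    samples is far smaller than the independent sensor's spread."""
    recent = samples[-window:]
    hmi_sd = pstdev([s.hmi_rps for s in recent])
    tach_sd = pstdev([s.tach_rps for s in recent])
    return tach_sd > ratio * max(hmi_sd, 1e-9)


def assess(samples):
    """Summarise the trace and give a verdict an operator could act on."""
    divergent = len(divergent_samples(samples))
    excursions = len(out_of_envelope(samples))
    frozen = hmi_looks_frozen(samples)
    if divergent and frozen:
        verdict = "telemetry-spoofing suspected"   # display disagrees with reality and is unnaturally flat
    elif excursions:
        verdict = "physical excursion"             # sensors agree, but the machine is out of band
    else:
        verdict = "nominal"
    return {"divergent": divergent, "out_of_envelope": excursions,
            "hmi_frozen": frozen, "verdict": verdict}


if __name__ == "__main__":
    for s in divergent_samples(constructed_trace()):
        print(f"t={s.t:2d}  display={s.hmi_rps:7.1f}  tachometer={s.tach_rps:7.1f}")
    print(assess(constructed_trace()))
```

The design point is that the check only works if the second feed really is independent: a tachometer wired into the same PLC the malware controls would simply be falsified too, so the value lies in the separate signal path, not in the arithmetic.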
Since 2010, cyber attacks have become more common and can usually be sorted into three groups. The first is ransomware and phishing, where someone persuades you to click a link or fill out a fake form that hands the attacker your password or basic information. Once the other party has this information, they can log in as you and either hold your computer hostage with ransomware or simply steal your information and ransom it back to you. This is the method the Russians used to hack the DNC, and it is used regularly by petty criminals and rogue states like North Korea.
The second is effectively like throwing spaghetti at the wall and seeing what sticks. A country like China might launch up to 50,000 cyberattacks on the United States per day knowing that most of them will not succeed, but if one or two do, the attackers can bury themselves in the system (these are the so-called “zero-day vulnerabilities”). The goal is to bury the code in the operating system so that it remains dormant for as long as possible until it is activated to perform its task; it may be buried so well that it is almost impossible to detect with standard virus checks. On some occasions we have been able to find and patch them, but even at the highest levels of defense we have no idea how many zero-day vulnerabilities might still be lurking in the system, waiting for instructions.
The third is more precise attacks like Stuxnet. Russia in particular likes to use these against targets like Estonian banks and the Baltic and Ukrainian power grids, which opens up a huge “gray area” when it comes to the rules of engagement. If Russia bombed an Estonian power grid in an air strike, it would almost certainly be seen as an act of war and answered as one, but because it is a cyberattack, nobody really knows how to respond. This is largely due to the tremendous difficulty of attribution: with cyber it is very hard to prove with 100% certainty that a particular party was the perpetrator. From the sophistication of the code we can usually determine the level of the attacker, but higher-level attackers can also work to make it look as if someone else did it, which opens a can of worms.
We raised exactly this issue with one of our guests regarding a cyber attack on American soil. Because the private sector plays a much larger role in the major infrastructure of the United States, we often see things like dams operating on shrinking budgets, doing little if anything to protect themselves from attack, and in many cases still running their controls on operating systems like Windows XP. From public reports we know that everyone from Iran to Russia to China to North Korea has at some point had access to a great deal of vital US infrastructure, and what they did while inside is still not fully understood. Our experts told us that it is very difficult to make an attack look like the work of someone more advanced than you, but it is not difficult to make it look like someone less advanced; so China or Russia would have the ability to launch an attack and make it look like Iran or North Korea.
Our scenario was China or Russia (somewhere around the time of the election, for maximum effect) using their exploits to open a dam in a state like Pennsylvania and flood a valley in the middle of the night (estimated losses 3000+), then leaving enough breadcrumbs to steer the investigation toward Iran. With a disinformation campaign on social media to support it, I don’t think it would be difficult to spark a wave of anti-Iranian anger in the United States, and in an election year I can’t see a politician decisively saying “Well, we can’t be 100% sure, let us give Iran the benefit of the doubt” without their opponent painting them as Iran’s defender. In this scenario it is not hard to see how internal pressure could push the United States into a horrific, bloody conflict with someone like Iran even though they may have had nothing to do with it. This scenario is what worries me most.
The other interesting angle here is that in most cases, once you launch a cyberattack you hand your enemy a piece of code, and we saw this after Stuxnet, where the code used in the attack was discovered and then studied by several different countries. By contrast, when you launch a guided missile at something it explodes and cannot be reverse engineered, but cyber weapons often can be, so all sides are reluctant to use their best weapons and keep them waiting for the right moment (worried that launching too soon will give the opponent time to study them and prepare a defense). This adds another layer of tension, because we simply do not know for sure how strong the other parties’ cyber capabilities are and what they are holding back, unlike nuclear weapons, where we can estimate the size of the largest arsenals with satellite imagery, shock detectors and atmospheric sensors.
The internet itself is not my area of expertise, which is why we brought in this panel, but I cannot be alone in being disturbed by the number of unknowns surrounding it. We simply have no idea at this point how devastating a first strike would be, or whether we could attribute that blow to the correct source with 100% certainty.
I would like to hear subscribers’ opinions on this. Should we take the internet more seriously? What do you think of the public’s likely response to the Pennsylvania scenario? Is there a way to protect our basic infrastructure without spending billions of dollars?
Thanks again everyone here for your links and suggestions.
If you’d like to hear the entire episode, you can check it out at any of the links below.
YouTube >> https://youtu.be/ktC67vqGpDE