The recent indictment of 12 Russian intelligence officers by the Justice Department for interfering in the 2016 U.S. presidential election underscores the severity and immense reach of cyber attacks, like no other in history. To influence the election’s outcome, authorities said these agents hacked into the computer networks of the Democratic Party to get information, and strategically released it on the internet. In the private sector, companies have to step up their game against cyber attacks that are becoming all too common.
Against that backdrop, fighting cyber threats has never been more important. It is the “greatest terror on the economy, bar none,” but policy makers’ response to it has been moving at a snail’s pace, according to high-ranking cyber-security and risk management experts who spoke at a panel discussion on cyber risks at the Penn Wharton Budget Model’s first Spring Policy Forum, which was held last month in Washington. Experts called for greater awareness of cyber threats at all levels, an inclusive approach to protect all parties affected, and steps to “harden our defenses to make the cost too high for the payoff to carry out these cyber attacks.”
Russia is at the top of the list of sophisticated cyber adversaries faced by the U.S., a group that also includes Iran, China and North Korea, according to Matthew Olsen, co-founder and president of IronNet Cybersecurity and former director of The National Counterterrorism Center. “Russia has made information conflict a critical and central pillar of its national security strategy,” he said. “Cyber is a means of carrying out their geopolitical strategy.” And Olsen believes such political meddling will continue. There is “every reason” for Russia to interfere in the 2018 and 2020 elections as well, he warned, and “with even more fervor and more effort.”
A Frictionless Weapons System
Any complacency over cyber attacks is dangerous, warned Ira (Gus) Hunt, managing director and cyber strategy lead at Accenture Federal Services and former chief technology officer at the CIA. “Despite the increasing pace of attacks, we actually have, through technology, [ways of] stopping more and more of these attacks,” he said, pointing to recent studies by Accenture and by Verizon and others. In terms of cyber losses, “it has actually been a pretty steady state in the last two to three years across the board,” Hunt added. “But I look at this with great suspicion.”
In fact, “we are exhibiting the classic signs of insanity,” added Hunt. “We are like the little boy with his finger in the dike,” referring to the folk tale of a Dutch boy who stayed up all night to plug a leak and save his country, until the adults woke up the next morning and got it repaired. “Things are about to get much, much, much worse, and it’s going to happen very, very quickly, and very, very suddenly.” This is driven by the proliferation of devices that people use, and because of that, “the threat surface is going to expand by some three to five orders of magnitude,” he added.
According to Hunt, “cyber is the most difficult threat environment the world has ever seen … and as a weapons system, it is unlike anything previous[ly] in history.” He said “the velocity of innovation around cyber itself is unparalleled,” pointing to one study that found that more malware is released in a month than all the legitimate code in a year. “It’s highly asymmetric,” he continued. “We’re at the point now with cyber that not just nation-states but single individuals can wreak massive havoc by marshaling all of the available resources they can find on the dark web and pointing it at something, and turning it loose to attack things.”
The “scariest” aspect of cyber threats is that they are “frictionless,” said Hunt. “Cyber is the world’s first frictionless weapons system. The moment [they are] released and discovered in the wild, everybody’s knowledge is suddenly elevated and [they] turn around and come back at us in different ways.” For example, he said, days after German magazine Der Spiegel revealed the use of the Stuxnet computer worm in attacking Iran’s nuclear program, variants of it developed and spread — and then were used to attack U.S.-based systems like SCADA, a data tool for critical infrastructure and automated factories. “It’s the tip of the iceberg, not the bottom of it,” Hunt warned.
Tim Murphy, president of Thomson Reuters Special Services and former FBI deputy director, shared his own encounter, in 2008. “I’m sitting at my desk in the FBI, and I’m the number three in the FBI and I am attacked by a state sponsor — in the building — on my unclassified network,” he said. “If that doesn’t cause you to be scared and take action, not only in the organization, but give you a greater outlook on how big the problem was and is, [nothing will]. That was 10 years ago so you can understand the scope of it today.”
More Vigilant Americans
Even as those scary scenarios loom, one reason for optimism is that “we are slowly but surely seeing an awakening of vigilance by the American people about this threat,” said Daniel Kroese, senior advisor, National Protection and Programs Directorate in the U.S. Department of Homeland Security. The first major wakeup call for ordinary Americans was the data breach at health insurer Anthem in 2015 involving some 80,000 medical records, he said. Around that time, another massive breach was underway at the U.S. Office of Personnel Management, showing that “even some of the most sensitive government records were not immune to these threats,” he added. Subsequent major attacks include the WannaCry and NotPetya ransomware, the Uber breach that hit 57 million accounts in 2016, and the 2017 Equifax breach of nearly 150 million.
Murphy said people don’t take cyber threats as seriously as they should. “I want people to be scared, I want the government to be scared, and I want the private sector to be scared, because I don’t think we are scared enough,” he said. “And by scared I don’t mean fearful; I mean scared into taking some action.” He added that the response to these threats must be improved. “This works at network speed, at code speed, and we’re working at human speed to solve this problem,” he said, noting that the FBI didn’t have a cyber division until 2003, two years after 9/11.
Olsen saw the U.S. response to Russian attacks as underwhelming, and also raising troubling questions. “How seriously have we taken that threat? What has Congress done? What has the administration done? What have companies done to defend ourselves better? What pain did we inflict on Russia for the attack on our election? How do we even think about an attack on the fundamental pillar of our democracy when it’s carried out by a nation state? How do we think about it from a doctrinal standpoint?”
“We need a holistic view and we need it now,” said former FBI deputy director Murphy. The U.S. needs “that holistic view on what is happening with intrusions into anything that touches the supply chain of our electoral process, and on what is happening with the influence, which also plays a major role in our next election.”
Securing the Digital Borders
David Lawrence, founder and chief collaborative officer of the Risk Assistance Network + Exchange (RANE) and former Goldman Sachs associate general counsel, said the “overarching theme” of the 9/11 Commission and the findings from the 2008 financial crisis are helpful pointers in tackling cyber threats. “Those events were less a failure of intelligence and of information than of imagination, connecting the dots in advance,” he said.
Lawrence said that “because cyber is about technology, it becomes an overly complex puzzle” and intimidates people with its language and science. “The [cyber] crimes we are witnessing are of biblical proportions. They are theft and fraud and espionage and various [means] of sabotage and extortion and blackmail. The actors are precisely the same people who always meant us harm. Criminals and organized crime groups, terrorists, various hostile states and state sponsored groups.” Paraphrasing President Trump’s remark that “Without borders there is no country,” he said that “without digital borders there is no financial security or protection for our national economy.”
Those that have sufficient resources, such as large and wealthy organizations, do a good job of making the requisite investments to protect themselves from cyber threats, said Accenture’s Hunt. But firms or groups with fewer resources will continue to struggle. “We have this new digital divide, and I call it cyber haves or have-nots, and other people have spoken about a cyber poverty line,” he said. What makes matters worse is a “critical shortage” of cyber personnel, which in turn drives up costs further, he added.
Even with large organizations, Hunt said cyber attacks could creep into their systems through a vendor that may be small and without the security infrastructure to deal with these nefarious actions. For example, the massive breach of Target four years ago was traced to its heating and air conditioning services contractor. “When we have this massively interconnected world, we’ve got to think of an approach that can lift all boats,” he said. Hunt noted that the Defense Logistics Agency (DLA) does business with 60,000 small firms. “Each one of these potentially puts us at risk from a national security perspective, just from that DLA engagement alone.”
The seriousness of the situation is made clearer when one considers how little it costs hackers to unleash such massive disruptions. “You have actors who can spend very little money, scale their resources very effectively, and have an asymmetrical destructive impact while using our own technology,” said Lawrence. “This is the greatest tax on the national economy bar none, and it’s the greatest terror on our economy, bar none.” Olsen said that while there are various estimates of the cost of a data breach, a Verizon study puts the average cost of a breach at between $5 million and $15.6 million in “a mammoth breach.” But that doesn’t include litigation costs and the hit to a company’s reputation. Hunt said cyber crimes have cost the U.S. 0.7% or 0.8% of GDP for the last three or four years.
But some costs are just so high it is impossible to put a price on them. “What’s the cost of undermining your democracy, or stealing your intellectual property in the billions?” Murphy asked. “The cost is much bigger. It’s the way of life here in the U.S.”
A Leadership Vacuum?
Lawrence wanted to know what might provide the crucial trigger for legislative action. “Is it going to take a crisis?” he asked. “Or can we begin to apply what has worked in the past to deter enemies of the country, criminals, organized crime groups in these activities, and begin to have a unified response that will protect all?”
An effective national response to cyber threats has to take shape in public policy. Murphy wondered what might provide the impetus to achieve that goal. “Maybe it takes one of those major events,” he said. “What we’re advocating is, let’s get ahead of it.” He referenced a Knowledge@Wharton opinion piece by Lawrence and SEC chairman Jay Clayton, where they call for the creation of a “9-11-type Cyber Threat Commission.” Murphy pointed out that the public policy response to cyber threats has been slow. “[Cyber crime] is at net speed and we’re moving at policy speed and debate speed. We have to move faster, that is the call.”
Lawrence added that “it is not about the people and resources that are now focused, but it is about our approaches to risk management.” Further, “we’re at the pre-9/11 moment, or the pre-financial crisis moment, where many people are looking and seeing things, and watching with increasing concern, but the centralized leadership is yet to be there,” he said. “Something more is owed to the American people. We have yet to have ownership of this issue, and we have yet to have fully [transparent reporting]. It is episodic to episodic.”
One issue is that members of Congress might not be knowledgeable enough about cyber issues. Homeland Security’s Kroese said while more work needs to be done, “there is very good coordination and cooperation between the executive branch and between the legislative branches on things that happen underneath the surface.” Members of Congress attend more briefings on the subject these days, and visit DHS offices to get more acquainted with the cyber issues, he added. In some cases, cyber issues also get bipartisan support, he noted. In sum, he saw a “reinforcement and redoubling [of their efforts in] understanding the nuance of these issues.”
Lessons from Counterterrorism
The response to the terrorism threat in the U.S., especially after the 9/11 attacks, holds useful lessons in how the country could prepare for cyber threats. “One is that it’s a team effort,” said Olsen, recalling his previous role as the director of The National Counterterrorism Center. “We learned that the hard way. [9/11 showed that] we weren’t, as a government, well-coordinated in sharing information. We need to do better to share information and work the private sector with the public sector … more effectively.”
Second, “we need to address the lack of people, the lack of expertise,” said Olsen. “We did that with expertise around counterterrorism. But there are hundreds of thousands of unfilled cyber security jobs in this country. [Third], we need to harden our defenses. We’ve hardened our terrorism defenses. We’ve all experienced what it’s like to get on an airplane — that’s the way in which we’ve hardened the aviation sector from a terrorist attack. But we haven’t done enough to harden our networks and our data.” While technological resources exist, the problem is bigger as it involves people, processes, and the policies that need to be modified. “We need to harden our defenses to make the cost too high for the payoff to carry out these cyber attacks,” he said.
But Olsen also pointed to one critical difference between counterterrorism and cyber security that makes security in the latter harder to achieve: Much of what needs to be done in cyber security lies in the hands of the private sector, and 98% of the critical infrastructure of this country is in the hands of the private sector, leaving a smaller role for the government, he said.
Meanwhile, lawmakers are taking cyber security more seriously than ever before. The number of hearings on cyber-related issues has risen from one a month to six or seven a week, Kroese said. “Almost every authorizing and appropriating committee now wants to find a way to engage in cyber, really understanding and making sure that we are engaging with a nuanced view of what those lanes are to ensure that the legislation that comes out is smarter.”