However, there may be nothing to fear but the threat of cyber apocalypse itself. By Patrick Tucker
A major cyber attack will happen between now and 2025 and it will be large enough to cause “significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars,” according to more than 60 percent of technology experts interviewed by the Pew Internet and American Life Project.
But other experts interviewed for the project “Digital Life in 2015," released Wednesday, said the current preoccupation with cyber conflict is product of software merchants looking to hype public anxiety against an eternally unconquerable threat.
It’s the old phantom of the “cyber Pearl Harbor,” a concept commonly credited to former Defense Secretary Leon Panetta but that is actually as old as the world wide web. It dates back to security expert Winn Schwartau’s testimony to Congress in 1991, when he warned of an “electronic Pearl Harbor” and said it was “waiting to occur.” More than two decades later, we’re still waiting. The Pew report offers, if nothing else, an opportunity to look at how the cyber landscape has changed and how it will continue to evolve between now and 2025.
Potential Infrastructure Vulnerabilities
A key concern for many of the experts Pew interviewed is infrastructure, where very real cyber vulnerabilities do exist and are growing. Stewart Baker, former general counsel for the National Security Agency and a partner at Washington, D.C.-based law firm Steptoe & Johnson told Pew, “Cyberwar just plain makes sense. Attacking the power grid or other industrial control systems is asymmetrical and deniable and devilishly effective. Plus, it gets easier every year. We used to worry about Russia and China taking down our infrastructure. Now we have to worry about Iran and Syria and North Korea. Next up: Hezbollah and Anonymous.”
Jeremy Epstein, a senior computer scientist working with the National Science Foundation as program director for Secure and Trustworthy Cyberspace, said, “Damages in the billions will occur to manufacturing and/or utilities but because it ramps up slowly, it will be accepted as just another cost (probably passed on to taxpayers through government rebuilding subsidies and/or environmental damage), and there will be little motivation for the private sector to defend itself.”
Today, cities around the world use supervisory control and data acquisition (SCADA) systems to manage water, sewage, electricity, and even traffic lights. Last October, researchers Chris Sistrunk and Adam Crain found that these systems suffer from 25 different security vulnerabilities. And it’s not unusual for them to have the same security passwords that came direct from the manufacturer. As writers Indu B. Singh and Joseph N. Pelton pointed out in The Futurist magazine, the failure to take even the most basic security precautions leaves these systems open to remote hacking.
Its one reason why many security watchers were hopeful that the Obama administration’s Cybersecurity Framework, released earlier this year, would force companies that preside over infrastructure components to take these precautions, but many in the technology community were disappointed that the guidelines did not include hard mandates for major operators to fix potential security flaws.
Partner, Steptoe & Johnson
But some political leaders say that the response from industry to cyber threats has outpaced that of government. Just ask Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, who said that private businesses were increasingly asking government to defend them from cyber attacks from other nation state actors, and even launch first strikes against those nations. “Most of the offensive talk is from the private sector, they say we’ve had enough,” Rogers said at a recent Washington Post cyber security summit.
(Read more: House Intel Chief Wants To Increase Cyber Attacks)
It’s worth noting that the Pew survey was made public one day after the group FireEye released a major report stating that a Russian-government affiliated group was responsible for hacking into the servers of a firm keeping classified U.S. military data. In his remarks at the summit, Rogers singled out Russia as a prime target for future, U.S.-lead cyber operations.
But SCADA vulnerabilities look quaint compared to the exploitable security gaps that will persist across the Internet of Things as more infrastructure components are linked together. "Current threats include economic transactions, power grid, and air traffic control. This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure,” said Mark Nall, a program manager for NASA [emphasis added].
Other experts told Pew that military contractors, facing declining business for missiles and tanks, have purposefully overblown the threats posed by cyber attacks to scare up an enemy for the nation to arm against.
“…This concern seems exaggerated by the political and commercial interests that benefit from us directing massive resources to those who offer themselves as our protectors. It is also exaggerated by the media because it is a dramatic story,” said Joseph Guardin, a principal researcher at Microsoft Research. “It is clear our leaders are powerless to rein in the military-industrial-intelligence complex, whose interests are served by having us fearful of cyber attacks. Obviously there will be some theft and perhaps someone can exaggerate it to claim tens of billions in losses, but I don't expect anything dramatic and certainly don't want to live in fear of it.”
Guardin, (remember, he does work for Microsoft) is joined by other experts who agree that future cyber attacks will resemble those of today: big headlines to little real effect. Data and intellectual property theft will happen, possibly causing inconvenience for consumers and revenue loss for corporations, but the digital apocalypse is not nigh.
"There will have been major cyber attacks, but they are less likely to have caused widespread harm. They will be stealth attacks to extract information and exploit it for commercial and political gain. Harm to an enemy is only a desire of less sophisticated individuals. Anyone who amasses the ability to mount a major cyber attack, better than their opponent, also doesn't want to lose their position of advantage. They are likely to shift to strategies of gain for their own position, rather than explicit harm to their victim, which would alert their victim and close off their channels of attack, and set back their advantageous position,” said Bob Briscoe, chief researcher in networking and infrastructure for British Telecom.
Still others, such as lead researcher for GigaOM Research Stowe Boyd, said that the growing cyber capabilities of states like China almost promise bigger cyber attacks of growing international importance.
“A bellicose China might 'cyber invade' the military capabilities of Japan and South Korea as part of the conflict around the China sea, leading to the need to reconfigure their electronics, at huge cost. Israel and the United States have already created the Stuxnet computer worm to damage Iran's nuclear refinement centrifuges, for example. Imagine a world dependent on robotic farm vehicles, delivery drones, and AI-managed transport, and how one country might opt to disrupt the spring harvest as a means to damage a neighboring opponent,” Boyd said.
Chief researcher in networking and infrastructure, British Telecom
However real or overblown the threat, the military is rapidly ramping up protective measures. Many of which are also in line with what experts in the Pew report predicted.
Cyber-Security’s Future: Battle of the Botnets
What are some of the tools we will use to defend networks and individuals from future cyber boogie men? Nall looks to ever-smarter, more self-directed cyber defense software systems. “In addition to current methods for thwarting opponents, growing use of strong artificial intelligence to monitor and diagnose itself, and other systems will help as well.”
Vint Cerf, a research pioneer who was instrumental in the creation of the Internet, notes that “systems that observe their own behavior and the behavior of users may be able to detect anomalies and attacks. There may well be some serious damage in the financial sector especially.”
Roboticized cyber-defense is a project that the military is already pursuing through the Defense Advanced Projects Research Agency’s Cyber Grand Challenge, a capture-the-flag style competition to develop “automated security systems,” to defend core cyber assets, in other words-- programs that detect and respond to threats with minimal human intervention.
“I hope you start to see automated cyber-defense systems that become commercial," DARPA director Arati Prabhakar told the crowd at the Post summit. “A lot more work has to happen before we can show that it’s possible.”
The Lack of a Red Line on Cyber-Threats
Regardless of what sorts of good botnets protect us from evil botnets, cyber attacks could have growing geopolitical implications. Sen. Jim Inhofe, R-Okla., the ranking member of the Senate Armed Services Committee, lamented what he perceives as a formal doctrine on when and how to launch offensive cyber operations. Inhofe, at a Senate hearing in March said:
“...I am concerned by the lack of progress by the administration in developing a policy for deterring the growing number of adversaries in cyberspace. This lack of a cyber deterrence policy and the failure to establish meaningful norms that punish bad behavior, have left us more vulnerable and at greater risk of continued cyber aggression.”
Rep. Rogers reiterated the concern that in terms of U.S. policy regarding cyber attacks, there is no firm red line. “You would be surprised at how far we are from a sound policy” to conduct offensive cyber warfare, he said recently while calling for the United States to ramp up its efforts to launch offensive cyber operations.
The next questions become what might those look like and what rules govern their scope?
The Pentagon recently made public a formerly secret, 2013 Joint Chiefs document, (JP 3-12) explaining its doctrinal approach to launching major cyber attacks against nation-state enemies. It limits potential targets to “military” but then goes on to define that broadly as "those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage."
In theory, that designation could include corporations or even U.S. corporations, individuals that aren’t on anyone else’s target list, as well as computers or systems hijacked to launch cyber attacks by unseen third parties.
Predicting What Future Cyberwar Will Look Like
Speaking to Pentagon reporters in June, Adm. Michael Rogers, commander of U.S. Cyber Command and director of the NSA, offered his own projection for the future of cyberwar in the year 2025, which would look a lot like regular war with more cyber activities thrown in. Soldiers on the front lines would use cyber-weapons as readily as they use live ammunition.
"In the year 2025, I believe ... Army commanders will maneuver offensive and defensive [cyber] capability much today as they maneuver ground forces," Rogers said. "The ability to integrate cyber into a broader operational concept is going to be key. Treating cyber as something so specialized, ... so unique -- something that resides outside the broader operational framework -- I think that is a very flawed concept."
For evidence of that, look to the integrated Field Manual for Cyber Electromagnetic Activities, a first of its kind how-to guide that combined cyber operations with jamming and other electromagnetic activities associated more traditionally with combat operations.
Signals Intelligence, CyberWar and You
You may believe that a major cyber attack is likely to occur between now and 2025, or you may view the entire cyber menace as a scheme by security software companies. (The truth may be a mixture of both.) However, one thing that the threat of cyberwar will certainly do is increase the amount of computer, and particularly network government, surveillance to detect “anomalous behaviors,” possibly related to cyber attacks. The same recently released Pentagon paper on offensive cyber operations made a pointed mention of networks and the cloud as a potential source of signals intelligence of relevance to cyber-operators. Networks were “a primary target for signals intelligence (SIGINT), including computer network exploitation (CNE), measurement and signature intelligence, open source intelligence, and human intelligence.”
Make no mistake, signals intelligence collection means watching how individuals behave online.
As for the Pew’s 2025 date, Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, told Defense One that he considered it to be arbitrary. “We just don’t have a clue when it’s going to happen,” he said, adding that a single cyber attack on the scale of Pearl Harbor frightened him less than the prospect of a massive cyber failure, absent of malice but with real-time market implications.
“I’m less concerned about attacks and more about a shock” of the size of a major market collapse, he said and argued that pre-occupation with a “cyber Pearl Harbor” ignores the “larger complexity” of the issue. “What do we do if one of these IT companies that’s too big to fail has a Lehman Brother’s moment? The data was there on Monday and is gone on Friday? If a major cloud provider fails, how do we get our data back?”
While Healey was incredulous that a country like Russia would launch a cyber attack resulting in loss of life, he acknowledged that much has changed between today and 1991 when the electronic Pearl Harbor concept first emerged. And the changes are coming only more rapidly, as are potential vulnerabilities.
“The more that we plug things to the Internet, things of concrete and steel and connect them to the Internet, the more likely we are to get ourselves into the state where this will happen in 2025. The dynamic that will make that more and more true is the Internet of Things,” he said.