There is no “magic bullet” for cybersecurity to ensure that hackers never steal millions of credit card numbers or cripple part of a country’s power grid. The conveniences of living in an interconnected world come with inherent risks. But cybersecurity experts do have ideas for how the world can “survive on a diet of poisoned fruit” and live with its dependence upon computer systems.
Cybersecurity risks have grown with both stunning scale and speed as the global economy has become increasingly dependent upon the Internet and computer networks, according to Richard Danzig, vice chair of The RAND Corporation and former U.S. Secretary of the Navy. He proposed that the United States must prepare to make hard choices and tradeoffs—perhaps giving up some conveniences—in order to tackle such risks. Such ideas became the focus of a cybersecurity talk and panel discussion hosted by New York University’s Polytechnic School of Engineering on Dec. 10.
“You are trading off the virtue in order to buy security,” Danzig said. “To the degree that you indulge in virtue, you breed insecurity. The fruit is poisonous, but also nutritious.”
The Internet and its related computer networks represent incredibly useful technological tools that provide open communication and speedy transfer of digital information across the world. Cybersecurity risks arise because such useful tools can easily be misused. That means countries and corporations face some tough choices. Danzig cited an online commentator’s analogy: Would we ban automobiles from driving around banks just because they’re sometimes used in bank heists? Such added security comes with costs.
For instance, the U.S. National Security Agency adopted a new rule that requires two people’s passwords to download certain files—a belated countermeasure that only came after former NSA contractor Edward Snowden downloaded as many as 1.7 million documents exposing the U.S. intelligence agency’s worldwide surveillance programs. Such a measure provides some added security, but also sacrifices the ability of individuals to download documents by themselves for normal work purposes.
There is also the potentially huge problem of tracking and securing the electronics hardware found in everything from Internet servers to smartphones. As an example, Danzig asked Intel researchers to calculate how many transistors are manufactured worldwide every second. Intel came back with the “disorienting” estimate of 8 trillion transistors manufactured worldwide every second.
“I don’t believe policymakers, when talking about Moore’s Law and hardware, have any grasp of the magnitude of the challenge in tracking items that go into these systems,” Danzig said.
So how can U.S. lawmakers and CEOs deal with such daunting challenges? Danzig laid out some recommendations found in his Center for a New American Security report titled “Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies”—recommendations that generated both encouragement and debate among the cybersecurity experts gathered at the NYU talk.
One possible defense involves going the “Battlestar Galactica” route of isolating some computers and networks, or reducing dependence upon digital systems in favor of returning to analog. Danzig suggested merging digital systems with analog and human systems so that a cyber attack by itself can’t compromise the security of a nuclear launch facility or power plant—it might still require a human somewhere to throw a physical switch or perform another action.
Other cybersecurity ideas include making “lean systems” that don’t have extra exploitable features such as getting rid of printer features that digitally track all the documents you’ve printed. Or creating more air-gapped system “enclaves” that don’t have any Internet or local network connections to safeguard certain information.
Danzig also recommended the U.S. government take the steps of recognizing the private sector is “too important to fail” in terms of cybersecurity. Rather than have one cyber czar official applying a “one size fits all” solution, he suggested individual government departments could work with their industry counterparts. For instance, the Department of Energy could work with utilities on cybersecurity risks relevant to the power grid.
Both U.S. government agencies and private companies could also consider sharing anonymous data on cybersecurity threats in a collaborative database—not unlike what U.S. airlines do with a shared database on near misses and other risky incidents that didn’t lead to accidents.
Danzig also suggested that the U.S. could also approach China and Russia to discuss agreements on preventing common cyber attacks from morphing into future “cyber-physical attacks” that directly damage power plants or take down airplanes, the Stuxnet worm attack on Iran’s nuclear centrifuges being the most famous such case. Danzig urged the U.S. to encourage clear agreements on “red lines” for cyber attack behavior that is in everyone’s best interests, such as not launching cyber attacks that penetrate the nuclear missile commands of various countries.
The threat of cyber-physical attacks will only grow as more “non-computer” systems such as cars, medical devices, industrial machines and household appliances become connected to the Internet. That future “Internet of Things” could leave individuals, homes and entire economies vulnerable to hackers whose cyber attacks play havoc with physical objects.
Many industrial systems don’t even have authentication or authorization codes, so that hackers could metaphorically walk in the front door of a power plant’s control system. Other vulnerabilities may exist for everything from heart implants to the car systems that may someday become part of the Internet of Things.
“For those things not [yet] Internet-connected, we have enormous vulnerabilities that are not backdoor,” said Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications in the U.S. Department of Homeland Security, during the panel discussion following Danzig’s talk. “They are built-in system vulnerabilities that we are going to really struggle to fix.”
One way to tackle that daunting problem is to narrow the focus of the challenges involved. A Windows operating system may be open to all sorts of malware, but the scope of cyber-physical attacks on a power plant are necessarily limited by what they’re trying to physically accomplish, said Ralph Langner, director and founder of Langner Communications.
“Not all hope is lost, because we don’t have to analyze millions of samples of malware,” Langner explained. “We just need to analyze promising cyber-physical attack vectors, which is much easier than you might think.”
It’s also important for cybersecurity experts to not lose sight of the human element in the threat, Danzig said. He and other experts recommended more behavioral studies that look at the incentives driving the people behind certain cyber attacks—whether those people are Chinese military hackers or Eastern European criminal gangs. By understanding the motives and incentives, cybersecurity experts could come up with defenses better tailored for deterring such attacks.
Cybersecurity experts can often fall into the trap of believing there is a technical fix for everything, said Stefan Savage, professor of computer science and engineering at the University of California, San Diego. He pointed out that computer systems just represent the medium through which human conflict takes place. Therefore experts might do better to consider the who and why of cyber attacks.
“You could spend all day looking for every threat that could exist or every vulnerability that could happen,” said Stefan Savage, professor of computer science and engineering at the University of California, San Diego. “To limit that to what’s likely to happen, you have to understand your adversary.”