LANDING ZONE 6.17.21
BY ALAN W. DOWD
As American citizens, businesses and government agencies come under increasingly disruptive attacks in cyberspace, a change in our approach to defending this relatively new domain is long overdue. As they undertake this effort, policymakers can find some helpful lessons in the history books.
ATTACKS
Before we get into those lessons, it’s important to discuss some of the assaults our enemies are unleashing on America’s corner of cyberspace.
There were 203 million ransomware attacks targeting U.S. entities in 2020. These are attacks that lock a computer network and then demand ransom money to allow the network’s owner to regain control.
In May, Colonial Pipeline, which administers the major fuel arteries serving much of the East Coast, was hit by ransomware from a group called DarkSide. As Emily Harding of the Center for Strategic and International Studies explains, DarkSide is “a Russia-based entity…no cyber-group operates there without Moscow’s knowledge.” The attack triggered a spike in gasoline prices, gas-station closures and panic hoarding, as the food supply, livelihoods and freedom of movement of 100 million Americans were held hostage.
Less than a month later, a ransomware attack targeted meatpacking giant JBS, which processes much of America’s beef, pork and chicken. Again, the ripple effects were widespread: Plants were idled; wholesale meat prices jumped; livestock deliveries were delayed; slaughterhouses were forced to slow production; restaurants and families faced higher retail prices. And again, a Russian hacking group was behind the attack.
These are just the most recent examples.
In early 2020, hackers working for Russian intelligence piggybacked onto a software update issued by IT management firm SolarWinds. Unbeknownst to SolarWinds or its customers, the sophisticated Russian malware reached into 100 companies and a dozen U.S. government agencies, including Microsoft, Intel, Cisco, and the departments of Defense, Treasury, Justice and Energy. It’s been described as a “nightmare” attack.
The Department of Homeland Security discovered in March 2016 that “Russian government cyber-actors … targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”
China has used cyberattacks to infiltrate subcontracting systems related to the development of the F-35 and C-17. China launched “spearphishing” attacks against Westinghouse, Alcoa, Allegheny Technologies and U.S. Steel. And according to IT security firm Mandiant, a cyber-force within the People’s Liberation Army (PLA) known as “Unit 61398” has stolen “hundreds of terabytes of data from 141 companies.”
Equally worrisome, China penetrated the Office of Personnel Management and compromised the financial and personal data of 21.5 million Americans. U.S. officials describe it as “the most devastating cyberattack in our nation’s history.”
North Korea has launched cyberattacks against U.S. companies conducting COVID-19 research.
Iranian cyberattacks have siphoned intellectual property from 144 U.S. universities and 36 U.S. companies.
DESTRUCTION
What America is weathering in cyberspace is nothing less than economic warfare: China alone steals between $225 billion and $600 billion of American intellectual property — every year.
Yet the cyber-siege extends far beyond espionage and intellectual-property theft. We learned during the JBS and Colonial hacks that disruption of services and supplies caused by cyberattack represents a serious threat to U.S. interests. Such cyber-disruptions can lead to real-world destruction of wealth, property, health and civil order.
For instance, cyberattacks against hospitals in Oregon, New York and Nevada — all emanating from a group called Ryuk, which is tied to Russian intelligence — crippled their ability to deliver critical care.
North Korea’s WannaCry attacks triggered chaos in Britain’s hospital system. Pyongyang’s DarkSeoul attacks destroyed 32,000 computers at South Korea’s largest banks and broadcasting companies.
In early 2021, the water treatment plant of a Florida town was hacked, and its sodium-hydroxide levels remotely altered. If not for an alert technician, 15,000 people would have been poisoned.
Iran’s Shamoon computer virus destroyed 30,000 computers supporting the Saudi oil industry.
In 2015, Ukrainian utilities were hit by a Russian malware attack, leaving 80,000 people without power in the dead of winter. There are indications China conducted a cyberattack against India in 2020 that triggered blackouts in Mumbai.
AWARENESS
Since these attacks are largely confined to that invisible realm of terabytes and code, rather than the realm of blood and bullets and bombs, most Americans have overlooked this new form of warfare. That mindset may finally be changing.
“There’s a growing awareness now of just how much we’re all in this fight together,” FBI Director Christopher Wray said after Colonial and JBS.
Indeed, there’s broad support across the political spectrum for going after state-sponsored cyber-groups.
“They’re terrorists,” Leon Panetta, President Obama’s defense secretary, says of the hackers striking U.S. infrastructure. “They’re operating out of Russia, and they are going after some very important infrastructure in this country…it is weakening the United States.”
“We need to go on offense,” Sen. Lindsey Graham, R-S.C., said after the Colonial hack. “It’s time for the Russians to pay a price here because none of this would happen without their looking the other way or actively encouraging it.”
“They can’t allow international criminals to operate with impunity within their borders,” Sen. Angus King, I-Maine, says of Putin’s intelligence services.
Panetta, Graham and King are pointing Washington in the right direction, and there’s evidence U.S. agencies are beginning to punch back.
A large portion of the ransom Colonial paid to unlock its network was seized by the U.S. government. Plus, “Within a week of the Colonial Pipeline attack, DarkSide disappeared,” Harding reports. Perhaps this was the result of a decision within DarkSide’s leadership aimed at self-preservation. Perhaps the Kremlin stepped in. Or perhaps DarkSide’s disappearance was the result of a U.S. cyber-strike.
We may never know what caused DarkSide to disappear or how the millions it stole from Colonial were recovered.
What we do know is that Lt. Gen. Stephen Fogarty, commander of Army Cyber Command, says, “We’re using cyberspace to reach out through the electromagnetic spectrum to…deliver effects.” U.S. CYBERCOM adds that its strategy of “continuous engagement” imposes “strategic costs on our adversaries.”
We know the CIA has been given broad authority to conduct offensive cyber-operations.
We know that someone hacked into the operations and hardware of Chinese telecommunications firms.
We now know that ahead of the 2018 midterm elections, CYBERCOM blocked a Russia-based hacking army known as the Internet Research Agency from accessing the Internet. We now know that CYBERCOM “conducted more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020,” CYBERCOM commander Gen. Paul Nakasone reports.
We know that North Korea’s swath of the Internet has inexplicably gone dark for stretches of time. We know that “a large number of the North’s military rockets began to explode, veer off course, disintegrate in midair and plunge into the sea,” according to open-source materials, around the time the U.S. conducted cyberoperations targeting Pyongyang’s missile program. One North Korean missile saw an 88 percent failure rate.
We know that Iran was the target of a massive U.S. cyberoperation known as Olympic Games. A key element of Olympic Games was the Stuxnet computer virus, which became the first cyberattack “used to effect physical destruction,” according to former CIA director Michael Hayden.
TERRORISM
Even so, clearly more must be done to punish and deter cyberattacks targeting America’s economy and critical infrastructure, which brings us back to those lessons from the history books.
Panetta points us toward one helpful history lesson: State-based hacker networks are very much like terrorists, and they should be treated as such.
Russia, China and their ilk are obligated, as sovereign nation-states and members of the United Nations, to prevent the use of their territory and computer networks as launchpads for cyberattacks against other nation-states — just as the Taliban, Saddam and Qadhafi were obligated to prevent the use of their territory as spawning grounds for international terrorism.
To be sure, we have to be deliberate and careful in dealing with the cyber-terrorists protected by Russia and China. As great powers, they are in a different category from the Taliban’s Afghanistan, Saddam’s Iraq and Qadhafi’s Libya. But by the same token, Russia and China must understand that they should be deliberate and careful in dealing with the United States. So, while Washington should give Moscow and Beijing face-saving alternatives and keep certain targets off limits, U.S. policymakers should make clear that certain actions are considered hostile — and that such actions will no longer go unanswered.
Toward that end, U.S. cyber-assets could preemptively cut off hacker armies from cyberspace, destroy their software and hardware, arrest their foot soldiers when possible, and seize their cryptocurrency assets. Further up the ladder, the CIA’s cyber-taskforce, CYBERCOM or other agencies (depending on U.S. law) could zero out the offshore accounts of Putin’s oligarch cronies; disable the banks and mobile-phone system in Crimea, just as Putin did in Estonia; implant bugs or backdoors in the intellectual property Beijing is stealing from U.S. defense contractors and then activate those digital time bombs to yield defective military hardware for the PLA; disable network pathways used by Chinese nationals to deliver what they harvest in their hack-and-steal operations; create cracks in the Great Firewall of China and thus enable the Chinese people to share information and ideas.
PIRACY
Harvard law professor Noah Feldman offers another relevant history lesson: These hacker groups are modern-day pirates. “Ransomware-piracy comes from states that either don’t bother to suppress the practice or else actively participate in it,” he explains, concluding that the only way it can be curtailed is if the U.S. and other countries use “their power and influence to change the incentives” of those harboring the cyber-pirates.
The weapons in this war on cyber-piracy, according to Feldman, include sanctions against state sponsors, targeted cyber-counterattacks and a clear pronouncement that ransomware-piracy could be considered an act of war.
The State Department is parceling out sanctions. The CIA, NSA and CYBERCOM are carrying out counterattacks. Perhaps it’s time for the White House to let it be known that the actions of cyber-pirates and cyber-terrorists — under the wink-and-a-nod protection of Moscow and Beijing — could trigger real-world military consequences. It’s worth noting that Russian military commanders contend that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.” Relatedly, NATO recently declared that “malicious cumulative cyber activities might…be considered as amounting to an armed attack.”
A U.S. cyber-defense doctrine might sound something like this: “Any use of cyberspace to interfere with, disable or attack U.S. critical infrastructure — including systems that support military operations, military communications, and military command and control; energy extraction, storage, supply or delivery; transportation arteries; financial and banking activities; civilian communications and computer networks; the delivery, storage or supply of water, food and medical care — will be considered a hostile act and will be met with a retaliatory response in a time, place, manner and domain of America’s choosing.”
While Washington goes on the offensive, it’s crucial that American industry and government pursue digital resiliency (the ability to maintain offline backups of data needed to run operations) and non-digital redundancy (the ability to carry out at least rudimentary operations without depending on cyberspace). It pays to recall that not long ago, American government and industry delivered essential services, maintained critical infrastructure, and defended the nation without the Internet.