Cyber Scene #34 - Grid Lock, Here and There
Before discussing somewhat somber cyber-related issues developing or breaking over the prior month, let's look at the June "celebration of cyber" edition of "Wired," in a sense a counterpoint to Roger McNamee's dour "Time Magazine" technology review, all of which is linked directly or indirectly to cybersecurity. "Wired's" Paul Ford launches "Why I (still) Love Tech: In defense of a difficult industry" to remind us why he is "proudshamed" (sic) of the growth of technology. His journey begins with the annual Davos global conference themes of 1996 "Sustaining Globalization" and 1997 "Building the Network Society" and their logical linkage. On a personal level, he envisions someone in his youth, unimaginably at that time, predicting that he could carry "a few thousand Cray supercomputers in my pocket." He goes on to ask how one can change an industry that "just won't stop" and morphs in incredible ways, like U2's worldwide success leading to "Bono hanging out with Paul Wolfowitz." Surrealist, indeed. He reviews a day in his contemporary life and closes with "Proudshamed, yes, but I still love it ... down to the pixels and processors, and up to the buses and bridges ... but the miracle is over, and there is an unbelievable amount of work left for us to do."
And as to that work ...
Grid Lock, Here and There
In a dystopian world, things fall apart. Digital cyberattacks on infrastructure, e.g., the systems directing the buses and toll booths for the NYC bridges Paul Ford discussed above, cripple an individual's daily life. Baltimore, MD, and Riviera Beach, FL, know this life. Beyond the press discussions of who has the digital "smoking gun" and who created it, Baltimore has been subjected to extortion costing $18M to repair the computer shutdowns impacting health alerts, real estate sales, water bills and other services, according to a series of articles by NYT's Scott Shane and Nicole Perlroth (NYT 25 May, 31 May). While portions of this group of attacks, so far on Baltimore, Allentown PA and San Antonio TX, may have been related to a lack of Microsoft patches (updates, updates!!), the attacks occurred. Riviera Beach, as reported by Patricia Mazzei (NYT 20 June), simply sent a Bitcoin "check" equivalent to $592,000 to cancel the ransomware attack which closed down the entire city computer system, starting with the policeman who opened an infected email.
Sanger and Perlroth go on to report separately (NYT 15 June) that National Security Advisor John Bolton on 11 June warned "... Russia, or anybody else that's engaged in cyberoperations against us, 'You will pay a price.'" The article goes on to discuss digital land mines reportedly laid in Russia's power grid to return the favor. CYBERCOM Commander General Paul Nakasone is quoted as advocating the need to "defend forward." The return volley arrived on 17 June, with the Kremlin spokesman warning of an escalation of tension that may lead to a cyberwar, despite his confidence in Russia's capability to defend itself, per NYT's Ivan Nechepurenko (NYT 17 June).
“…the Terrible SWIFT Sword?”
In a discussion of an intermingling of trade and cyberwar, the "Economist" (6 June) addresses the vulnerability of interdependent tech supply chains. It opens in "Pinch Point" with a description of the mayhem in the literal wake of the earthquake that knocked out Japan. It points out that cataclysmic events--floods, fires, tsunamis, earthquakes (and more of them)--provide rude tests of the supply chain in a digital world. It transposes these events to a "geopolitical shock" linked to Cyber Scene's earlier discussions of Huawei and its 5G blacklisting by the US. Citing two US academics, Henry Farrell of George Washington University and Abraham Newman of Georgetown University, the "Economist" refers to the temptation of weaponizing interdependence. One option the US is reportedly considering is blacklisting countries that deal with Huawei from the SWIFT international banking/clearing network hosted in the US.
The "Economist" article also includes an informative chart entitled "Interdependence days" laying out a smartphone example of digital supply chain interdependence in a globalized world.
An aside from your author: "weaponizing trade" is becoming a ubiquitous term, but the use of economics as a tool of statecraft is not a new arrival to the strategic toolkit. The National War College (motto: "Strategy in war and peace") teaches the "DIME" approach (chapter IV page 13): diplomacy, information (to include intelligence), military might, and economic power. Note that several prominent military leaders -- Generals Jim Mattis, Colin Powell, Dwight D. Eisenhower, and George C. Marshall himself, inter alia -- have underscored starting with the "diplomatic dime" instead of the "military dollar" to avoid General Powell's Pottery Barn rebranding: "you break it, you own it." General Marshall also invested in a version of "E." Japan and Germany remember; Afghanistan and Iraq not so much.
Back to the Future
Elections, Also Here and There
The European Union Commission's foreign policy and security arm determined that Russia and other, non-state, actors undermined the May 2019 EU elections through disinformation to "suppress turnout and influence voter preferences," as reported by the NYT's Adam Satariano (14 June). Satariano continues, noting that many investigators, academics and advocacy groups had warned of this. They feared the Kremlin's spread of divisive content online "to inflame and stoke electorates all over the world."
Just days earlier (NYT 6 June), Nicole Perlroth and Matthew Rosenberg analyzed how legal roadblocks are impeding US 2020 presidential candidates from accessing a wide range of cybersecurity assistance, some of it offered free of charge or discounted to all candidates, as this cybersecurity support is considered an "in-kind donation." The issue was addressed in early June when lawyers at the Federal Election Commission advised the Commission to deny a request from a Silicon Valley tech firm asking to provide services to all candidates at a discount. A US Senate bill to allow political parties to provide greater cybersecurity assistance to candidates stalled in the Senate when the majority leader declined to bring it to the floor for a vote. On the other hand, FBI Director Christopher Wray is cited as warning in April 2019 that Russian election interference continued to pose a significant counterintelligence threat and that 2016 and 2018 efforts were "a dress rehearsal for the big show in 2020." The article cites JPMorgan Chase's Jamie Dimon as saying that the bank spends nearly $600M a year on security; Bank of America's CEO says his bank has a "blank check" for cybersecurity. Several additional cybersecurity experts reinforce this looming crisis and point out that the 2020 campaigns have neither the expertise nor the finances to deal with this nation-state threat.
On the academic front, Matthew Lepinski, MIT PhD and cybersecurity expert teaching at the New College (Florida's honors college), gave a public presentation on 11 June, sadly not on video, entitled "A Cybersecurity Perspective on Elections." (Recall last month's Cyber Scene reference to two Florida county 2018 elections being hacked.) Dr. Lepinski had been engaged in the 2000 Cal Tech-MIT Voting Technology Project studying malicious cyber adversaries, so concerns about election tampering are nearly a decade old and no longer involve Chicagoans voting from the grave. He mapped out three areas of direct election interference: registration, polling operations, and counting/aggregation. He discussed and rated the danger level of each of these from the perspective of availability/denial of service, integrity/falsifying data, and confidentiality/theft of data. He then arrived at the "quo vadis" portion, noting that election legitimacy matters because it validates democracy through institutionalizing the peaceful transfer of power. Discussing the broad picture, he also made specific suggestions: to standardize the cyber side of the election process; to ensure a backup process to legitimize the voting, such as a paper ballot in addition to voting machines, for the purpose of auditing and transparency; and to empower the states to regulate and standardize this across their electorate.
In Tech We Trust?
“Barron's” Eric Savitz (10 June) leads off with options for thinking differently about regulating the tech world. Savitz references the early June announcement that the FTC and Department of Justice (DOJ) would be launching investigations of sorts regarding Facebook and Amazon (FTC) and Apple and Alphabet’s Google. To date there is no open source information about these DOJ and FTC activities. However, NYT’s Cecilia Kang, David Streitfeld and Annie Karni wrote on 3 June about the “tough scrutiny from all sides” the tech giants would face on the subject of competition and new antitrust considerations. Two days later, Cecilia Kang and Kenneth P. Vogel (NYT) wrote of the “army of lobbyists” these four tech leaders are deploying, at the combined cost of $55M for 2019, and the interface they have with particular political figures. The registered lobbyists—238 of them as of the first calendar year quarter—come largely (75%) from earlier government employment.
Antitrust and Verify
The Chairman of the House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law announced, as reported by the NYT on 3 June, that the subcommittee planned to hold a set of hearings over the next 18 months to focus on digital platforms. True to his word, the subcommittee held the first of these on 11 June on “the impact of digital media on the news industry.” Incredibly, this is the first hearing on media antitrust issues since the Ma Bell breakup. Chairman Cicilline (D-RI) opened with a reference to the importance of the free press as the backbone of our democracy. David Pitofsky, the General Counsel for News Corp, which includes publications such as the Wall Street Journal, said that the media industry is in economic freefall with massive workforce reductions. He included the example of the Cleveland Plain Dealer, the city’s only remaining daily, which just announced an 80% layoff. This decline for both on-line and traditional media, according to the testimony, is due to the “erosion of advertising revenue.” There was much discussion around how to “reset” and how to regulate the monetization of data. The definition of antitrust had been traditionally very narrow, but in the digital age several Members and guests agreed on the need for a careful and different approach. The hearing is available for your viewing.
Elsewhere on the Hill, the House Permanent Select Committee on Intelligence (HPSCI) also engaged media experts in exploring the problem of deepfake videos. Chairman Adam Schiff (D-CA) discussed the issue of what appropriate response should be taken for the election, while Ranking Member Devin Nunes (R-CA) confirmed that media manipulation was a real problem, and sought information regarding details of deepfake issues themselves. Those testifying included a former DARPA project manager, David Doermann, who considered the taking down of such videos a “cat and mouse game which is a new major concern.” Danielle Citron, a law professor at the University of Maryland, argued that immunity law protected the guilty and needs to be updated. She also pointed out that when the media withhold posting an item that they might believe to be fake, and err, they themselves can “get burned.” This hearing was particularly edifying. The Members were genuinely concerned, and those testifying came with brilliant credentials in both the public and private sectors.
The Senate Select Committee on Intelligence (SSCI) held five hearings in June on “intelligence matters” but all were closed. Their last open hearing was on 1 May. “Holding one’s tongue in public” matters too.
Though only indirectly related to cybersecurity, if you need a Senate fix, watch the Senate Foreign Relations Subcommittee on Europe and Regional Security Cooperation look at Russia's activities in Ukraine. This aired, presciently, just before the Netherlands released the names of the Russians under indictment for the shootdown in Ukraine of Malaysia Airlines Flight 17. The Senate subcommittee hearing, chaired by Ron Johnson (R-WI), was very balanced: the current State Dept Special Rep for Ukraine negotiations, a former US Ambassador to Ukraine, and experts from the Heritage Foundation and Brookings Institution provided rational and highly experienced discussions with these Senatorial inquiring minds. Cyber did play a role in detection and indictment, but not, to (at least public) knowledge, in the attack itself.