Cyber Scene #36 - Cybersecurity's Changing Face
Cyber Scene #36 -
Cybersecurity's Changing Face
From the Encryption Dilemma to War
US Attorney General (AG) William Barr presents his view of cybersecurity as the largest game changer in his nearly 30-year bookend tenures as AG (Bush 41 and Trump) at a Fordham University conference sponsored by the NY FBI Field Office. He poignantly notes that in the "vast and expanding digital infrastructure" that we depend on, we are challenged by "...making our virtual world more secure...but not at the expense of making us more vulnerable in the real world." One particular example is encryption to defend against cyber attacks while still retaining the ability to lawfully respond to criminal activity. He boils it down to balancing a citizen's and the general public's interests, as intended by the Fourth Amendment. He lays forth Supreme Court case history, the issue of "going dark," and suggestions from the UK's GCHQ for mitigating encryption challenges as well as examples of other nations which are moving on to establish statutory frameworks to better create a balanced way forward.
Another lead attorney, NSA General Counsel (GC) Glenn Gerstell in his 10 September NYT op-ed, underscores concern about technology "upending our entire national security infrastructure." He writes of the US Intelligence Community in its entirety and expands to include partners such as the Five Eyes community (US, UK, Australia, Canada and New Zealand) and other like-minded countries as warfare morphs increasingly into digitized expressions. The GC had earlier served on the president's National Infrastructure Advisory Council, where infrastructure includes digital bridges derived from the imperative to embrace the future and plan for a "whole of government" + partners solution.
Moving from the (attorney) general to the specific--Army General, NSA Director and Cyber Command Commander Paul Nakasone--NYT intelligence experts David Sanger and Julian E. Barnes look on 23 September at the context of possible cyber attacks against Iran. The Pentagon has held for several years that a cyberattack may be viewed as an act of war. The possibility of spiraling retaliations, digital and tactile, could ensue. General Nakasone has reportedly informed the White House that a "cyberscenario is no magic bullet" for deterring Iranian aggression. As noted above by GC Gerstell, such a scenario would not only engage the whole of government but would have broad-reaching international implications.
For those curious as to how inching into a cyberwar without a magic bullet, or perhaps a clear end state and means to get there could play out in an era of denial of service (hospitals, electricity, water supply) , captured ships(recent history), or boots on the ground, aural learners might appreciate Episode 84 of the "Dead Prussian Podcast" military strategy series, the Prussian being the revered military strategist Carl von Clausewitz. In this broadcast aired on 20 September, the host discusses a recently published book on "The Day After" the cessation of combat. The author, Lieutenant Colonel Brendan R. Gallagher, a serving US Army battalion commander ("Princeton Ranger" on Twitter), analyzes the last 20 years of US military engagement regarding success or failure. This is viewed from the existence or absence of clearly articulated goals paired with a strategy, working backwards, to get there. An inconsistent tension underlines these wars: choosing "enduring democracy" or “bring the troops home now," but not both. He argues that the decision to go to war needs to be reached after this strategy is determined, the means to execute it to the desired end state with obstacles identified and mitigated, and teed up by the National Security Council apparatus for whole of government engagement. This approach may be applied to cyberwarfare as well as 21st Century sea/land/air combat.
Cybermetrics, Anyone?
Former DHS Deputy Assistant Secretary for Policy and Senior Chertoff Group Advisor Paul Rosenzweig writes in Lawfare that cybersecurity is similar to (well, you know...): "we know it when we see it" but struggle to define or measure it. This impacts on our ability to judiciously make "tradeoffs, cost-benefit assessments, and (address) issues of practicality and scalability." He opines that measuring cybersecurity is foundational for policy, law, and business decision-making. He notes that "trust us" is no longer a rational response, particularly in the current environment of "tech-lash." Granted, there have certainly been improvements but how much, how fast, how effective are they? Some are considered "secret sauce" not openly disclosed, so transparency and accountability are left wanting. Or is the "quest for good cybersecurity metrics a phantasm?" The answers to cost, value and benefit are unknown if this exceedingly elusive quest for metrics remains unresolved. Science and art seem to be inextricably linked for those seeking a solution.
Up Hill Toward Intelligent Decisions
In the wake Director Mueller's headline-monopolizing Congressional testimony in late July, a reflection of extremely encouraging bipartisan unity also occurred at that time: the move forward in Congress of the Intelligence Authorization Act for FY 2018, 2019 and 2020. This provides a means of resolving some of the challenges noted by AG Barr, GC Gerstell, and lawyer Rosenzweig above. The HPSCI approved the bill and moved it forward. The House added a few amendments, "overwhelmingly passed" in a bipartisan show of strength: 397-31 (92% yea, 7% nay, 1% not voting).
The SSCI had approved it unanimously on 14 May, but recommended a full Senate vote. With strong votes in the full Senate. For cyber practitioners reading this Cyber Scene, the act not only specifically calls out Russian cyber threats relating to election interference and creating a task force within the ODNI to protect the US tech supply chain, but also, notably, "...enhancing career path flexibility and benefits for cybersecurity experts working within the Intelligence Community."
Distrust and Verify
In the US
With attempts to measure, balance, and fund the future cyber developments as noted above, interaction between the tech giants and the Hill continues to accelerate. This includes discussion about regulation. The US Department of Justice (DOJ) decided to open an antitrust review regarding tech giant competition and market power, which ups the game. On the one hand, the 10 August Economist posits that the big tech firms are solidly ensconced. The article notes that not only are these firms exceedingly successful, they also pour vast bullish proceeds into innovation and advertizing for their customers. These customers, however, are more concerned than in the past about big tech's negative impact on society. DOJ is not alone. Kevin Roose, in the 12 August NYT criticizes the tech leadership for swapping hoodies for flag pins to woo Congress by "conspicuous patriotism." This approach from tech leadership may not yet be successful: on 9 Sep the NYT published charts on "16 Ways that Facebook, Google, Apple and Amazon are in Government Cross Hairs." The leading, detailed offenses across the board, as denoted by tech company and the particular agency or committee that was in the mix, were privacy and antitrust infractions.
Foreign Relations Trick or Treat: Cybersecurity Month and Leif Erikson Day
In the shadow of this year's DHS designated Cybersecurity Month, NYT Adam Satariano reports from Copenhagen on 3 September that Big Tech is so powerful and so global as to merit collective superpower status there. He notes that in 2017, Denmark acknowledged that such a superpower required diplomatic treatment and named a career diplomat, Casper Klynge, as Ambassador to the Tech Industry. His war experience involves Kosovo and Afghanistan (two of the wars discussed in the above-cited podcast) and also harkens to the classic Clausewitzian definition of war as "the continuation of politics by other means." A case could be made relying on the diplomatic tool of statecraft to avert cyberwarfare or tech-bashing. The future may offer the readership an opportunity to weigh whether diplomacy or Congressional regulation is more effective. On a lighter note, there have been unconfirmed rumors that this Viking nation, whose early explorer discovered the new world, may be considering a "Make Denmark Great Again" agenda by repossessing New England. (N.B. This is unrelated to the self-designated "Great Dane," the prescient and late Victor Borge.) Minnesota may also be in the mix. The Danes appear to be disinclined to sell Greenland. The 9 October traditional US presidential proclamation on Leif Erikson Day, should it occur this year, may shed some light on the future of US-Danish partnership.
Near and Far
As facial recognition improves by leaps and bounds, its applications and countermeasures do so as well. The Economist 15 August "Face off” scans across San Francisco, CA, through the UK and Hong Kong tech developers and academics who are moving full-frame ahead, so to speak, in perfecting AI-based techniques and expanding face-recognition applications. Some US cities disallow their use as an affront to privacy. Protesters in Hong Kong have hidden their faces or pointed hand-held lasers at cameras. Although face recognition is broadly used in UK surveillance, some members of parliament have called for a ban on police use. How good is it? The US National Institute of Standards and Technology (NIST) says that as of 2018, face-recognition technology was over 99% accurate. The article goes on to analyze academic research across the globe, summing up that there are still loopholes. Sunglasses, anyone?
For those who deem these countermeasures insufficient, Consumer Reports is running an October Guide to Digital Privacy entitled "Who is Watching You" and how to help individuals implement privacy controls.
Farther: The Great Wall
China is reloading to thwart damage to Huawei's market share by unveiling a new mobile operating system, Harmony, as reported by the NYT's Raymond Zhong on 9 August. Although some of the impact on Huawei's ban is slightly mitigated now, it remains the world's second greatest smartphone provider, behind Samsung but ahead of Apple, per Mr. Zhong.
The overarching issue for Huawei, however, is creating a means to verify what they can deliver in an atmosphere of distrust, as captured by the Economist's Chaguan in Distrust and Verify on 8 Aug.. Customers expect a tech life commitment based on trust. Even more challenging, the present globalized marketplace has created an international supply chain based, in some markets, on "ABC: Assume nothing. Believe nobody. Check everything." This is basic caveat emptor. The Chinese dismiss queries into national intelligence requirements of tech companies to share with the national government by saying that these laws only apply within China. The article concludes by suggesting that China's tech companies retool their marketing approach to argue for acceptance of low- or non-existent trust. But the reporter does not except that to be acceptable to the Chinese government. More recent developments in mid-September include the eviction of the Chinese telecom company by an international cybersecurity group in order to comply with US sanctions. The reported downside per Wired, is the increased vulnerability of customer systems to malware attacks.
Forecast: Cloudy Weather for Capital One
As customers are checking to see what is in their wallets (and bank statements and social security cards), the Washington Posts' Rachel Siegel reported that Capital One's reliance on cloud security was misplaced as, per the article, cloud services themselves were compromised. The Economist's Schumpeter dubs this breach the "Exxon Valdez of cyberspace." Like the single-hulled Exxon Valdez, Capital One's "security web application firewall" was penetrated by the hacker. With the oil spill serving as a "watershed" (? oil shed?) moment for Exxon, the cyber world should, Schumpeter argues, learn from Exxon's 30 years of course correction.
Black Hat Snippets from Wired
For those not attending the Black Hat conference this August, Wired has highlighted cybersecurity threats for you. Two examples of likely broad concern are the following.
Dreamliner or Nightmare?
Cyber experts have discovered a flaw "in the gut" of the Dreamliner Boeing 787, adding to Boeing's 737 MAX and stock price woes. The discovery of a security glitch in the aircraft's code, while dismissed by Boeing, is viewed by its discoverer as a serious concern.
I Phone,They Text
A second eye (I)-catching Black Hat summary, courtesy of Wired, is a discussion of how hackers can access Iphones via a text without the Iphone user ever clicking on the text. The interaction-less iOS attack is an offshoot of the WhatsAPP flaw that allowed phone calls to attack phones without being answered.