Cyber Warfare: The Real Cold War
A successful cyber-attack on a country’s critical infrastructure is not a question of if, but when.
- A successful cyber-attack on a country’s critical infrastructure is not a question of if, but when.
- Cyber war is upon us – and it can be hugely incapacitating, even destructive.
- As was the case with the first nuclear weapon, nation states currently perversely revel in the power of cyber weapons.
- Just like drones, cyber weapons are hard to resist.
- Given the proliferation of cyber weapons, we must negotiate a global Cyber Arms Limitation Treaty (C.A.L.T.)
- All nations must commit themselves to a “no first cyber strike” doctrine.
- Will there be illegal “cyber arms” dealers? Yes, just as there are in traditional weaponry.
- Compliance with C.A.L.T. could be undertaken by inspectors from an organization equivalent to the IAEA.
It’s a beautiful Monday morning in New York City. The air is crisp on this early spring day in April as blue skies and bright sunshine reflect off Manhattan’s skyscrapers. Given the refreshing start of the day, people are hustling about more joyfully than usual.
On his way to work at 8:32 a.m., John Miller stops at his bank’s ATM machine. After he enters his PIN, he receives a strange response on the screen. “Security code not recognized”. He tries again. To no avail.
John walks into the bank to speak to a manager. He would be the first of millions of customers of this major U.S. financial institution on that day receiving the same odd message.
At 9:00 a.m., Mary Smith, running a little bit late for her job at City Hall, needs to pick up some cash for lunch and she tries to make an ATM withdrawal at another major U.S. financial institution. She has the same bad luck as John did just 28 minutes earlier. Millions of customers of her bank, too, would share her fate on this sunny spring day.
Alarmed by these events, the chief information security officers (CISOs) of the two banks immediately hold emergency meetings with their teams. Independently from each other, each team immediately suspects that their firm has been target for a cyber-attack via what is called distributed denial of service (DDoS) in the IT security world.
Not what was suspected
Both banks had dealt with many DDoS before. These attacks had largely become a disruptive nuisance. An attacker sends excessive data traffic to the banks’ network which overloads their servers and renders them temporarily inoperable.
Financial institutions now have defensive toolkits that include a series of remedies to restore service – in almost all such cases – in fairly short order.
However, to their horror, the two banks’ CISOs and their teams quickly determine that there was no server overload. Instead, the account information of all their customers and all overnight interbank transaction data had simply been wiped out at 8:32 and 9:00 a.m., respectively.
Stranger yet, neither institution had money disappear. It simply could not be found. The two banks are confronted with their worst nightmare: loss of data.
Emergency board meetings are called in both institutions. The U.S. Federal Reserve Bank is informed of the situation to contain the systemic impact of this disaster. By the end of this beautiful Monday in April, it is not just bank customers who are affected. Confidence in the safety and security of all online internet activity has eroded – and on a worldwide basis.
Not if, but when
If this scenario sounds far-fetched, it is not. A successful cyber-attack on the critical infrastructure of the United States or any other country for that matter, be it the financial system or a country’s electrical grid, is not so much a question of if, but a question of when.
To be sure, the successful launch of such an attack is very complex in its preparation and execution. It takes both significant financial and human resources.
After all, critical infrastructures – including data backup centers – have been mandated by their regulators for some time now to have resilient disaster recovery plans in place.
In most instances, these data backup centers are synchronously fed the same transaction or activity information as the main data center. In other words, there is not as much as a nanosecond of an informational gap among the various centers.
That means even if data is that compromised either physically or digitally at one or even two of such data centers, it does not result in the destruction of records.
Originally, these disaster recovery plans were designed to address the physical impact of natural catastrophes or terrorist attacks. And they are resilient against such events. The reason is simple: The likelihood of either event disabling all data centers at the same time is remote, as these data centers are situated in different – and sometimes secret – locations.
Hard to be resilient
Beyond attacks or catastrophes that render facilities physically inoperable, cyber-attacks have taken center stage in more recent years. A cyber-attack takes on a different dimension. The attacker aims to concurrently and permanently disable all data centers of a financial institution, for example by using malicious code, worms, viruses or malware.
This is a feat far more likely to succeed than concurrent physical attacks. Still, it requires large resources. It is therefore, most likely to be state-sponsored.
The threat scenario is also asymmetric. The interconnectedness and accessibility to systems around the globe make those who are technologically most advanced most vulnerable to such an attack.
War is in the offing
Most likely, a successful attack of this nature would be considered an act of war.
Cyber war is upon us and it can be hugely incapacitating – even destructive. In fact, cyber weapons can cause massive loss of life without any shots fired, any bombs dropped or any missiles launched. This could happen, for example, by turning off the power supply for an entire nation or by deactivating public drinking water treatment systems.
In theory, it could happen tomorrow. On a daily basis, nations large and small increase their arsenal of cyber weapons. We must take collective action in order to avoid what we can avoid.
However, just as was the case with creating the first nuclear weapon and then a nuclear arsenal, nation states currently perversely revel in the power of cyber weapons.
Little wonder then that in considering how best to stall the efforts by Iran to build a nuclear bomb, the National Security Administration (N.S.A.) of the United States and Unit 8200 of Israel launched a massive cyber-attack on Iran in 2010.
In an operation named “Olympic Games”, the U.S. and Israel created a cyber-worm, Stuxnet. Stuxnet was targeted at Iranian computers controlling the centrifuges at the country’s nuclear facility of Natanz.
The worm, which was introduced to the Iranian computers via a USB stick, ingeniously reprogrammed the infected computers. In so doing, the computers instructed the centrifuges of the nuclear facility to change speeds over a number of months, while all monitors were displaying normal operations.
The centrifuges were not designed to withstand such changes in speed and eventually 20% of them were destroyed.
Needed: A C.A.L.T.
Just like drones, cyber weapons are hard to resist. But as Howard Schmidt, a former White House cybersecurity coordinator, stated: “Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries.’ The problem is that we all fundamentally become less secure.”
Given the proliferation of cyber weapons, it is therefore important that we negotiate an international Cyber Arms Limitation Treaty (C.A.L.T.).
The treaty’s purpose is to prohibit national governments to finance, develop or distribute cyber weapons designed to disrupt or destroy the critical infrastructure of other nations. In addition, all signatories must commit themselves to a “no first strike” doctrine.
Following Ronald Reagan’s principle of “trust, but verify” to guide arms reduction negotiations with the then-Soviet Union, it is unquestionably far more difficult to meet this standard in the cyber world.
In the case of cyber weapons, it is often impossible to assign responsibility behind an attack or threat of an attack. This is partly the nature of the cyber environment. Partly it is due to government outsourcing often to shady businesses and third parties in order to cover their tracks.
In some ways, the latter can be addressed, at least to an extent. It should simply be illegal globally to establish a business that sells cyber weapons.
Will there be illegal “cyber arms” dealers? Yes, just as there are in traditional weaponry. Even nuclear arms technology was hawked by the rogue Pakistani nuclear scientist Abdul Qadeer Khan. But knowing that we will fail in creating the perfect system should not give us an excuse to stop at least preventable threats.
An international cyber protection agency
Much like in the nuclear arms world, supervision of compliance with C.A.L.T. could be undertaken by an organization equivalent to the International Atomic Energy Agency. It would be equipped with inspectors who, routinely and continuously, monitor the cyber activity of every signatory country.
Finally, every responsible country needs to build firewalls around its critical infrastructure. And by that, I do not simply mean computer-based firewalls.
Yes, this will be costly. But these expenditures are the logical flipside of the IT revolution of the past decade.
The business logic of systems integration often leads to greater efficiencies, lowering the cost of services. But in an open digital environment and with the emergence of cyber weapons, such integration also comes at great cost, the systemic collapse of an entire financial system or a multi-nation electrical grid such as in Europe.
Cheap then, expensive now
Where possible, integration must be wedded with decentralization, meaning that the components of systems that were merged can stand on their own. Whenever such an approach is not feasible, a rule of thumb holds that less integration leads to less vulnerability. Hence, it provides a natural defense shield against a broad-based cyber-attack.
This is a tall order. To be sure, some of these ideas outlined above run counter to today’s drive for an ever-more interconnected world. However, the risk of inaction has immeasurable consequences.
Unless, of course, one is prepared to accept that our fictional story ends on that beautiful soon-to-be April day ends somewhat like this:
“By the end of the day, chaos had gripped global financial markets. Because of their interconnectedness, the attack had virtually destroyed records at all major U.S. and global financial institutions. Cash became king, but even the well-prepared eventually ran out of it. The Fed printed trillions of dollars that were handed out to its citizen. Six months later, most records were restored. By then, the global economy had collapsed.”