THE WORLD IN 2050 THE FUTURE OF CYBERSECURITY
A Bookazine Edition by
THE WORLD IN 2050 THE FUTURE OF CYBERSECURITY ANA C. ROLD EDITOR
DIPLOMATIC COURIER | MEDAURAS GLOBAL WASHINGTON, DC
A Global Affairs Media Network
Editor-in-Chief: Ana C. Rold
Editorial Board: Andrew M. Beato, Fumbi Chima, Sir Ian Forbes, Lisa Gable, Mary D. Kane, Greg Lebedev, Anita McBride
Editors: Kathryn H. Floyd, Michael Kofman, Paul Nash
Creative Director: Christian Gilliham
Photographers: Michelle Guillermin, Sebastian Rich
Book Contributors: Sean S. Costigan, James Lovegrove, Jae-Eun Kim, Mike Baker, Amb. Sorin Ducaru, Joshua Noonan, Jack Lester, Richard Rousseau, Chrisella Herzog, Pierce Blue, Emily Pehersson, Ryan Burkhart
DC Contributors: Akshan de Alwis, Charles Crawford, Justin Goldman, Sarah Jones, Arun S. Nair, Richard Rousseau, Winona Roylance, Mary Utermohlen
Social Media Director: Alexcia Chambers
Editorial Research: Bailey Piazza, Anne Harris, David Clements, Jacob Argue, Danika Li, Yuki Preechabhan
Ad Sales: Please email info@medauras.com to request Media Kit and Rate Card.
Contact Us: 1660 L Street, NW, #501, Washington, DC 20036, info@diplomaticourier.org
Copyright © by Diplomatic Courier/Medauras Global Publishing 2006-2016. All rights reserved under International and Pan-American Copyright Conventions. First Published 2016. Published in the United States by Medauras Global and Diplomatic Courier. 1660 L Street, NW, Suite 501, Washington, D.C., 20036. www.medauras.com | www.diplomaticourier.com

Library of Congress Cataloging-in-Publication Data
Rold, Ana C., 1980-
The World in 2050: The Future of Cybersecurity / Ana C. Rold, Editor
ISBN: 978-1-942772-07-1 (Digital)
ISBN: 978-1-942772-06-4 (Print)
1. Rold, Ana, 1980-. 2. Megatrends. 3. Cybersecurity. 4. Big Data. 5. Security. 6. Title.

NOTICE. No part of this book may be reproduced in any form, except brief excerpts for the purpose of review, without written consent from the publisher and author. Every effort has been made to ensure the accuracy of information in this publication; however, the author, Diplomatic Courier and Medauras Global make no warranties, express or implied, in regards to the information and disclaim all liability for any loss, damages, errors, or omissions. For permissions, email info@medauras.com.

EDITORIAL. The articles in Diplomatic Courier both in print and online represent the views of their authors and do not reflect those of the editors and the publishers. While the editors assume responsibility for the selection of the articles, the authors are responsible for the facts and interpretations of their articles. Every effort has been made to ensure the accuracy of information in this publication; however, Medauras Global and the Diplomatic Courier make no warranties, express or implied, in regards to the information, and disclaim all liability for any loss, damages, errors, or omissions.

PERMISSIONS. None of the articles can be reproduced without their permission and that of the publishers. For permissions please email the editors at: info@medauras.com with your written request.

4 | THE WORLD IN 2050

ART | PHOTOGRAPHY.
All images and photos by Bigstockphotos.
MEDAURAS GLOBAL PUBLISHING
CONTENTS
08 INTRODUCTION BY ANA C. ROLD, EDITOR
10 2016: THE YEAR OF THE STATE-SPONSORED BREACH BY SEAN S. COSTIGAN
16 THE IMPLICATIONS OF CYBER-ATTACKS ON GOVERNMENTS BY JAMES LOVEGROVE
20 IMPLICATIONS OF CYBERSECURITY ON ORGANIZATIONS AND OBAMA ADMINISTRATION’S COUNTER MEASURES BY JAE-EUN KIM
26 BETTER LATE THAN NEVER: DEALING WITH THE DANGERS OF ECONOMIC ESPIONAGE BY MIKE BAKER
30 SNOWDEN AND NSA SURVEILLANCE: RISKS VS. REWARDS BY MIKE BAKER
38 CYBERDEFENSE: AN INCREASING PRIORITY BY AMBASSADOR SORIN DUCARU
42 THE FUTURE OF INNOVATION IN RUSSIA BY JOSHUA NOONAN
46 PARTNERING FOR CYBER RESILIENCE: TOWARDS THE QUANTIFICATION OF CYBER THREATS BY ANA C. ROLD AND JACK LESTER
53 CYBERSECURITY, THE INTERNET OF THINGS, AND THE ROLE OF GOVERNMENT BY SEAN S. COSTIGAN
61 CHINA: THE INTERNET AND THE BIRTH OF CYBER DIPLOMACY BY RICHARD ROUSSEAU
64 DUCK AND COVER: CYBER INSTABILITY BY CHRISELLA HERZOG
69 THE FUTURE OF CYBERSECURITY LEGISLATION: WILL CONGRESS ACT? BY PIERCE BLUE
70 MAKING THE GRADE: INTERNATIONAL REGULATORY FRAMEWORK FOR CYBERSECURITY BY EMILY PEHRSSON
76 INFORMATION SUPERIORITY: TURNING “BIG DATA” INTO ACTIONABLE INTELLIGENCE BY ANDREW SERWIN
82 ASIA’S CYBER SECURITY BATTLEGROUND BY RYAN BURKHART
84 THE TERRIFYING PROGENY OF STUXNET BY CHRISELLA HERZOG
INTRODUCTION BY ANA C. ROLD
Most of us can recall a time before mobile phones, or at least the days before Netflix. But as devices facilitating inter-connectivity infuse the corners of our lives, being online is as natural as breathing. We have always breathed, we have always had the Internet, right? The advent of new technologies, whether artificial intelligence, sensors, robotics, 3D printing, big data, genomics, or stem cells (to name a few), is changing everything, from setting an alarm clock to increasing your life expectancy. In this newsletter, we explore cybersecurity, the Internet of Things (IoT), and what technology means for the future, however close that may be. The good news? We are on the cusp of witnessing the biggest breakthroughs humanity has ever seen. And everyone is in on it.
By 2020, more than 50 billion internet-connected devices will be installed globally—that’s more than 4 devices for every human on earth. The Internet of Things first came to us on PCs. Then it moved to smartphones, tablets, smartwatches, and TVs. But now it’s coming to all of our everyday devices that fall under the IoT umbrella. This IoT revolution has the potential to change our homes, transportation, work, even our cities. But how will we arrive in this new era? This year our World in 2050 series took us from the future of jobs and education to wellbeing and health and war and peace. Our last installment in the series this year concerns how cyber and IoT are shaping the future. And there’s perhaps no better time than now to take a look at how these security concerns affect every aspect of our lives. As we launch this edition on the eve of one of the most historic presidential elections in the United States, we can’t help but think how much of the fate of this coveted presidential seat rests on the very essence of cybersecurity. How will cyberspace evolve? What does that mean for cybersecurity? And what can we do to ensure that security gets better not worse? In a series of new as well as archived articles, interviews, and essays, we explore a diverse range of topics looking at cybersecurity of the future. How will we secure growing networks of cars, health devices and other “things”? What can we do to ensure that our cyber workforce is more diverse and representative? How can complex networks of actors work together to mitigate the next Heartbleed-scale software vulnerability? How will global trends affect the cybersecurity challenges that will threaten the United States? Businesses and entire governments are under relentless attack from cyber fraudsters, industrial spies and saboteurs, terrorists, foreign states, politicized hacking groups and others. The ingenuity, ruthlessness and sophistication of the perpetrators know no bounds. 
Leaders need to rise to the challenge but many are failing to do so. Even those who have implemented cyber defense strategies incorporating the latest procedures and technology are discovering they are often inadequate. Security is still being breached. Federal, state and other public sector initiatives designed to protect businesses in cyberspace are struggling to make an impact.

Ana C. Rold, Editor
Diplomatic Courier
Washington, DC
November 2016
2016: THE YEAR OF THE STATE-SPONSORED BREACH BY SEAN COSTIGAN
Cybersecurity is now a topic worthy of presidential debates and boardroom agendas. Counting back from last month’s revelations of the largest breach to date with over 500 million Yahoo accounts, consider this short list of big names that have come forward over the past 12 months to reveal they have been targets of cyberattacks: The Internal Revenue Service, Dropbox, LinkedIn, Snapchat, Oracle, and Verizon. By now it should be no surprise that nation-states have developed an enormous appetite for information. And the sheer concentration of information systems has led to a massive uptick in nation-state hacking. Information is, after all, political. But why would a nation-state want to hack Yahoo, for instance? Scale is key. The company was sitting on one of the juiciest targets: hundreds of millions of email accounts and related user data. Such data can be all encompassing, as people freely share their entire lives through the Internet, very often reusing passwords and other crucial details. Furthermore, in a story that has received little attention, one researcher noted that Yahoo provides email services to over 560,000 domains, which include legal firms, pharmaceutical and medical companies, churches and other potentially valuable sources of sensitive information. As in the Yahoo case, some might wonder why it could take a company years to discover and reveal such breaches. The simple answer is that in many instances companies may not have taken cybersecurity seriously enough in the first place. Running fast and loose with security may be considered normal operating procedure in commercial entities that seek growth at all costs or feel that they must always show growing numbers of users to appeal to shareholders.
Additionally, malware may reside on networks for years in what cybersecurity experts call “advanced persistent threats.” Such stealthy methods are often created and deployed by nation-states and are likely to continue to surpass the abilities of many targeted entities.
To complicate matters, as with banks and their unflagging worry that knowledge of thefts might reduce trust in their offerings, large service providers like Yahoo fear mass defection of users will result should details of breaches be made public. And perhaps that is not an unwarranted anxiety. Yahoo, especially, appears to have been a poor guardian of its users’ data. Consider, for instance, that not only were passwords stolen years ago and are just now coming to light, but answers to security questions such as your mother’s maiden name or favorite pet—which are typically nigh impossible to change—were also taken. By contrast, after the Chinese PLA attack dubbed Operation Aurora was discovered in 2010, Google went on the offensive by “hacking back” and is also widely credited for having committed considerable resources to securing users’ data and their infrastructure. For both commercial and government entities, heterogeneous IT environments, messy internal cybersecurity policies—if any exist—and outdated legacy systems are just some of the challenges that today’s information officers and executives are dealing with. A recent GAO report noted that maintenance and upgrades to legacy systems account for some 75% of the total budget for IT systems in the U.S. federal government, with some systems using components that are over 50 years old. By one account, spending on cybersecurity will rise to over $1 trillion USD by 2021. However, the amount of money spent may still produce dwindling returns against nation-states and their proxies. State-sponsored hackers are a truly motivated bunch, often buying zero-day exploits or deploying tools that are purpose built. So, against these foes, don’t count on any quick improvements to the situation soon.
While many companies might think to shield themselves from liability by claiming that their cybersecurity breaches were actually the work of nation-states, it is worth bearing in mind some characteristics of state-sponsored versus purely criminal hacks when digging into the headlines. In general, if a breach results in a rapid attempt to present data for sale on the Dark Web, or if a blackmail scheme appears to be at work, the breach is most likely the result of a criminal gang. Of course, there are always exceptions to the rule. For example, a state-sponsor might commit the breach for specific information or to target a group for political purposes and then cover their trail by selling off the data through a cutout gang.

RUSSIA AND CHINA—TOGETHER, APART

Attribution remains a challenge, but many companies and governments have improved their ability to find the perpetrators of hacks. Perennially, China and Russia lead the pack when it comes to nation-state sponsored cyber hacking. China’s efforts usually hew closely to economic espionage, exploiting gaps in networks and security to produce economic accelerants through the theft of intellectual property. China’s military hacking apparatus is so vast and successful in targeting U.S. companies that the U.S. Department of Justice has called it a national security emergency, amounting to hundreds of billions lost and over two million American jobs. It is worth remembering that the same week that President Obama was set to press China on its persistent hacking for economic gain, the former Booz Allen Hamilton contractor Edward Snowden had fled to Hong Kong to make the first of his revelations about NSA spying efforts. Given the response at the time, which undermined the U.S. moral position and was clearly exploited by the Chinese government, President Obama largely left China’s hacking out of the discussions. To date, China’s cyberattacks on U.S. companies continue essentially unabated, often barely masking the near one-to-one correspondence to economic interests. Russia, on the other hand, is widely known to use cyberspace to gain political leverage through hacking of personal and government accounts, and to unleash organized criminal gangs to do the state’s bidding. The emphasis is less on economic gain and more on attempts to alter policy, destabilize or punish countries, as was seen in the attacks against Estonia and Georgia, a particularly noteworthy attack against the Ukrainian power grid, and efforts to undermine politics in Germany and the United States. Dependency on the Internet for all manner of services, including the delivery of energy, has made the work of their state-sponsored cyber gangs easier and revealed vastly richer targets. While Russia has also suffered some at the hands of cyber gangs, recently with the mail.ru hacks, and has even brought some criminals to justice, it more often will argue that the U.S. is responsible for hacks and various attacks and only seeks to blame Russia for problems of its own making.

Most recently, much news has been written about the successful efforts of two Russian intelligence-affiliated gangs—identified by the company Crowdstrike as COZY BEAR and FANCY BEAR—and their intrusion into the Democratic National Committee’s network. To date, there have been only muted responses from the U.S. to these cases, largely because any reaction comes with its own complications.

HACK BACK VS. NAME AND SHAME

Shadow wars between intelligence agencies and the proxies of nation-states are almost certainly being waged, with authorities hacking back state-sponsored gangs. Additionally, citizen warriors and other groups have taken on terrorists and others, using many of the same hacking-back techniques. In the nation-to-nation cases of hacking back there remains persistent concern, however, over the potential for escalation from the cyber realm to possible kinetic warfare. That concern increases each year, as developments such as the Internet of Things blur the lines between what constitutes cyberspace and the physical world.
But there is another—public—approach that many in policy are advocating and that could be successful: shaming. “Name and shame” is a tactic that seeks to censure nation-states that engage in the criminal enterprises of intellectual property theft and political manipulation. The proponents argue that by naming these entities publicly—much as was done by Crowdstrike in the instance of the Russian sponsored hack of the DNC—nation-states would have a harder time hiding behind the challenges of attribution and will lose face in the court of public opinion. Considering the political sensitivities at work, private enterprise is doing some of the best work here, with many companies in Europe and the United States engaged in deciphering the locations and potential motives of state-sponsored groups. Of course, commercial entities have their own interests at heart, and exposure of one gang or another is usually peacocking intended to drive new business opportunities. In the non-commercial space, many transparency groups have their unique political agendas, leaving it to academics to present the best, most neutral cases. Particularly where governments are using malware or breaches to violate civil rights, Citizen Lab at the University of Toronto regularly produces some of the very best work. But name and shame comes with its own attendant risks. First and foremost, it isn’t entirely clear when a country might consider a breach to be a matter of national interest. For example, was the Sony attack really a matter of U.S. national security, sufficient to get President Obama involved in naming the perpetrator? Were economic sanctions to be employed after a state-sponsor is named, might that not increase the risks of violence or other reprisal? While the devil is in the details, in addition to clarity on what attacks matter most, what should be considered off limits and what should be done in response, a consortium approach would help.

Several countries that have suffered notable breaches and economic losses should be encouraged to come together to publicly air their grievances and put forward a meaningful strategy to name and shame perpetrators. Such an effort—ideally working with a global alliance—would help improve understanding and serve as a model for international cooperation. Clearly name and shame is not a panacea, but if done well it is likely to help. Until such an agreement for cooperation can be made, countries and many of their most important resources will continue to be plundered at will in cyberspace by nation-states and their proxies.

About the author: Sean S. Costigan is an independent consultant and serves as a Professor at the George C. Marshall European Center for Security Studies. His most recent work is a novel cybersecurity curriculum, to be published and made freely available by NATO in October 2016.
THE IMPLICATIONS OF CYBER-ATTACKS ON GOVERNMENTS BY JAMES LOVEGROVE
Cyber-attacks are bigger, bolder and more global than ever before. As the world continues to go online (Google expects everyone in the world to have internet access by 2020) the “attack surface” continues to expand:
• The biggest bank robberies are now digital (e.g. the recent $81 million cyber heist in Bangladesh);
• Potentially greater harm can be inflicted thousands of miles away to physical infrastructure (e.g. the Shamoon virus in the Oil and Gas industry);
• State sponsored cyber-weapons are now a very real threat to our various blends of Liberal Democracy – from espionage (e.g. Russian hacks into the Democratic Party computer system) to the digital age equivalent of a missile strike (e.g. Estonia DDoS and Stuxnet).
October is the month for Cyber Security Awareness in Europe. Educating citizens to be smarter on the net (e.g. change passwords, avoid infected sites and downloads etc.) remains very important to combatting these threats. However, at many of these Cyber Security Awareness programs, experts alarmingly share their concerns – first, many citizens are not heeding simple and effective cyber-hygiene guidance. Secondly, we are edging ever closer to our “September 10” moment in terms of being hours away from a devastating cyber-security event. And, thirdly, they do not want European Politicians telling them how to fight this battle. The EU thus appears to be confronted with yet another conundrum: Europe’s Digital Single Market is only going to be workable if secure. Yet, our law making process is still largely rooted in the analogue world whilst our growing need for international cybersecurity co-operation is threatened by populism at the ballot box. As part of Cyber Security Awareness month, this article provides a short overview of the trajectory of cyber-security public policy and quite possibly – in this BREXIT period – an indication of a longer term EU model.

Europe has long supported global standardization solutions to achieve public policy goals. The GSMA standard catapulted Nokia into a global mobile phone success story. IT hardware policy solutions via so-called “New Approach” directives continue to be an effective means to provide Europeans with safe devices via a set of largely global standards. Likewise, the EU has welcomed cyber-security experts following the same example to facilitate cyber-security adoption by Europe’s 23 million small businesses (e.g. the ISO/IEC 27000 series). The EU has followed up with light-touch initiatives to bake these standards into well understood and accepted requirements which fast-track adoption of digital solutions. For example, voluntary Codes of Conduct – such as m-Health and the imminent (at time of printing) Cloud Code of Conduct – include these same global cyber-security standards. The EU’s Network Information Security (NIS) directive aims to further harness this community of expertise. This directive allows vastly different Member States a multi-speed implementation in keeping with their technical starting point. The directive introduces a Member State co-operation process which is expected increasingly to become a forum which plugs into existing technical expertise and relationships between, say, cybersecurity providers, critical infrastructure companies and Computer Emergency Response Teams (CERTs) around threat landscape information, access to state of the art technology and trends. The much awaited Public Private Partnerships (PPPs) complement the NIS’ focus on healthcare, energy and transport plus other areas of interest such as industrial controls, finance and e-government. Despite its goal to “better equip Europe against cyber-attacks and to strengthen the competitiveness of its cybersecurity sector”, EU officials are quick to point out that it is accessible for any company regardless of parentage. That said, Sir Julian King (the UK’s European Commissioner) recently hinted at an update to the EU’s 2013 Cybersecurity Strategy, in which he may seek to further clarify third country access. The importance of global partnerships to tackle a global problem is key – especially with long standing allies. Regardless of what happens in the November Presidential elections, a strengthening of existing EU-US cybersecurity activities around mutual recognition and access is important. Perhaps it bodes well that the United States also organizes its cyber-security awareness month in October...?

In conclusion, the EU has embarked on a slightly different trajectory to address this important public policy objective for its citizens. There is still some way to go and admittedly there are teething issues relating to remolding long standing legal process and culture to an ever changing and complex challenge. Similar to pollution, cyber-attacks are a borderless threat which surely requires the pooling of political, economic and societal resources. This reality inevitably bolsters the EU case to co-ordinate and/or lead a set of strategic imperatives to improve Europe’s cyber security. The key to success, though, is for the EU to drive the ‘END’ goal of Digitising core European Industries but leave the technical ‘MEANS’ up to existing communities of experts along with a transparent NIS co-operation group and open PPPs. Indeed, if done properly, there is nothing to stop a set of early deliverables within Europe’s core industries (i.e. automotive, chemicals, pharma, industrial tools etc.) which would provide a timely and compelling reminder to those going to the polls next year in Germany, France and the Netherlands. Even the UK – clamoring for “more control” – might cede the point that some things are better done at a European level, which can speak as equals with other great powers in the world.

About the author: James Lovegrove is the senior director of APCO Worldwide in Brussels.
IMPLICATIONS OF CYBERSECURITY ON ORGANIZATIONS AND OBAMA ADMINISTRATION’S COUNTER MEASURES BY JAE-EUN KIM
Living in a world where everything and everybody is connected, protection and security of data has grown all the more critical. As long as one is connected to the Internet, anyone can become a viable victim of a cyber attack, so careful and proper protection must be in place to prevent any detrimental incidents. Thus, from protecting user data against the growing number of threats to ensuring the continuity of businesses, cybersecurity, or the measures taken to protect a computer system against unauthorized attacks, is an essential element for any organization. With the advance of the Internet and the like, security threats and cyber-attacks are multiplying acutely all over the globe, targeting individuals and organizations alike. As these threats and attacks continue to mount, understanding and managing security risks have become critical issues for leaders in both business and government. Below are several essential facts that define the current information security landscape:
• The estimated annual cost of cybercrime committed globally adds up to 100 billion dollars.
• Currently, there are more than 1.6 billion social network users worldwide, with more than 64% of internet users accessing social media services online.
• Social media is the most vulnerable means of cyberattacks: 1 in 10 social media users are victims of cyberattacks, and the numbers are on the rise.
• From 2016 to 2019 global cyber crime costs are expected to greatly increase, reaching US$2.1 trillion.
• The US government spent US$14 billion on cyber security in 2016, with plans to spend US$19 billion in 2017.
As can be seen, the implications, both financially and internally, for companies and governments alike are tremendous. Take, for example, a few recent incidents: Sony’s and Target’s breaches, in 2014 and 2013 respectively, had the biggest impact on information technology security. It was evident that high-profile hacks against the government and companies like Sony and Target were largely met with legislative inaction and administrative uncertainty on how best to address evolving cyber threats. The breach of the Office of Personnel Management exposed the details of at least 21.5 million government employees. Additionally, repeated claims of Russian and Chinese hacking of American businesses and public agencies continued to surface as an ongoing issue within the public sphere, and reports indicated that several thousand FBI staffers had their data leaked following such an attack. Accordingly, such security is important to every American who uses the Internet, in order to ensure that their communications remain protected. Unfortunately, there are always going to be “bad guys,” in this case those who try to steal people’s information for their own financial or personal gain. Thus, as these threats continue to mount, understanding and managing security risks have become critical issues for leaders in both business and government.

CYBERSECURITY IN THE OBAMA ADMINISTRATION

Evidently, cybersecurity and risk is now an urgent and important matter at hand. Information breaches and hacking have raised fears that such attacks and other security failures can significantly endanger the global economy.
In 2015, President Obama acknowledged cyber risk as a top issue for the international agenda. Addressing political leaders, CEOs, and technical experts, the president reinforced that those specialists needed to “collaborate and explore partnerships that will help develop the best ways to bolster our cyber security.” The Obama Administration has taken various actions towards addressing cybersecurity and cyber-attacks. President Obama’s most recent initiatives have included Executive Order 13636 (The National Institute of Standards and Technology) and the Cybersecurity National Action Plan (CNAP). The first initiative was designed to transform and enhance the nation’s cybersecurity policy to effectively respond to cyberattacks and to properly prepare for any potential attacks. The latter initiative was introduced earlier this year in February with objectives that included the enhancement of cybersecurity awareness and protections, protection of privacy, maintenance of public safety, and the empowerment of Americans to take better control of their digital security. Additionally, last year, under the directive of President Obama, the National Institute of Standards and Technology (NIST) in the United States issued a Framework for Improving Critical Infrastructure Security. The Framework introduced a set of standards and best practices designed to help organizations manage the risks of a cyber security breach. With the aid of this framework, they chart their current security profile, work out what profile they should be aiming for and create a plan for reaching it. President Obama’s concern for cybersecurity can also be seen within his fiscal 2017 budget proposal. Cyber threats are “among the most urgent dangers to America’s economic and national security,” Obama said in a Wall Street Journal op-ed published on Tuesday. In his fiscal 2017 budget proposal, President Obama asked for $19 billion for cybersecurity across the US government, an increase of $5 billion over the past year. According to Forbes, the government is planning to invest $62 million in cybersecurity personnel alone. (The government recently announced its first chief information security officer, Tony Scott, to lead the charge over cybersecurity policy, planning, and implementation to secure the US government.) Additionally, the Department of Homeland Security is said to be increasing the number of Federal civilian cyber defense teams tasked with finding vulnerabilities on government systems.
As these policies are recent measures, the effects and success of the various initiatives are still yet to be seen. Yet, what is obvious and essential is the ability and foresight to prevent cyber attacks and vulnerabilities by being prepared.

COUNTERING CYBER ATTACKS

Unfortunately, attacks on cyber security and cyber-crime are only likely to increase in the near future, despite the best efforts to prevent such incidents by government agencies and cyber security experts. Technical innovation and the centralization of data create opportunities for cyber criminals to misappropriate critical information through a single targeted attack. As online systems make their services more widely available, the opportunities to penetrate security measures multiply significantly. The increase in numbers will be due to the expanding availability of services online and the growing sophistication of cyber criminals engaged in such operations. The question then shifts to how to counter these cyber risks. There is no shortage of advice available to organizations to help them assess risks and develop suitable plans to counter them. Governments around the world are developing cyber security guidelines. For one, under guidance from the US Securities and Exchange Commission, public companies are required to disclose what can be seen as “risk assessments”: information describing the material risks they face from cyber attacks, with specific detail to enable an investor to assess the magnitude of those risks. US companies are also required to consider disclosure about the potential costs associated with preventing cyber attacks and any contingent liabilities or asserted claims related to prior breaches. In sum, a failure to make adequate disclosures can lead to additional liability in the event of a cyber attack. Furthermore, governments are tightening laws and regulations to ensure organizations will take greater responsibility for cybersecurity. An essential step to allow for this is the reporting of breaches, as it enables government agencies to take action to strengthen security, mitigating harm and encouraging organizations to adopt effective security measures. Additionally, other critical steps are essential to establish protective measures against cyber threats. These include taking actions to identify the security risks organizations and governments face and to set the policy for dealing with them. Standard security measures and configurations should be adopted, while malware protection should be highly considered. Furthermore, because networks are often weak points in cyber defense, it is critical for any organization to follow recognized network design principles and to ensure that all information and communications technology is configured to security standards.
Of course, reality will be more complicated then the aforementioned measures. Nonetheless, secure precautions must be taken. Evident as it is, cybersecurity is one of the most urgent issues of the day. Computer networks have always been the target of criminals, and it is likely that the danger of cybersecurity breaches will only continue to increase in the future as these networks expand, but there are sensible precautions that organizations and governments can take to minimize losses from those who seek to do harm. With the right level of preparation and specialist external assistance, it is possible to control damages, and recover from a cyber breach and 24 | THE WORLD IN 2050
its consequences. There is clearly still much work and precautious measures to be enforced, and the people behind the attacks have a significant head start. For those merely catching up now, cyber security has become a matter of urgency. About the author: Jae-Eun Kim is a recent graduate from Carnegie Mellon University where she received a B.S. degree in International Relations and Politics and a M.S. degree in Public Policy and Management. Her current position deals with information security risk management in corporate organizational settings.
BETTER LATE THAN NEVER: DEALING WITH THE DANGERS OF ECONOMIC ESPIONAGE BY MIKE BAKER
It seems like I’ve spent the majority of my adult life either protecting secrets or trying to acquire them. After over a decade and a half in the service of the CIA’s Directorate of Operations, and then a dozen more years building a private sector global intelligence and risk management firm, I feel somewhat qualified talking about secrets. Taking them or keeping them is how I’ve made my living. So when the Diplomatic Courier asked if I would write an opinion piece about risks to U.S. national security interests, it didn’t take long to settle on a specific topic. While many experts (and I don’t claim to be one) would point to Iran, the unwinding of our involvement in Afghanistan, the U.S.-Pakistan relationship or that old chestnut North Korea as our most serious issue, I believe the top threat to our national security is more widespread and far less discussed. This threat exists in the shadows and typically well off the radar screen of public or media awareness. It’s insidious, pervasive and enormously costly to U.S. national interests. The threat is economic espionage: the theft of our research and development, intellectual property, trade secrets, negotiating positions and other data critical to the private and public sectors. It happens in seemingly harmless ways: through information gathered at trade shows, corporate events and during official foreign delegation visits and exchanges. It happens in old school espionage ways: through the recruitment or placement of sources inside companies. And increasingly over the past couple of decades, it happens in cyberspace. The internet has made life easier and more accessible for people in all walks of life, including those involved in the gathering of sensitive economic intelligence. Acquiring information in order to gain an economic or strategic advantage is a pastime as old as mankind. I suspect, all those years ago before the invention of sliced bread and Facebook, some Neanderthal in the cave next door stayed up late at night plotting to steal his neighbor’s blueprints for the wheel. Why spend months or years chipping away at stone, hoping to get just the right shape, when your neighbor has already figured it out? Better to take his research, jumpstart your own effort and be the first to roll out the wheel to the community. To be fair, and diplomatic of course, no nation is free from this threat, just as no nation is innocent of practicing economic espionage to one degree or another. Nations act in their own best interests, but some more aggressively than others. My experience over the years, both with the U.S. government and in the private sector working on behalf of U.S. companies, informs my opinion that, when it comes to understanding and dealing with the dangers of economic espionage, we are very late to the party. Successive administrations, Congress and the intelligence community have been slow in linking the protection of our economic intelligence to U.S. national security. And the U.S. private sector has been even more delinquent in understanding the degree to which foreign states and corporations are pilfering critical information from U.S. businesses. How bad is it? In the opinion of James Woolsey, former Director of the Central Intelligence Agency, “They’re stealing us blind.” In a recent conversation, Director Woolsey cited technology and the internet as a key factor in the increase in economic espionage.
“Now it’s a matter of a keystroke between looking at information and stealing that information, or putting malware on the target’s system.” While cybersecurity, primarily as it relates to the protection of critical infrastructure and the public sector, is gaining attention, government resources and public awareness, effective efforts to curtail economic espionage, increasingly conducted in cyberspace, have been limited and, for the most part, uncoordinated between the private and public sectors. In a demonstration of trying to close the barn doors after the horse has left the building, the U.S. Congress and White House have been dickering over several versions of a possible cybersecurity bill during much of 2012. One stated goal has been to improve the cooperation and coordination between the government and private sector. However, given the lack of cooperation and coordination between the House and Senate, there’s little optimism that meaningful legislation is likely anytime soon.
There have been some efforts within the federal government to address the problem; again, most are in their early stages and do little to stem the outflow of information from U.S. shores. In 2011, 16 federal agencies and members of the intelligence community (IC) formed the National Cyber Counterintelligence Working Group to develop a coordinated response to the theft of intelligence, including private sector economic intel. While better late than never, creating a coordinated response decades after the first instances of cyber theft is an indication of how slow America has been to respond. The damage to the U.S. is felt in a variety of ways: economic losses, lost opportunities for business expansion and revenue, stolen classified information related to private sector support of critical government and military operations and a less competitive America in a global economy. Brian Finch, a Washington, D.C.-based partner in the law firm of Dickstein Shapiro LLP and head of the firm’s Homeland Security practice group, deals regularly with issues related to economic espionage and cybersecurity. “The pace of the attacks (against U.S. businesses) is growing and the net result is that American companies can be at a strategic disadvantage in international investments as well as see significantly less value in their research and development investments.” Recent federal efforts to quantify the losses have conservatively estimated that economic espionage has cost American companies a minimum of $13 billion in just the past few years. If that sounds low, and rather vague, it’s because it is on both counts. Ask 10 officials in Washington for their estimates on damage to the American economy from theft of economic intelligence and you’ll get 10 different answers. In part the lack of clarity is because the U.S. government still hasn’t devised an accurate way to track such losses, and in part it’s because U.S. companies are reluctant to report intrusions, loss of proprietary information or instances of hacking into their internal systems. Oftentimes, a company’s systems are attacked, information obtained or malware installed, and many months, or years, pass before the victimized company becomes aware of the problem. One recent study noted that the average time from cyberattack to the target becoming aware of the intrusion was 416 days. Randy Phillips, a former senior member of the U.S. intelligence community, believes the threat can’t be overstated. “This is one of the most significant and persistent threats to the well-being of the United States.” He notes that the scope of the threat, and pervasiveness of the attacks, “undermines U.S. interests in ways that are very difficult to calculate. The sheer amount of theft of intellectual property and research and development material over the years both through cyber theft and via targeted employee theft is stunning.” Having watched and worked this problem from both the public and private sector sides of the fence, I feel strongly that the U.S. has been disadvantaged significantly over the decades because of our failure to properly view our private sector economic information as critical to our national security interests. As opposed to practically every other nation, the U.S. has always viewed it as somehow improper for our intelligence community to include as an objective or task the protection and support of the private sector. Yet our allies, and those nations not traditionally aligned with our own interests, see no such separation between government and private sector. Over the past decade I’ve seen countless examples where foreign companies have been advised, assisted and protected by their governments and intelligence services. Outside the U.S., most intel services work closely with their private sector because they fully understand that their economic interests, including protection of proprietary information, are directly linked to their national security. In a clear statement of this link between a nation’s private sector and intelligence service, Vladimir Putin in late 2007 said that “the SVR (Russia’s intelligence agency) must be able to swiftly and adequately evaluate changes in the international economic situation, understand the consequences for the domestic economy and more actively protect the economic interests of our companies abroad.” In the United States we’ve maintained a Church-State type separation over the years between the intelligence community and our private sector. The IC’s concern over possibly giving an advantage to one U.S. company over another in trying to protect their interests has ultimately disadvantaged all American companies as the global economy and technological advances speed access to information and time to market.
While there has been some recent discussion within the IC and in Congress about the possibility of improving public-private sector coordination, the likelihood is that privacy concerns, corporate suspicion over excessive government intrusion and budget cuts to defense, homeland security and intelligence spending will limit any real progress. For now, it remains mostly up to the private sector in the U.S. to combat this threat. “It’s really up to American companies to own this problem,” noted Dickstein Shapiro’s Brian Finch. “They have to understand the risk and the need for senior management involvement in ensuring adequate security and cyber security programs.”
The danger in relying solely on the private sector to manage this risk is that corporations often only act when or if they realize they’ve been the victim of economic espionage. Proactively enhancing internal security practices is regularly viewed as an added cost to the bottom-line as opposed to an investment in the future growth and revenues of the company. If nothing else, the government should be playing a larger role in educating American companies as to the nature of the threat, potential for damage and methodologies of key players. It’s an increasingly small world, and for U.S. companies operating without an appreciation that their secrets are being pilfered and without the involvement and adequate protection of the American government, it’s an increasingly dangerous one. In a global economy, information is our most valuable commodity. It’s time we act like it. About the author: During a career spanning over fifteen years as a covert field operations officer for the Central Intelligence Agency (CIA), Mike specialized in counterterrorism, counternarcotics and counterinsurgency operations. He engaged in, organized and supervised operations around the globe, working in Asia, the Middle East, Africa, Europe, the former Soviet Union and elsewhere. He was recognized professionally for outstanding performance and for operational achievements in hostile environments. In December 2000, after leaving government service, Mike co-founded Diligence with the goal of building the premier intelligence and risk management firm. As a principal partner over the years he has worked to grow the company as it expanded around the globe, opening offices in London, New York, Washington, Moscow, Sao Paulo, Brussels and Geneva. He also worked to establish the company’s security operations in Iraq in 2003, as Diligence built a team of over 300 expat and local personnel involved in security and information collection. 
Mike is a regular contributor in the national and international media on intelligence, security and counterterrorism issues. He appears regularly on Fox News, as well as other major media outlets.
SNOWDEN AND NSA SURVEILLANCE: RISKS VS. REWARDS BY MIKE BAKER

“As for our common defense, we reject as false the choice between our safety and our ideals.” -President Obama, 2009

“I think it’s important to recognize that you can’t have 100 percent security, and also then have 100 percent privacy and zero inconvenience. We’re going to have to make some choices as a society.” -President Obama, 2013
Since the start of this millennium, we have witnessed many success stories in global health. Deaths from infectious diseases like malaria and tuberculosis have been cut in half. A child is twice as likely to survive past their fifth birthday than he or she was fifteen years ago. Hunger and malnutrition remain, but affect a smaller percentage of the world’s population than ever before.

Attitudes towards Snowden and his actions tend to fall into three camps. There are those that believe he is a hero for starting a national dialogue on the role of government in monitoring and collecting information on its citizens and noncitizens abroad. A second group does not think of him as a hero, but considers him simply a whistleblower for revealing secrets that he believed to be egregious. Finally, there are those who believe he has done grave harm to U.S. national security interests and should be punished.
Given that I spent over a decade and a half in the CIA’s operations directorate and went on to co-found a leading company in the private intelligence and security space, you can likely imagine in which camp I pitch my tent. I believe Edward Snowden is a dysfunctional young man who did not get the respect he believed he deserved from his various supervisors and, under the self-righteous guise of following his conscience, chose to betray U.S. national security interests. In a classic case of failing upwards, once he obtained his security clearances to work as a guard for the National Security Agency (NSA), he found that those clearances made him an attractive candidate for other positions as he moved from job to job. That is one of the problems with the world of government contracting: the clearance process can be lengthy and costly, and any individual already holding clearances automatically is more attractive as a hire by the ecosystem of companies that feed off the government. That ecosystem is massive. Snowden’s story has, of course, focused the spotlight not only on the NSA’s authorized and legally-papered surveillance programs, but also, in a broader context, on the issues of government data collection, the tradeoffs between security and privacy, and the ability of the public to guard against an overreaching government. This does not make him a hero; it simply makes him a law-breaking traitor whose actions were the catalyst for another discussion on privacy versus security. However, I will be the first to argue that we should welcome and constantly encourage public evaluation and discussion of privacy versus security concerns. Having peeked behind the curtain for years, I believe I have a very good sense of the U.S. intelligence community and its relationship with the executive branch, the public, and our elected officials.
I have great confidence in the government’s ability, or at least intent, to do the right thing while still being wary of giving any administration too much leeway. Can the government abuse its authority? Can efforts to provide national security overreach and intrude unnecessarily into our private lives? Can information be misused? Without a doubt. That is why an engaged public and a vigilant and inquisitive Congress are necessary to guard against abuses of authority and access. Unfortunately, the U.S. public tends to lurch distractedly from one event to another, like a kitten focusing on whatever shiny object happens to be in front of it. As a nation, we suffer from collective Attention Deficit Disorder, rarely staying on topic long enough to understand the complexity of the issue and almost never following through with meaningful actions.
I blame technology for the general inability of the public to stay focused on key issues and concerns. Thanks to cell phones, 24-hour news feeds, Twitter, reddit, Facebook, we have an expectation and appetite for immediate information gratification. But we take smaller bites and get filled up quicker than ever before, and then we are off devouring the next hot topic or scandal. More than likely, the current public “outrage” over learning that the NSA is able to collect citizens’ phone records will dissipate as soon as the next Congressman or Senator is caught texting pictures of his legislative package. Outrage burns hot and bright in America, but lasts only moments in real terms. Luckily for character-challenged politicians, redemption is cheap and requires only the requisite time off camera and appropriate public mea culpas, preferably while standing next to your loving, albeit long-suffering, spouse. When discussing the role of government and, in particular, the NSA revelations, I should note that I am by belief and desire a small government person. It would seem counterintuitive: believing in small government and at the same time being supportive of the NSA’s surveillance programs and the general need for law enforcement and the intelligence community to have access to metadata on citizens and non-citizens alike. Andrew C. McCarthy, a best-selling author and former Deputy Assistant U.S. Southern District Attorney well known in counterterrorism circles for having led the 1995 trial of Sheik Abdul Rahman and numerous co-conspirators, recently wrote in the National Review Online that small government principles and support of the NSA programs can go hand in hand: “Those of us who have argued in favor of the NSA programs stress the following points: (1) Unlike the other things Leviathan does (but should not do), national security is the federal government’s ne plus ultra.
(2) Americans do not have a Fourth Amendment privacy right to shield phone usage records that belong to a third-party, and non-Americans outside the U.S. do not have constitutional rights, period—not against data-collection or eavesdropping. (3) The absence of constitutional protections is not dispositive of any privacy question; it simply means that any additional privacy safeguards must be enacted by Congress, not by warping the Fourth Amendment.
(4) The NSA programs operate under such a regimen of significant Congressionally-mandated safeguards: e.g., government may only collect data, it may not be inspected without court oversight, data must be purged every five years, etc. (5) The most important components of these safeguards are the principles of separation-of-powers and non-politicization of national security— i.e., there is extensive judicial and congressional oversight over the NSA’s data-collection; and even on the executive branch side, the data must be handled by specially trained intelligence agents, not political appointees.”

The era of big data really started with 9/11. In the aftermath of that horrific event, the intelligence community, in conjunction with law enforcement at the local, state, and federal levels, moved from a traditional “Need to Know” mindset to the new mantra of “Need to Share.” Or, in different terms, “Play Well With Others.” Information collection efforts were ramped up domestically and abroad, while dependence on outside contractors and technology companies increased exponentially. The Holy Grail for intelligence and law enforcement officers looking to prevent the next 9/11, and for private sector companies looking to capitalize on this seismic shift in combating terror, became how to store, analyze, and find the key operational leads and actionable intelligence hiding in an ever-increasing mountain of data. Incredulous members of the public ask how an Edward Snowden, or a Bradley Manning, type of situation could develop. I am not a mathematician, but I believe the answer is something like this:

Amount of Data Collected × Number of Contractors Cleared to Access Data × √(Government Desire to Easily Share Data) = Leaks.

We essentially walked into a perfect storm that allowed Snowden, and Bradley Manning, to access vast amounts of information. Improvements in technology allowed for new and more efficient ways to collect data; 9/11 demanded that the U.S. government not only authorize, but also improve its collection efforts and the way in which that information is shared; and the increasing amount of data requires that an ever-increasing number of people be given clearances to do something with that information. The concern is not whether the government needs the ability to collect information. As Mr. McCarthy eloquently points out, what the NSA is collecting is different from what the government is “investigating”. Investigations require authorities, approvals and oversight. The collection of information is critical to efforts to prevent, minimize, or disrupt potential attacks. What worries me is whether the government can efficiently, and securely, collect and use that data to enhance our homeland defense efforts. I have confidence in the intent of our government, and in the checks and balances in place to guard against abuse. The caveat is that, as with many things, you should trust but verify on a regular basis. I view this from an operational rather than a civil liberties or ethical perspective. I want to know that what we are doing is indeed geared towards making us safer. If the government is simply collecting information because we have the technical ability to do so, coupled with the necessary legal authorities, only to let it sit in some dank virtual basement waiting for analysis someday, then we need to scale back our efforts. It is difficult enough to search through limited amounts of information looking for actionable leads and key linkages between suspects or events. When you get to the level of metadata, it is vastly more complicated. And the risks, as Edward Snowden has made clear, are far greater.

About the author: During a career spanning over fifteen years as a covert field operations officer for the Central Intelligence Agency (CIA), Mike specialized in counterterrorism, counternarcotics and counterinsurgency operations. He engaged in, organized and supervised operations around the globe, working in Asia, the Middle East, Africa, Europe, the former Soviet Union and elsewhere. He was recognized professionally for outstanding performance and for operational achievements in hostile environments. In December 2000, after leaving government service, Mike co-founded Diligence with the goal of building the premier intelligence and risk management firm. As a principal partner over the years he has worked to grow the company as it expanded around the globe, opening offices in London, New York, Washington, Moscow, Sao Paulo, Brussels and Geneva.
He also worked to establish the company’s security operations in Iraq in 2003, as Diligence built a team of over 300 expat and local personnel involved in security and information collection. Mike is a regular contributor in the national and international media on intelligence, security and counterterrorism issues. He appears regularly on Fox News, as well as other major media outlets.
CYBERDEFENSE: AN INCREASING PRIORITY BY AMBASSADOR SORIN DUCARU
Cyber space is without limits. Open to everyone, connecting people around the globe, it has offered unprecedented opportunities for our economies and has transformed the fabric of our societies. But it has also made our open societies extremely vulnerable. Spectacular intrusions into the world wide web, often called “cyber attacks”, have made headlines in media across the world. Cyber crime is a booming business, making about half a trillion US dollars every year. Cybersecurity has become a major concern, not only for business, but for governments as well, which have to provide security for their countries and defend the civil liberties of their citizens. The significant increase in intensity and sophistication of cyber attacks and their use in military operations have raised serious concerns at NATO and among the 28 Allies. At its most recent Summit in Wales in September 2014, the Alliance adopted an “Enhanced NATO Policy On Cyber Defense”. This document marks the key elements in NATO’s approach to cyber defense: First, it affirms that cyber defense is part of NATO’s core task of collective defense. Secondly, it confirms that International Law, including International Humanitarian Law and the UN Charter, applies in cyber space. It makes clear that cyber space should be governed internationally by the rule of law. NATO’s mandate in the cyber domain is one of defense. It is about defense based on protection and resilience. It is not about the militarization of cyber space or about promoting cyber warfare. But NATO needs to adapt and respond to threats such as those that arose from the use of sophisticated cyber capabilities during the military operations in Georgia in 2008 and in the crisis in Ukraine in 2014. Also, the increasing use of cyber attacks by terrorist groups like ISIL and the growing dimension of cyber threats in the context of Hybrid Warfare generate growing concern. Cyber defense was first put on the Alliance’s political agenda at the Prague Summit in 2002. The first result of this effort was the establishment, in 2004, of the NATO Computer Incident Response Capability (NCIRC). This is the Alliance’s primary tool for the prevention, detection, and mitigation of cyber attacks on NATO networks. After the cyber attacks in Estonia in 2007 and the use of cyber components in the short conventional war between Russia and Georgia in 2008, cyber security was included in the Strategic Concept of 2010, still valid today. Here, NATO defines a “New Security Environment”. Consequently, a new Cyber Defense Policy was developed in 2011, extending, among other things, the NCIRC by two small Rapid Reaction Teams which are ready to deploy rapidly to any NATO installation where a cyber attack is serious enough to necessitate human involvement, or where an intrusion cannot be repaired from a distance or by technical means only. However, since 2011 other important steps have been taken as well. Beginning in 2013, Allies have begun including elements of cyber defense in their defense planning. As the new four-year planning cycle has just started, cyber defense has become an integral part of that planning process. Finally, cyber defense considerations are also being integrated into NATO operations and operational planning, including contingency planning. In this way, cyber defense has become an integral part of all military planning in the Alliance.
This includes, of course, all training and education activities, where NATO aims at supporting Allies in providing the right people for this important task. Cyber defense is as much about people and processes as it is about technology. And therefore, well trained and educated personnel also engage in regular exercises to make sure that they push the right buttons and call the right people in order to prevent serious attacks from happening and/or to provide the best possible resilience and repair damage as quickly as possible. Finally, cyberdefense offers NATO a whole new focus on cooperation, not only among Allies, but with all kinds of partners. NATO and its 28 member states are part of a network connecting 69 countries, linked to NATO in different formats of official partnerships. They all are interested in cooperating with NATO in one way or another, as, regarding the challenges from cyber space, they all face the same problems. Equally, international organizations like the European Union (EU), the Organization for Security and Cooperation in Europe (OSCE), the Council of Europe, and the United Nations (UN) engage in constant dialogue with NATO on the issue of cyber security. Most interesting, NATO also has made cooperation with industry a priority objective. After all, industry is a key player in cyber space. It owns the majority of the world’s information systems, and develops and provides the technical solutions for cyber defense. Most of the technological innovation lies with industry. This makes for a whole new kind of cooperation, for which NATO has offered a “NATO-Industry Cyber Partnership” (NICP). Cyber space once was identified as a “space of unimaginable complexity”. It proves also to be a very fast changing landscape, fuelled by positive input such as technological evolution and innovation, but also by tendencies aimed at exploiting it for negative, illegal or harmful purposes. Cyber defense will require constant adaptation and agility and a true spirit of cooperation and team work between all those stakeholders who are interested in the preservation of the cyber domain as a space of freedom, growth, and security.

About the author: Ambassador Sorin Ducaru is the Assistant Secretary General of NATO for Emerging Security Challenges.
THE FUTURE OF INNOVATION IN RUSSIA BY JOSHUA NOONAN
In March, I met Ilya V. Ponomarev at a Starbucks near Federal Triangle metro station for coffee. It was a gloomy day but thankfully neither of us was caught in the rain. Ponomarev, just coming from a slew of meetings, did not order anything. He came in alone and looked like his picture: tall, blue-eyed, and bearded, save for the weariness from days of meetings with business people and entrepreneurs. Ponomarev is an outspoken member of the Duma of the Russian Federation, an accomplished entrepreneur, and a proponent of reform in Russia. He has been active in politics for more than 20 years. He is a graduate of Moscow State University, holding a Master of Public Administration from Russian State Social University. Ponomarev started working when he was just 14 years old at the Institute for Nuclear Safety at the Russian Academy of Sciences. He then launched several start-ups and later went on to work for the oil services company Schlumberger and the now-defunct Yukos Oil. Ponomarev is a serial entrepreneur, having launched his first company, RussProfi, when he was still in high school. In 2007, he was elected to represent Novosibirsk in the State Duma, where to this day he chairs the Innovation and Venture Capital subcommittee of the Committee for Economic Development and Entrepreneurship. This dovetailed with his work from 2010 to 2012 heading International Business Development, Commercialization and Technology Transfer for the Skolkovo Foundation. Due to his sole vote against the annexation of Crimea, Ponomarev faces strong headwinds in Russia.

What is the meaning of the September 15 Data Storage Law?

On the surface, the government of Russia wants to claim independence of the Russian internet. In their minds, this would prevent the possibility of politically blackmailing the Kremlin. Localization of internet services would also allow data to be easily collected by the security services. As a member of the Duma, I was an advocate in 2009-2011 to create a national financial payment system on top of our e-government solution, allowing for a modernization of credit card systems and the building of a platform for new and innovative Russian business to flourish. Unfortunately, this proposal was tabled at that time. Now sanction concerns have dawned on President Putin, and he reacted to them without injecting the modernization or the e-government aspects. Now we cannot match even Chinese development of their local payment system Union Pay. The bad news is that major international players like Visa and MasterCard in the payment systems and Facebook in social media are at best silent or actually cooperating in closing down the Russian internet. I feel betrayed by them, frankly speaking.

What is the ideal of the internet for the current government of the Russian Federation?

There are two points of view held within the government. One, held by Minister Nikolai Nikiforov, is that it is a platform. This is a reasonable perspective, which might allow the economy to grow and innovate. The second group sees it as mass media, and thus it should be controlled as it commands the heights of the economy in Russia. Disappointingly, security concerns have squelched the development in all but the clearly non-media related companies in Russia.
Whereas in 2013 the Russian Federation was the second-largest destination for venture capital funding after London and Berlin, this year venture capital inflows have plummeted as uncertainty continues. Moreover, the Bolotnaya protests were seen by President Putin as a reason to start a class war with the entrepreneurial "creative classes".

With the spike and drop of the core rates of the Central Bank of Russia, is Central Bank Governor Nabiullina acting rationally?

Speculators had a real role in stoking volatility in the Russian markets. Thus, the rise in the rates was intended to tame the speculators, and it worked. With them tamed, it is rational to lower the rates again to make a slightly more accommodative environment for businesses in Russia. Currently the economy, especially small and medium businesses, is in serious trouble and many of them are shutting down. Last year the country lost several hundred thousand SMBs, which I also interpret as part of this "class war".

What does the future of innovation look like in Russia?

Russian firms have been highly innovative in telecom and financial services, in mobile commerce platforms and social apps. We have great technology-intensive companies in OCR and cybersecurity. Nonetheless, many Russian firms have gone abroad, within the post-Soviet space or to the West. Those firms such as Yandex have been, one by one, shutting down various services to avoid clashing with the government. Despite that, there are many strong core fundamentals of the Russian economy that will prosper again in a post-Putin world. The diaspora of Russian technology entrepreneurs is strong and many remain tied to the homeland. With a change in the atmosphere in Russia, world-class innovation can be revived.
PARTNERING FOR CYBER RESILIENCE: TOWARDS THE QUANTIFICATION OF CYBER THREATS BY ANA C. ROLD AND JACK LESTER
As technology advances in the 21st-century marketplace, the ability to share products, ideas, and services increases. But so too do the threats and risks involved in using a digital medium. Identifying and managing these cyber risks therefore becomes imperative to ensuring the security of global business. In an interconnected, 24/7 world, security cannot be allowed to override the existing platforms of enterprise; cyber security must instead be organic to the growth of business and international trade. According to the joint study by the World Economic Forum and Deloitte, a shared response is the ultimate solution for providing resilience against possible attacks. These responses are built on the frameworks and models of different organizations, which are used to determine the cyber value-at-risk of assets. In building such models, the goal is to gather intelligence that determines from whom and from where an attack can occur. As each firm creates its own risk assessment model, the methodology for collecting resilience data can vary: the modeling may rely on statistical simulation, models of human behavior, parameter estimation and forecasting, and other techniques. What each model attempts to combine, however, is significant scope with enough precision to support the decisions made on its output. Despite the limitations of the various approaches, such modeling is imperative for providing some idea of future risk, as well as of the areas within a given industry that are more prone to attack.
As any ecosystem carries an inherent risk, so too does the digital world. Looking to the financial sector, this risk can be estimated using an instrument known as value-at-risk. From a cyber standpoint, a value-at-risk model can help determine the value of a company's assets from a digital perspective, as well as the potential losses, both tangible and intangible, that the firm could face in the event of a cyber attack. As digital threats exist across many global industries, a meaningful value-at-risk figure is derived from the individual analysis of three aspects: vulnerability, assets, and attacker profiles. First, a firm's possible vulnerabilities and its openness to the marketplace must be taken into account as avenues of possible attack. Once such openings are recognized, determining the value of the company's digital assets helps to further examine the potential cost of an attack. Lastly, the attacker profile asks who, or which groups, would be interested in those pieces of information or assets. It is difficult to say at this point which types of model are more accurate. Through a combination of monitoring, detecting, and responding to possible cyber threats, systems can be put in place both to mitigate damage and to quantify value-at-risk. While there is no single answer to the question of cyber security, modeling and predictive statistics help to address marketplace vulnerabilities. As more firms adopt preemptive security measures, the amount of input data available to the models increases, allowing them to keep pace with an ever-growing industry. If industries are willing to cooperate in threat assessment and action, effective cyber threat management can be achieved with mutually bolstered resilience.

While in Davos, Switzerland, during the annual meeting of the World Economic Forum, Editor-in-Chief Ana Rold sat down with two of the architects behind the report, Jacques J. Buith and Dana Spataru, to discuss the future of cybersecurity.

Tell me about the significance of this newly released report on cybersecurity.

The report is about cyber threats, and the interesting component we added in this year's project is to quantify the cyber threat levels, as well as measure the benefits and opportunities a digital world gives us, match that with the threats and levels of risk we see in cyber, and build that into a model. It is a simplification of the truth, obviously, but at least we start modeling it, in a similar fashion to what the financial services industry has done for 30 years, and apply the value-at-risk principles to a model for cyber threats.
So one thing I took away after reading the report is that increasing expansion in technology, web, cloud, social media, etc., is inherently about sharing, not security. So we can't be completely secure, clearly. What is your answer to this through your report?

The answer is, and always has been, that the word resilience is the most important thing. So 100% security is not an option. We always say, assume you will be hacked, prepare for the worst, and respond proactively with care. Have your plans for resilience at the right levels, and be ready for if it happens.

So if complete security is not an option, what is the next best thing? What does that resilience really mean?

Resilience starts with intelligence, to know what's out there. Know what the vulnerabilities are; know when your data is more vulnerable than others. If you have your intelligence at the right level, then the next step is monitoring it. Monitor your own systems, networks, countries, to see if those vulnerabilities that exist really occur. And if they happen, then within the monitoring system the alarm system and the incident response need to kick in. But it's also about reputation and risk. It's about communication, legal, higher management. Don't keep it at a technical level; scale up to management and the board, and you will see at the end of the day it is they that will be affected by the reputational risk.

This makes total sense to me when I think about a big company. But when I think about a small company, what we're talking about is less capacity. How does this scale for them? Do they need the same kind of resilience to build on?

They do. It all matters, and that's also the quantification model: it all models how vulnerable the data is, in other words how interesting their data, their intellectual property, and their customer data are for things to happen. And if that's at the same level, then a smaller company needs to have their act together. I think the smaller companies, also with cloud and the internet transformation, a lot of those have outsourced some of the components to technology providers. So they can also outsource pieces, from secure operating centers, monitoring centers, to outside parties to do that for them.

In the project, you talk about a shared effort among world participants, and how that's required, and how business must understand counter-measures in order to feel secure. What does this effort look like, and what does it mean? Who is involved?
Deloitte has been involved in this project for the last two years. We've been working with the World Economic Forum and a lot of the parties for the last couple of years. The first years were when we focused on awareness, principles, signatures, and training. We felt we made, as a partnership, huge headway in this. So this phase is done, I think; not done in that we should not spend time on it, but we are at the next step now. And the next step is, "what are we investing in the digital world?" And how valuable is the digital world for us, from a stakeholder's value, from a shareholder perspective, and match that with the risks and the threats. The partnership is comprised of a lot of technology companies who are an instrumental part in securing the internet. One of the sessions we organized was with Singularity University in Silicon Valley, with Peter Diamandis and Mark Goodman. So that was the tech side. We had a session in London that focused more on insurance and financial services, and we looked at it from: how can we productize the cyber threats and make cyber resilience insurance policies, and if a company makes an insurance policy, what's the margin on it?

You were talking about making this more an effort where you monetize, where you're creating products, and then companies can buy these products or use these products, and then they're sort of checking the list of the things they're supposed to be doing in order to build resilience. But a lot of these threats, if we've learned anything from Sony and other recent hacks, there are a lot of things that are unprecedented. So a lot of the experts out there say the worst hasn't come yet. How do we simulate these issues?

That's a good point. And that's also the reason we picked up the challenge, and we call this VAR, Value-At-Risk, or Cyber VAR. In the financial services industry, for insurance products, it's been known for 25-30 years; it's all worked out with regards to derivatives, insurance, because there is history, as you said. But in cyber, we are lacking that. We are lacking, "have we seen everything yet?" The answer is no. Have we seen the worst? The answer is probably also no. But we believe that with this model, and continuously working on and enhancing the model, we at least will start seeing the value of it. So we believe this is a starting point with the cyber VAR model, to collectively start working on it and enhance the insights that it will give us. If a company starts implementing it today, it will not give you all the insights, but it will at least be a pattern towards other insights for what you invest in cyber, versus what your threats are.

Twenty years ago you would buy your typical personal computer and you had to buy anti-virus products, and then you felt safe. Every now and then you clicked on something silly and then you got in trouble. We're not talking about that, but can we get to that point, where you can go to your local computer store and get something off the shelf, and say, "now I'm protected"?

That's a good question, and we have had debates on it. I think this will take some time, and the reason I'm saying that is because we are implementing cyber-security measures on top of legacy. In the banking and insurance world, for example, a lot of systems and the software and the technical devices are 20 to 30 years old. That's the real situation, and we first need to find solutions in the Internet of Things, in the appliances, in the semi-con [conductors], in the hardware, then into the software, which ultimately need to be implemented by the company. So it will take a long time to pass the situation we are currently in, which is not a very negative situation, by the way. I still think that the whole digital transformation, and what digital cyber brings us, is creating lots of value. The growth we are experiencing because of it is still greater than the risks that we are facing.

Tell me about the model in this report.

We started the model with the idea that the first step you need to take if you want to implement the model is to understand the different data points and components that you need for a start. Our model is based on the fact that you understand some of the variables, and start working on getting those data points for the variables. And to give you some examples, things like, "What is the security profile of your enterprise or organization?" We want to know, first of all, what's your security infrastructure? Things like anti-virus, firewalls, all these pieces, do you have everything in place or not? That's one of the components. Another important piece, which is also linking to the Value-At-Risk from financial services, is the criticality of your assets. So you need to understand what your critical assets are, what do I have, what's the value for my company? And then the important part: who would attack it? Then you get more into the threat and the possible actors. These are things that are inputs into the model. First you need to do your homework and get your information for each one of these variables together, in order to model. So you have all these pieces together, and in the end you would use probabilistic modeling and model the different elements. And what we learned is that there are many organizations using different models.

So in layman's terms, if a target has 20 million credit card numbers, they're not worried if it's all stored somewhere where there's only one door?

Exactly.
What about reputational damage?

You need to model that as well.

What about barriers to entry that could result in smaller companies maybe not adopting this model right away? Clearly bigger companies with more to lose will start the model, getting wiser. Smaller companies might take a while. What kind of ripple effect does that have in the marketplace?

I'm not sure I completely agree with smaller and difficult. If you are a startup, then you have some advantages over the larger companies with legacy and systems from 30 years ago. So that is much more challenging and difficult than an internet startup that starts from greenfield and can adopt modern technology. Because with modern technology, modern software, it's much easier to do.

Is there anything else out there right now, that deals with this cyber security issue at this depth and formula, that you know of?

No. We have incorporated very sophisticated models, and with the partnership with the World Economic Forum we have been working with multiple other technology and consultancy firms to add their components as well. Insurance companies also have models, technology providers have models, and so they are also part of the panel for this report. We have tried to have an open source community around this.

And is this mandatory reading for everyone right now?

Absolutely.
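The article and the interview above describe the cyber value-at-risk model only in outline: three inputs (the enterprise's security profile, the criticality and value of its assets, and the attackers likely to be interested in them), combined by probabilistic modeling into a loss figure. The following is an added example written for this edition, not code from the WEF/Deloitte report, showing how those inputs turn into a VaR number with a small Monte Carlo simulation. The asset values, attempt rates, capabilities and control strengths are constructed figures, and the loss formula (asset value times a random fraction lost, scaled by a reputational factor) is an assumption chosen for illustration, not the report's formula.

```python
"""Toy cyber value-at-risk (Cyber VaR) estimate by Monte Carlo simulation.

Added example; not code from the WEF/Deloitte report. Inputs follow the three
aspects the article names: security profile (exposure and control strength),
assets and their value, and attacker profile (who, how often, how capably).
Every figure below is constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # direct loss if the asset is fully compromised
    reputation_factor: float  # intangible loss, as a fraction of the direct loss


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    exposure: float           # P(an attempt reaches the asset) with no controls
    control_strength: float   # fraction of reaching attempts the controls stop


@dataclass(frozen=True)
class Attacker:
    actor: str
    asset: str                # the asset this actor is interested in
    attempts_per_year: float  # expected attempts per year (Poisson rate)
    capability: float         # P(a reaching, unblocked attempt succeeds)


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler (the standard library has no Poisson draw)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(assets: List[Asset], vulns: List[Vulnerability],
                           attackers: List[Attacker], years: int, seed: int) -> List[float]:
    """One simulated total loss per year (assumed loss model, see module docstring).

    The success and severity draws are taken for every attempt, so two runs with
    the same seed but stronger controls see identical attempts and the hardened
    run can never lose more in any year.
    """
    rng = random.Random(seed)
    asset_by_name: Dict[str, Asset] = {a.name: a for a in assets}
    vuln_by_asset: Dict[str, Vulnerability] = {v.asset: v for v in vulns}
    losses: List[float] = []
    for _ in range(years):
        year_loss = 0.0
        for atk in attackers:
            asset, vuln = asset_by_name[atk.asset], vuln_by_asset[atk.asset]
            p_success = atk.capability * vuln.exposure * (1.0 - vuln.control_strength)
            for _ in range(_poisson(rng, atk.attempts_per_year)):
                u = rng.random()                     # did this attempt get through?
                fraction_lost = rng.uniform(0.05, 1.0)  # how much of the asset went?
                if u < p_success:
                    year_loss += asset.value * fraction_lost * (1.0 + asset.reputation_factor)
        losses.append(year_loss)
    return losses


def cyber_var(losses: List[float], confidence: float = 0.95) -> float:
    """Annual loss exceeded in only (1 - confidence) of the simulated years."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[max(index, 0)]


def summarize(losses: List[float], confidence: float = 0.95) -> Dict[str, float]:
    return {
        "expected_annual_loss": statistics.mean(losses),
        "var": cyber_var(losses, confidence),
        "worst_case": max(losses),
        "share_of_years_with_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed portfolio: a cardholder database worth far more than a public website.
ASSETS = [
    Asset("cardholder_db", value=5_000_000.0, reputation_factor=0.5),
    Asset("marketing_site", value=50_000.0, reputation_factor=0.1),
]
BASELINE_PROFILE = [
    Vulnerability("cardholder_db", exposure=0.6, control_strength=0.5),
    Vulnerability("marketing_site", exposure=0.9, control_strength=0.2),
]
HARDENED_PROFILE = [  # same exposure, database now behind much stronger controls
    Vulnerability("cardholder_db", exposure=0.6, control_strength=0.95),
    Vulnerability("marketing_site", exposure=0.9, control_strength=0.2),
]
ATTACKERS = [
    Attacker("carding_crew", "cardholder_db", attempts_per_year=3.0, capability=0.4),
    Attacker("defacement_hobbyist", "marketing_site", attempts_per_year=6.0, capability=0.5),
]


def compare_profiles(years: int = 20_000, seed: int = 2015, confidence: float = 0.95):
    """VaR before and after hardening, on identical simulated attack histories."""
    base = summarize(simulate_annual_losses(ASSETS, BASELINE_PROFILE, ATTACKERS, years, seed), confidence)
    hard = summarize(simulate_annual_losses(ASSETS, HARDENED_PROFILE, ATTACKERS, years, seed), confidence)
    return base, hard


if __name__ == "__main__":
    for label, result in zip(("baseline", "hardened"), compare_profiles()):
        print(f"{label:9s} expected={result['expected_annual_loss']:>12,.0f} "
              f"VaR95={result['var']:>12,.0f} worst={result['worst_case']:>12,.0f}")
```

Running the script prints the expected annual loss, the 95% VaR (the loss exceeded in only one simulated year in twenty) and the worst simulated year for both control profiles. The point a practitioner should take from it is the one the interview makes: the model does not predict a specific breach, but it lets a security investment (here, raising the database's control strength from 0.5 to 0.95) be expressed as a change in the loss tail, which is the quantity an insurer or a board can actually compare against the cost of the controls. Because the same seed drives both runs, the comparison isolates the effect of the controls from sampling noise.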
CYBERSECURITY, THE INTERNET OF THINGS, AND THE ROLE OF GOVERNMENT BY SEAN S. COSTIGAN
With each advancing year, more novel information technology is brought online, simultaneously advancing society's capabilities and its dependence on new and legacy systems in areas as diverse as healthcare, finance, entertainment, defense, and critical infrastructure. Despite unceasing news of cyber attacks and exploits that appear to strike at the nervous system of modern society, many information technology companies continue their long pattern of outsourcing risk, since, it is thought, building technology with security first in mind may make it harder to bring to market or less profitable. Yet it is not only new information technology that is laden with obscure troubles. By now it should be apparent to anyone reading the news that the legacy computer systems on which we all depend have fundamental weaknesses. Consider the "Shellshock" and "Heartbleed" vulnerabilities that came to light in 2014. Shellshock exposed a flaw that had sat unnoticed in the Bash shell since 1989; Heartbleed, a much newer bug in the OpenSSL library, showed how a single flaw in one widely reused component could expose much of the internet at once. Both could still have very serious results on critical networks. Today there is a constant dynamic at play of researchers finding holes and acting to plug them, or criminals exploiting them first in so-called zero-day attacks. To put this in cybersecurity terms, the attack surface of our information-technology-dominated society is expanding vastly, and the gains in security are too few to cover us.
At the legal level, laws across the globe are simply not equipped to deal with today's rapid technological change; law is often reactive. At the commercial level there are clear reasons for not wanting to discuss risk publicly: admitting to risk may be akin to accepting legal responsibility, and shareholders and customers may not be keen on your wares. At the national level, even for those countries that are updating their laws, the best that can be said is that they are in a state of flux and playing catch-up. In the U.S. we are using laws written in the 1980s to deal with novel and massive crimes, throwing the book at hacktivists and cybercriminals alike in one broad stroke. Internationally it is worse, as countries hide behind difficulties in attribution, or do not have the capacity or the desire to police their own people. So criminality continues essentially unabated and security flaws continue to crop up, while many outdated or inadequate laws are applied. Given the rapid technological shifts all of us have seen, one might reasonably wonder how so many new security risks could be allowed to proliferate. The unsatisfying answer is that in many cases the original design was never built with security in mind. Consider that the internet, as Alexander Green put it, "was originally intended for a few thousand researchers, not billions of users who don't know or trust each other. So, the designers placed a higher premium on ease of use and decentralization over privacy and security." The designers simply did not foresee that the internet would ultimately be used for commercial and military purposes, or become a haven for criminality. Even though security concerns are a higher priority for companies now, there is a perpetual tradeoff between gaining users, dollars, and data, and locking down the technology and user data.
Unsettling news such as celebrity or corporate hacks may temporarily increase vigilance in some cases, but there also appears to be a sense that security is becoming a hopeless cause. Even Bruce Schneier, among the most noted computer security experts, has said "Security is out of your control." For certain, private corporations and the public continue to compound the problem by making considerable security tradeoffs for convenience. From a macro perspective, what we currently see amassed against modern, IT-dependent society is an admixture of hacking, terrorism, espionage, and cyberwar. Consider these data points: In 2011, Kroll's annual Global Fraud Report found that the preceding year marked a milestone, as it was the first time ever that the cost of electronic theft topped that of physical theft. In Snowden's wake, there has been a renewed focus on the efforts of intelligence agencies in cyberspace. Under that cover, many countries are thought to be exploiting loopholes and taking advantage of grey areas for industrial espionage while claiming that the U.S. does the same.
North Korea, Iran, China, and Russia are among the countries with cyber military units that many experts suspect are moving toward offensive disruption and destruction. Politically oriented hacking groups like LulzSec and Anonymous continue to operate, despite significant law enforcement activity against them. Criminals are more prolific than ever, getting away with bigger heists, some of long duration, as in the Target and JPMorgan cases. With cybersecurity measures being essentially tacked onto now-critical infrastructure, it is no wonder that the idea of a new, more secure, attribution-enabled internet keeps cropping up. In February 2010, former NSA Director Mike McConnell wrote, "we need to reengineer the internet to make attribution, geolocation, intelligence analysis, and impact assessment—who did it, from where, why, and what was the result—more manageable." A National Academy of Sciences report concluded that the attribution challenges are not primarily technical or engineering concerns: "[T]he most important barrier to deterrence today is not poor technical tools for attribution but issues that arise due to cross-jurisdictional attacks, especially multi-stage attacks. In other words, deterrence must be achieved through the governmental tools of state, and not by engineering design."

Marching Ahead to the Internet of Things

Into this unstable and dynamic mix comes the Internet of Things (or IoT for short). The IoT refers to uniquely identifiable physical objects and their virtual representations in a network. Sometimes the IoT is described as a "thingaverse." Importantly, it is not people talking to people or people talking to things, but things communicating with things. (Some argue that people, through their always-on and ubiquitous smart devices, are among the first real mobile nodes of the IoT, as their devices constantly update other devices about location, speed, and so on.)
At a conceptual level, the IoT is networked, automated, machine-to-machine awareness for processes such as data collection, remote monitoring, and decision-making and -taking. The IoT is not a new concept, but rather one with a relatively long history in information technology circles that is now being enabled by numerous advances. As with many technological and scientific innovations, there are several people who can rightly claim a stake in its creation. Separately, in 1999, Bill Joy of Sun and Kevin Ashton of the Auto-ID Center at MIT proposed ideas that would become the Internet of Things, though the phrase itself is attributed to Ashton. At the domestic end of the spectrum the IoT was initially a solution looking for a problem: people had been trying to figure out how best to run their households with computers since the advent of the home computer industry. Today the Internet of Things is a term that encompasses many new internet-connected everyday objects, including household objects, even our cars, and many more industrial-scale processes. Another, more generic term of art, Machine-to-Machine (M2M), is sometimes used interchangeably.

HOW WILL THE IOT WORK?

Broadly, it is thought that the Internet of Things will make things smarter by connecting devices and improving processes. This will be brought about through a variation on Metcalfe's Law, which states that the "value of a telecommunications network is proportional to the square of the number of connected users of the system." Likewise with the IoT, the idea is that increased connectedness will also result in increased value and usefulness.

WHAT FACTORS ARE ENABLING THE IOT?

Technological convergence and force multipliers are all coming into play: short-range communications technologies such as RFID, NFC, Bluetooth, and WiFi, plus recording devices, awareness algorithms, cloud storage and computing, big data, and analytics are all being brought to bear to create the IoT. Additionally, according to a recent McKinsey study, there has been an 80 to 90 percent reduction in prices for microelectromechanical systems (MEMS) and sensors over the past five years. MEMS are crucial for the IoT's ability to collect and act on data. The IoT also depends on unique object IDs, and so would be dashed without a new Internet Protocol (IP) to deal with the problem of internet address exhaustion. Internet Protocol version 6 (IPv6), the latest revision of the communications protocol that provides an address system for computers on networks and routes traffic across the Internet, was developed by the Internet Engineering Task Force (IETF). Its 128-bit addresses give an address space of roughly 3.4 × 10^38, so exhaustion of the kind IPv4 has reached is not a practical concern. So, the IoT has unique addresses covered.
Big data and cloud computing are significant enabling factors. The 2014 EMC/IDC Digital Universe Report estimated that 40 percent of all data will be machine-generated by 2020; it was 11 percent in 2005. Most of that data is in private hands, and the drive to allow machines to make decisions is well along. As Nick Jones, research vice president and analyst at Gartner, once said: "Computers can make sophisticated decisions based on data and knowledge, and they can communicate those decisions in our native language. To succeed at the pace of a digital world, you'll have to allow them to do so."
BIG NUMBERS

The time-honored investigative route of following the money indicates that some of this change is due to a push for new revenue streams. The desktop computing market is not as lucrative as it once was and mobile computing may become saturated, so M2M appears to be the next logical step for chip and device manufacturers and communication companies. Furthermore, the potential money to be made from IoT awareness is apt to make today's advertising dollars look small. When machines are able to tell what is being used or when something is low on supplies, they will also be reporting data on human activities, the lifeblood of marketing firms. In less than a decade, estimates of the economic value of M2M and the IoT have moved from billions to trillions of dollars. In 2004, BusinessWeek predicted that M2M would be a $180 billion market by 2008. Two recent estimates may help put this in perspective: General Electric estimates that the IoT will add $15 trillion to global GDP over the next 20 years. McKinsey Global Institute's May 2013 report suggests an economic impact of $2.7 trillion to $6.2 trillion annually by 2025, mainly in health care, infrastructure, and public sector services. Intel plans to increase its research and development budget for the Internet of Things by 20 percent this year. It is clear that Intel's efforts are already paying off, as it is breaking out its Internet of Things group into a separate operating segment. For Intel, the Internet of Things generated $482 million in revenue in the last quarter, which represented 32 percent growth year over year. McKinsey is already reporting an increase of 300 percent over the past five years in machine-to-machine devices. Likewise, Cisco recently estimated that 50 billion to 1 trillion things will be connected to the IoT across industries such as manufacturing, healthcare, and mining within ten years.

SECURITY CONCERNS PROLIFERATE

So, the current Internet of People is massively troubled by security concerns.
We know that objects under computer control or accessible via the internet can be hacked, and that those hacks expose new risks. Hackers, whatever their motivation, can get into corporations and governments, households, cars, and small businesses; in effect, anything "smart" and connected is a target. On the IoT's home front, we have already seen hackers accessing poorly secured baby cameras, refrigerators, and thermostats. Given these realities, targeted digital hijacking is apt to be a growth business for criminals.
Greater risks will be seen in some areas as more devices are connected to the internet, especially critical infrastructures and services. With some 90 percent of critical infrastructure in the United States under private control, there are already serious vulnerabilities to contend with. Hacking will increase, as there will be more interesting targets everywhere and the ability to monetize hacks is apt to remain. The more things we see connected in this space, the more likely the sheer concentration of value will attract cyberterrorists, too. Whether or not terrorists strike out in cyberspace, the IoT will have ugly failures that play out in the real world. To make matters worse, when real things go bad, retry and restart functions may be difficult or perhaps even impossible to implement. By comparison, the Flash Crash of 2010 that affected stock markets could be corrected, but what about when the impact is on actual things in the physical universe? And what would a "reset" button actually do? In 2007 I noted that while cyber-terrorism of the sort that causes major damage or death through computer attacks had apparently not yet materialized, terrorists had clearly taken advantage of the strengths of the internet and web to gather intelligence, communicate, plan, recruit, fundraise, and, as in the case of beheading videos, frighten. And whereas just a few short years ago it seemed that terrorists would remain unlikely to engage in cyber attacks, due in part to the complexity involved in creating software, times have changed. The IoT touches real objects in the physical world, and as such will proliferate attractive targets for cyberterrorism. The IoT will have to contend with these problems.

SEVEN UNINTENDED CONSEQUENCES OF THE IOT

1. Loss of privacy: Already to some this is a lost cause. However, the IoT is apt to be a force multiplier, as connected devices can transmit data back to companies. What does that mean for privacy? How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision-making or to promote energy efficiency?

2. Unforeseen and unequal distribution: Amplifying the digital divide. As William Gibson once said, "The future is here, it's just unevenly distributed." So too with the IoT, as developed nations and well-off locales are apt to experience the benefits (and potential downsides) first. Will the IoT really benefit all, or just increase disparities?

3. Pre-crime forecasting: Something that Philip K. Dick dreamt up may become real as machines report on the digital exhaust of the devices that humans use or that their devices come into contact with.

4. Unforeseen spill-over effects: An accident or attack may now result in a wide-ranging power blackout, for example. This is likely to happen with greater frequency as more devices are brought online.

5. Economics disrupted as certain skills become less important and we "teach the machine": Jobs are apt to be lost. For example, with automated transport, truck and bus drivers and other paid drivers may be among the first to lose their jobs. Already, the mining company Rio Tinto is employing driverless trucks for transporting ore.

6. Loss of the ability to maintain understanding and control: The systems we make may together become more complex than we can imagine and control. Increased complexity is apt to come with unforeseen costs.

7. Merging the virtual with the physical, making for many new, attractive targets: From targeted cyber hacks to cyberterrorism, the IoT's proliferation of new devices is apt to be awfully tempting to national, amateur, and for-hire hackers.

THE ROLE OF GOVERNMENT

Clearly, the modern IT-dependent society needs a massive thinking upgrade to help understand risk, plan for the future, and keep harm to a minimum while continuing to enjoy the remarkable benefits of information technologies. When corporations are reckless with security, it is often not until much later that society finds out about the risks that were run. As William Jackson of Government Computer News noted, "industry and private sector companies have a vested interest in maintaining adequate security and that regulation should be kept at a minimum. But companies have always had that interest, and to date it has not translated into adequate security." Government is not blameless either, as the tasks of keeping up with technological change and risk fall squarely on thinly stretched forces; however, too often there has been a willingness to accept corporate decisions and leadership in lieu of government oversight.
What we are left with is the knowledge that government and industry must redouble their efforts to understand risks, improve services, and monitor technologies, and that in particular with the IoT, standards and controls must be well understood to limit unintended consequences. Pursuing such an agenda would best be achieved by working internationally with other governments and with multinational corporations and NGOs, as each has a stake. Dealing with these persistent, international threats and novel risks means having to cooperatively create and enforce standards, advance new laws, and pursue negligence and criminality. Our current computing technology predicament is a far cry from Mark Weiser and John Seely Brown’s concept of “Calm Technology” that they penned in 1995: “that which informs but doesn’t demand our focus or attention.” However, the concept may be an excellent way to plan for the IoT world with these principles in mind:
The purpose of a computer is to help you do something else.
The best computer is a quiet, invisible servant.
The more you can do by intuition the smarter you are; the computer should extend your unconscious.
Technology should create calm.
Executing on such a plan would require government leadership and willingness to change and compromise across the board. While this might seem a tall order for government, the alternative appears to be tacitly accepting worsening security for all. Enlightened government has a responsibility to help create calm.
About the author: Sean S. Costigan is an independent consultant and serves as a Professor at the George C. Marshall European Center for Security Studies. His most recent work is a novel cybersecurity curriculum, to be published and made freely available by NATO in October 2016.
CHINA: THE INTERNET AND THE BIRTH OF CYBER DIPLOMACY BY RICHARD ROUSSEAU
In the 2000s, “public diplomacy” became a central part of the function of diplomacy. As a result of the communications and transportation revolutions, diplomats, national leaders, and more can now be seen and heard by more people in more places than at any previous time in history. Skillful public diplomacy can influence public opinion beyond one’s own country to support policies and positions, and can influence foreign peoples to have a favorable view of one’s country. Conversely, blundering public diplomacy can undermine even well-conceived policies and positions, and can project an extremely negative image of a country. Public diplomacy is important at other levels as well. Diplomats often seek and accept speaking engagements and media interviews, and work with other outlets in which they can obtain the opportunity to influence others to view their country and its policies favorably. At times, such public diplomacy may be considered by host countries as meddling in their internal affairs. At other times, it may be virtually identical to a diplomat’s representation function.
However, recently a new type of diplomacy, more malign, came into being. On January 7, 2010, Google announced that it had been the victim of a major hacker attack that began in mid-2009 and continued through December 2009. The attack, known as “Operation Aurora” and described by the largest search engine in the world as “sophisticated” and “high-level,” was aimed at more than 30 other organizations, including Adobe Systems, Rackspace, Yahoo, Symantec, Juniper Networks, Morgan Stanley, Northrop Grumman, and Dow Chemical. In 2011, Google also said that the hackers, who were based in China’s Jinan province, had compromised personal email accounts of hundreds of top U.S. officials, military personnel, and journalists. Nobody has yet produced conclusive proof that such attacks were state-sponsored, but Google’s Press Office stressed that the primary goal of the hackers was to penetrate Google’s computers and access the Gmail accounts of Chinese human rights activists. Google also said that, apparently, the attack failed, as users’ data was not compromised. More specifically, it appeared that the cyberattack was also conducted by advanced persistent threats carried out by the Elderwood Group—an organization based in Beijing, China, with ties to China’s Politburo, at least according to U.S. State Department cables that WikiLeaks released in November 2010. Security experts have linked the attacks to servers at a university used by the Chinese military. Also, according to many computer specialists, the December 2009 attack, in terms of the style and instruments used, was very similar to the one perpetrated in July of the same year. The difference was that the second cyberattack targeted specific individuals. These attacks took advantage of some of the Google software’s vulnerabilities, which were still “unknown.” Within hours of Google’s acknowledgment of the Aurora attacks, the U.S. State Department issued a statement asking the Chinese government for an explanation. Official Chinese media responded stating that the incident was part of a U.S. government conspiracy. For its part, Google decided to pull out of China and defied Chinese censorship regulations. It also moved further Chinese operations to Hong Kong, as it would otherwise have remained a constant target for Chinese cyberattacks.
These incidents led to diplomatic confrontations and raised profound questions about the future of online freedom and cybersecurity. Google, through former U.S. Secretary of State Hillary Clinton, requested an official explanation from the Chinese government. In a speech on Internet freedom, delivered on January 21, 2010 at the Newseum in Washington, DC and coming on the heels of the cyberattack, Clinton stressed the importance of freedom of information. In her own words, “as in the dictatorships of the past, governments are targeting independent thinkers who use these [internet, social networks] tools… As I speak to you today, government censors somewhere are working furiously to erase my words from the records of history. But history itself has already condemned these tactics.” Clinton’s remarks made it clear to online operators that the U.S. Government stands prepared to support
them when they are willing to challenge the censorial policies of repressive foreign regimes. China was cited numerous times in Clinton’s speech, especially with regards to its government’s policy on information. She concluded by saying that “historically, asymmetrical access is one of the leading causes of interstate conflict” and that “both the American people and nations that censor the internet should understand that our government is committed to helping promote internet freedom.” Cyber security also dominated the first summit between Chinese President Xi Jinping and U.S. President Obama on June 7-8, 2013, in Palm Springs, California. Obama confronted the Chinese president on the cyberattacks carried out from within Chinese borders throughout 2012 against nearly 40 Pentagon weapons programs. The Washington Post reported in May 2013 that compromised programs included missile defense systems, aircraft, and ships. Although the extent of official Chinese involvement cannot be clearly determined, U.S. officials have called upon the Chinese leadership to take a more active role in countering violations of cyberspace. If the use of new technologies by governments is nothing new, especially in matters of espionage and control of public opinion, the scars wrought by the hacker attack can be considered the starting point of a new type of diplomacy—Cyber Diplomacy. Such technologies will continue to impact the geopolitical balance of power. One novelty in terms of the Google and Pentagon weapons programs attacks is the high level of sophistication of these cyberattacks, which affected global leading companies in the computer and information industries as well as the private lives of many powerful individuals around the world. Another feature is the immediate reaction coming from those placed in high-level positions in the U.S. government, including the direct intervention of the Secretary of State.
In her speech, she officially sanctioned the birth of Cyber Diplomacy, and highlighted computer security and freedom of the web as now crucial diplomatic issues. The economic, financial, industrial, and military sectors’ development and prosperity are increasingly linked to the free flow of information. Moreover, electronic networks are now irreplaceable instruments for international politics. In addition to the traditional contentious issues between the United States and China—freedom of information, human rights, commercial rivalries, and the most recent agreement between Washington and Taiwan for continued military procurements—the Google episode is the prelude to further diplomatic confrontations. It places the two superpowers increasingly on an antithetical plane, even after the thaw initiated in 2008 with the election of Barack Obama.
DUCK AND COVER: CYBER INSTABILITY BY CHRISELLA HERZOG
Anyone familiar with the post-World War II security environment will remember grainy movies with a friendly but stern voice instructing children on how to survive a nuclear blast. “Duck and cover,” they said; curl up at the base of a nearby wall and cover yourself with a jacket or your hands. When the United States lost its monopoly on nuclear weaponry in 1949, the U.S. government sought to prepare the population for nuclear war. Even if the benefits of “duck and cover” in the event of a nuclear strike were negligible, the sense of agency in a truly unstable security environment was invaluable. This winter, the world celebrates 21 years since the end of the Cold War and fears over inter-superpower nuclear war, but a Millennial generation that remembers nothing of “duck and cover” lessons is facing a new threat no less terrifying than thermonuclear war. “Stuxnet was Hiroshima,” said James Mulvenon, Vice-President of Defense Group, Inc.’s Intelligence Division and Director of DGI’s Center for Intelligence Research and Analysis, on an Atlantic Council panel in July. In much the same way the A-bomb showed the world the destructive potential of nuclear power, so too did Stuxnet prove what malware capabilities combined with destructive intent could do. And much like the era of duck and cover, policymakers have failed to come up with solutions that will adequately protect the population in the event of cyberwar. For the moment, solutions are utterly out of their reach, and anything they try could potentially make the situation worse.
Unlike in nuclear war, where the precedent was “use as a last resort,” the creators of Stuxnet have set the precedent of striking through cyber attacks as a prelude to physical hostilities. After news about Stuxnet broke, the world’s governments were strangely quiet—most likely because they immediately devoted resources to repurposing it. However, the beauty—and terror—of the Internet Age is how it has democratized access to knowledge, allowing actors to take advantage of the immense power of crowd-sourced information, both in public forums and in a significant information underground. Just as policy-makers fear nuclear weapons falling into the hands of rogue non-state actors, they should fear these same actors getting their hands on a zero-day vulnerability in any of our critical infrastructure. Should someone choose to attack, they would have a good chance of affecting a system that was never built to withstand malicious attacks in the first place. The democratization of cyber weaponry has raised the question: what meaning does sovereignty have in cyberspace? More than any virus or environmental pollutant, internet denizens care little for Westphalian borders. Traditional cybersecurity policy has been approached from a nationalist point of view, with regulations focusing inside national or regional borders, but they are largely ineffective against attacks originating from outside the country’s borders. There is nothing a law passed by the U.S. Congress is going to do to stop a Chinese or Russian hacker from depositing a piece of malware or spyware in a critical banking or secret government program. Government officials cannot work out which protective defensive measures to implement fast enough to keep up with the advancements in technology, let alone with a hacker’s tactics. U.S.
officials are just beginning to consider how to implement a strategy to deal with both the kind of attacks perpetrated by bored young adults, like LulzSec, and intelligence espionage, and have not even begun considering how to address issues brought about by mobile technology and increasingly “frictionless” sharing of data. In response, private companies are taking matters into their own hands, going on the offensive against perceived threats by striking back at their attackers. After Chinese attackers hacked Gmail accounts and stole some Google source code in January 2010, Google responded by hacking their attackers right back. A July survey of 181 attendees at the Black Hat USA conference in Las Vegas showed that 36 percent of respondents had engaged in retaliatory hacking in the past; in reality, the numbers are likely much higher. Despite government exhortations to focus on proactive defense rather than an “eye for an eye” sense of cyber justice, the private sector is rapidly hurtling down a path where one wrong accusation or action could escalate to an all-out war.
The low barrier to entry in this battle has led to the development of a sort of Wild West environment, where digital hit men openly advertise their hacking services in taking down whatever target a buyer desires, and though prices vary, a hit man can be bought for less than an average apartment’s monthly rent payment. Just like during the Cold War, it will not be uncommon for peripheral actors to be caught up in attacks on other actors. One tactic of espionage hackers is to target “watering hole” sites—meaning to hack websites that an organization’s employees are likely to visit (local government sites, a community bank, or a trusted news source) and install a Trojan when visitors arrive on the page. Symantec has warned that “Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as they may have been compromised and used as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013.” Even worse than one company’s employees being hacked is the silence coming from those companies afterwards. Without knowledge sharing between companies, one PR department’s embarrassment could lead to one company after another falling victim to the same attack, and hackers gathering more and more intelligence. Most notable about all these threats is how few of the problems fall under the jurisdiction of state actors. The Internet Age has diffused power from major centers of hierarchical power to ever-smaller, autonomous non-state actors. It is theoretically possible for a dedicated individual to change the entire global balance of power, and it is impossible for any one government to stop it. It is clear that there must be a substantial, comprehensive approach to cybersecurity. The first step to creating a better security environment is acceptance. In the stages of grief, the U.S. is currently in denial.
We cannot continue to act as if every attack will be “Pearl Harbor” as Secretary Panetta tries to warn, because that will leave us vulnerable to a number of smaller problems. However, we also cannot continue to act as if a cyberattack will never happen to us personally. We must accept that the new world we live in will always carry a risk of cyber insecurity. Once we stop worrying about that, we can move on to the next step: building a defensive mindset. Defending against a cyber intrusion is not only about creating new technologies; technology, after all, is only as smart as the person using it. It is more important to educate on best practices for safety, and in the process create a set of norms for cybersecurity. Is it necessary to attach all your personal information to your Facebook account? Or to then use that Facebook account to comment on multiple forums or sign up for apps?
Finally, the world’s nations need to cooperate to create a system of global deterrence, similar to the network created to deter the production of more nuclear weapons. At the moment, there is no deterrent incentive; rather, there is a high incentive to preempt another nation or group attaining the means to attack, making the current environment highly unstable. Deterrence will mean, initially, establishing an image of being able to respond to any attacks with disproportionate force, then creating a set of norms, with rewards and punishments, to discourage cyber attacks. Any plan must encompass three levels:
1) the individual (for example, if you decide to participate in mobile banking, what precautions should you take?);
2) private enterprise (choosing proactive defensive measures over dangerous reactive retaliatory measures, and sharing knowledge of threats with each other); and
3) nation states (finding a balance between security and citizens’ desire for transparency, and cooperating with each other to find global solutions to global problems).
To reach this point quickly, the United States, as the world’s leader in cyber industry, must draw upon the resources of allied governments and work to create strong defenses, appropriate and balanced punishments, and a system of norms that will raise the entry point for cyber crimes to discouraging levels.
THE FUTURE OF CYBERSECURITY LEGISLATION: WILL CONGRESS ACT? BY PIERCE BLUE
As most members of Congress busy themselves with the election, the debate around the future of cybersecurity legislation in the United States continues to rage in Washington.
The current session has been a bumpy one for advocates of increased government oversight in the cybersecurity field. A highly anticipated bipartisan bill developed over the past three years by Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), and Jay Rockefeller (D-WV) stumbled over concerns about excessive regulation. The House of Representatives alternative, less prescriptive and more acceptable to the business community, was labeled as a non-starter by the Obama Administration and leading privacy groups. All sides agree that a problem exists; there is simply no agreement on how to move forward to solve it, and frustrations are building in both parties. In September, after the Senate failed to move a revised Lieberman-Collins-Rockefeller draft, Sen. Rockefeller fired off a letter to the CEOs of
every Fortune 500 corporation asking directly for their views on the programs proposed by the legislation. The move was widely interpreted as an attempt to separate the individual business leaders from the negative stance the U.S. Chamber of Commerce, the voice of business in Washington, D.C., took on the bill. The Chamber has shown no sign of softening its position on the bill in response. Also in September, the Administration, which supports the Lieberman-Collins-Rockefeller proposal, leaked a draft executive order that would unilaterally establish certain elements of the Lieberman-Collins-Rockefeller bill. Like Sen. Rockefeller’s letter, this was viewed as a negotiating tactic designed to force opponents to strike a deal. The response so far has been negative. Representative Mike Rogers (R-MI), Chairman of the House Intelligence Committee and lead sponsor of the House bill, called the order “irresponsible.” Even Sen. Collins labeled it a “big mistake.” Chairman Rogers recently tried to create some pressure of his own by hinting at emerging cyber threats that were revealed in recent classified briefings to members of Congress. He is quoted as saying “It appears to be a new level of threat. I want to be careful about what I say here, but it would target our networks from an unusual source.” He went on to state that “I think that particular briefing rekindled people’s interest in trying to get something done during the lame duck.” Of course, Chairman Rogers believes that the bill in which interest should be “rekindled” is the one passed by the House. It is unclear whether any of these maneuvers will impact the stalemate currently surrounding cybersecurity. The primary sticking points continue to be privacy concerns related to information-sharing and worries about excessive authority for federal agencies.
The House bill, officially titled the Cyber Intelligence Sharing and Protection Act (CISPA), would enable companies to share cyber threat information with each other and the government. The hope is that information sharing will lead to cooperative efforts to identify and combat cyber threats. The Senate bill, titled the Cybersecurity Act (CSA), empowers companies to share cyber threat information with each other and government agencies as well. However, CSA also grants the Department of Homeland Security (DHS) authority to set minimum security standards for certain critical infrastructure systems. As originally drafted, the standards put forward by DHS would be mandatory for certain industries. After it became clear that this approach would not win sufficient support, however, the lead sponsors made the standards voluntary and added liability incentives to coax companies to comply.
Privacy advocates, such as the American Civil Liberties Union (ACLU), prefer the protections offered by the CSA to those in the CISPA. These include provisions that require companies to report information directly to civilian customers, as opposed to military; limitations on the use of cyber threat data; and provisions that ensure personally identifying information is stripped from submissions to federal agencies. The business community is completely in favor of information sharing and liability protection but dislikes the promulgation of minimum standards, voluntary or otherwise, by the federal government. The Administration and supporters of the CSA feel that minimum standards are essential in order to ensure adequate protection of vital networks. Chairman Rogers believes that a bill along the lines of CISPA is the only plausible option at this point. He says that CISPA, and the information sharing approach it embodies, is “[t]he only bill that is bipartisan, that’s passed a committee…that has had hours and hours and hours of input from end users.” He believes that lawmakers should pass something on information sharing in the lame duck and leave any discussions about mandatory or voluntary minimum standards to the next Congress. If the Obama Administration is serious about its executive order, there is a chance that Chairman Rogers could get his wish. Supporters of minimum standards, if assured of a second Obama term and a serious effort to construct a voluntary minimum standards program through executive order, could coalesce around an information sharing-only bill in the lame duck session that follows the election as a backdoor way to get most of what they wanted in CSA. Then again, they might not and the stalemate could continue into the 113th Congress. 
About the author: Pierce Blue graduated from the Georgetown University Law School and served as a Teaching Fellow and Supervising Attorney at the law school’s Federal Legislation Clinic, where he represented nonprofit clients in their dealings with Congress and the federal agencies.
MAKING THE GRADE: INTERNATIONAL REGULATORY FRAMEWORK FOR CYBERSECURITY BY EMILY PEHRSSON
Increasing government, military, and industry reliance on the cyber domain has incentivized cyber crime and heightened the cost of internet disruptions. Many vulnerable states—such as Romania and Bulgaria—want to reduce cyber crime within their borders but lack the political will necessary to allocate sufficient funds. Current U.S. policy emphasizes unconditional assistance for vulnerable U.S. allies. This approach, however, discourages these states from prioritizing cybersecurity in their budgets and ultimately increases Washington’s fiscal burden for fighting cyber crime. To encourage vulnerable states to prioritize cybersecurity, NATO should create and administer an international Cyber Grade Framework (CGF). The primary purpose of this program is to help establish and implement rigorous international cybersecurity standards to hinder the operation of cyber crime and hacktivist groups, while more efficiently using current U.S. aid to produce greater cyber resiliency amongst its allies. The CGF would not require an increase of funding, but simply a more efficient reallocation of existing cybersecurity funds.
The CGF is based on the Thornberry Cybersecurity Task Force private-sector incentive model that seeks to encourage industry to adopt greater cybersecurity standards absent the existence of government mandates. At the international level, this model is the best approach for generating better cybersecurity standards given the political obstacles confronting compulsory international regulations. Participating states would be awarded grades based on the quality of their cybersecurity infrastructure. States that adopt a grade’s requirements would receive a set of associated incentives increasing incrementally with each security grade attained. They include access to: (1) law enforcement cyber training programs; (2) NATO cyber rapid reaction teams; (3) limited technology transfer; and (4) intelligence sharing. In addition to encouraging participating states to make cybersecurity a priority, this policy would strengthen their ties with the international community, creating a more secure global network. All states, even those not participating in the CGF, would receive baseline assistance from NATO. A team of independent cyber analysts would complete a complementary assessment of the state’s network vulnerability and the cost of intellectual property theft to the national economy. Additionally, those states would be permitted limited access to CGF cybersecurity conferences. States participating in the CGF would be granted Grade One status, the lowest of three possible grades, if they increase their cybersecurity R&D budget by 10 percent for five years. The corresponding incentives would include unlimited admittance to CGF cybersecurity conferences and access to law enforcement training programs. The aim of Grade One is to promote global innovation and rapidly enhance states’ network capabilities. Grade Two is intended to facilitate intelligence sharing and install basic law enforcement/extradition standards to allow international cybersecurity cooperation.
To achieve Grade Two, states must comply with the CGF’s security breach notification regulations and minimum extradition guidelines for cyber criminals. For states that achieve Grade Two, NATO would provide rapid reaction cyber teams following cyber incidents involving critical infrastructure, intelligence sharing, and limited technology transfer. The purpose of Grade Three is to promote cooperation between cyber law enforcement teams and military units to increase network resiliency and reduce incident response time. Grade Three states must create a cybersecurity branch of law enforcement, including a Computer Emergency Readiness Team, and engage in joint personnel training with other Grade Three states. As an incentive, states would be given the option to participate in joint military exercises with other Grade Three states and would have expanded access to NATO rapid reaction cyber teams.
NATO would administer and enforce the cybersecurity private-sector framework through a compliance organization modeled after the IAEA. This model was selected because of its applicability to a sensitive industry critical to national security. States intending to join the oversight organization must achieve one of the three cybersecurity grades and obtain a two-thirds vote from the General Conference and the North Atlantic Council. The CGF has a number of advantages over the United States’ current cyber security policies, including:
Cost Effectiveness: Rather than simply providing free technology transfers to help states update their cybersecurity systems, this policy requires states to make cybersecurity a domestic budget priority. Many of the costs of research and installation would be borne by participating states, while NATO would provide the expertise necessary to ensure the most effective practices and infrastructure are used.
Promotes International Innovation: All member states would invest in R&D, ensuring the United States and other key cyber powers will not be the only states developing new methods and technologies.
Enhances International Cybersecurity Norms: Currently international cybersecurity norms regarding cyber criminals and hacktivists are absent or vague. Implementing this framework would clarify and bolster these norms, allowing NATO to hold states to an international standard and encourage international cooperation on cyber crime issues.
Increases Network Communication Speed: In order to reach the highest cybersecurity grade, states must participate in joint training to facilitate intelligence sharing, early warning systems, and joint cyber operations. Joint personnel training would decrease response time and increase resilience of member states’ networks.
Cybersecurity is vital to preserving stability in the financial sector, military readiness, and critical infrastructure.
States must rapidly advance their cybersecurity capabilities to keep pace with growing challenges. Most states are currently at dramatically different levels of cyber capability, impeding their ability to communicate and participate in joint operations. The CGF would encourage states to prioritize cybersecurity in their budgets and meet voluntary regulations to receive security incentives. This proposal fosters innovation and facilitates the transition to a higher level of cybersecurity, cooperation, and law enforcement capability. The advancements from the CGF will create more secure global networks, capable of confronting a critical 21st century threat.
THE FUTURE OF CYBERSECURITY | 75
INFORMATION SUPERIORITY: TURNING “BIG DATA” INTO ACTIONABLE INTELLIGENCE BY ANDREW SERWIN
Information imbalances can result in events that cost people significant resources or, in extreme cases, their lives. In the public sector, threats presented by information imbalances—known as “asymmetric” threats—can have a dramatic impact on a country, as the events of 9/11 illustrate. In the private sector, information imbalances do not typically bring consequences on that scale, but they can be devastating in other ways. The military has addressed the problems of information imbalances by formulating a doctrine of Information Superiority. The challenge is that the private sector has not followed suit.

The Department of Defense (DoD) defines Information Superiority as “a relative state achieved when a competitive advantage is derived from the ability to exploit an ‘Information Advantage’,” and as “the ability to develop and use information while denying an adversary the same capability.” In other words, an Information Advantage is achieved when one competitor outperforms its competitors in the information domain. The United States Navy has been at the forefront of defining the role of information and its importance to warfighting capabilities. It compares information’s importance to the introduction of dreadnoughts, aircraft carriers, and nuclear power. The Chief of Naval Operations has elevated information to the Navy’s “Main Battery.” Part of that elevation includes the removal of sub-optimal stovepipes in exchange for “Warfighting Wholeness” involving information, as well as an increased concern with cybersecurity issues in order to protect information gathered by human and electronic means. These changes, according to the DoD, require technical and behavioral modifications to how data is collected and processed. The public sector can create similar value by gathering intelligence that can be appropriately and quickly utilized—i.e., that can be transformed into actionable intelligence.

An important element in data use and protection is the classification system. The intelligence community utilizes a system that, at its core, protects the most sensitive information by dividing it into four categories: unclassified, confidential, secret, and top secret. These categories restrict who has access to the information, and they define how it is protected. While the information’s value does not necessarily determine its classification, higher value data usually receives a higher classification, which supports Information Superiority.

The most infamous asymmetric threat experienced by the United States in recent times was 9/11. The 9/11 Commission Report makes clear that enough intelligence was gathered by the United States government that could have revealed Al-Qaeda’s plot. However, existing structures did not allow information to be shared horizontally in a superior way. The dots were not connected, allowing one of the most heinous acts of terrorism to be perpetrated on American soil. These findings prompted the public sector to rethink and revamp how it collects, processes and analyzes information. The results can be seen in recent successes in preventing other acts of terrorism.

Credit for the daring raid that killed Bin Laden clearly belongs to the Navy SEAL team that executed the mission, but that mission could not have happened without actionable intelligence pinpointing Bin Laden’s location. The intelligence community was able to connect the dots, locate Bin Laden, and provide the SEALs with the information they needed. Had reforms to information sharing structures not occurred, the intelligence that made this raid possible might never have emerged. And these reforms have likely helped the United States to avoid other attacks. The government’s new approach to Information Superiority is transferable to the private sector. But while many CEOs say that they aim to achieve an “information advantage” over their competitors, few look to the DoD’s doctrine for guidance.

As the private sector focuses more on information, it talks about cybersecurity issues, privacy, and behavioral advertising. Most companies, however, fail to recognize that the public sector has valuable research and ready-made tools that they too can use to manage information in an advantageous way. Simply put, the private sector needs to embrace the public sector’s approach to Information Superiority. By borrowing the DoD’s concept of Information Superiority, private companies can make actionable use of “Big Data.” They can learn new methods of gathering the right information and sharing it with the right people at the right time. This creates value for the organization as an Information Advantage. It achieves five important goals: it increases profit; it reduces costs; it optimizes risk; it reduces the impact of cyber-threats, such as industrial espionage; and it mitigates potential brand damage caused by information-related crises. The challenge to implementing such a system is that the private sector typically thinks of information in a narrower way. However, by broadening its view, the private sector can achieve an Information Advantage through improved analytics and risk optimization.

INCREASING PROFIT THROUGH BUSINESS INTELLIGENCE AND ANALYTICS

Concerns about information typically focus on subjects like privacy—the private sector’s attempt to limit its legal exposure in the use of consumer data. While privacy is an important issue, an exclusive focus on privacy is too narrow if one is attempting to achieve Information Superiority. Achieving Information Superiority in private business has a broader sweep. It is concerned with any information that would aid executives in making decisions that drive revenue or reduce costs, which includes, in many cases, consumer data. It also includes other forms of intellectual property and proprietary data that are not associated with consumer behavior.

For example, the customer service group in a mobile device manufacturer might have information on patterns of dropped calls resulting from a software or hardware flaw that was impossible to see until the product was deployed. Unless that information is effectively shared with the groups responsible for software patching and hardware design, a solution will not be incorporated into future updates, to the company’s detriment. The same is true for non-technology companies. For example, a hospital might be facing rising post-operative infection rates due to a faulty process. Unless that information is transformed into actionable intelligence, patient care will suffer and mortality rates will increase. An obvious example of profitability achieved through Information Superiority is presented by the dramatic shifts in the video rental industry. Established “big box” video rental businesses thrived for a long period, but consumers clearly wanted different options than offline stores. Those companies that quickly gathered information on what consumers wanted and acted on that intelligence by building new technological platforms to deliver movies online were the ones that prospered rather than perished. There are any number of examples to illustrate the importance of Information Superiority in the private sector. In the end, however, companies that proactively gather and use information, and that do so in a superior way, will necessarily perform better than their competitors. This is also true in risk management.

OPTIMIZING RISK AND REDUCING CYBER THREATS

Using information in a superior way helps companies to optimize their risk and reduce cyber threats. By following the doctrine of Information Superiority, companies can understand where their most sensitive data resides and design better protections for those systems. In the case of company-centric information, such as formulas, IP, pricing, and similar data, implementing Information Superiority concentrates protection efforts on sensitive areas susceptible to cyber-attack. In the case of protecting personally identifiable information, a consumer-centric issue, the Privacy 3.0 framework developed by The Lares Institute can be used to aid companies in assessing the sensitivity of information and how best to protect it. Similar to the intelligence community’s data classification system, Privacy 3.0 utilizes consumer survey data to create four tiers—highly sensitive, sensitive, slightly sensitive, and nonsensitive—and these tiers permit companies to assess their collection, use, and protection of sensitive data. For example, companies could place increased protections on systems that contain highly sensitive forms of data under the Privacy 3.0 model, such as Social Security numbers, passwords, financial account information, and other similar forms of information. This allows companies to focus proportionally fewer resources on less sensitive forms of information such as online purchase history, search history, and certain forms of social media data. While the threats are different, the solution for the public and private sector is the same—to reduce information imbalances that can lead to disruptive or asymmetric threats through the superior use of information, including data classification. The key question is how to implement Information Superiority in the private sector.

BUILDING A BRIDGE BETWEEN THE PUBLIC AND PRIVATE SECTOR

In order to achieve Information Superiority, to paraphrase the DoD, the private sector must engage in technical and behavioral modifications in how information is collected and processed in order to add value. The first step private companies should take is to create a governance structure, or committee, that includes key senior stakeholders from departments such as IT, privacy, human resources, audit, legal, treasury, security, and others, with the goal of increasing the horizontal sharing of information and making information the “Main Battery of Business.” Regular meetings of the Information Governance Committee will further reinforce the need to horizontally share information and implement Information Superiority in order to drive increases in revenue and to optimize risk. More importantly, the Governance Committee should have the company engage in an information inventory so that it understands what information it has, and where it resides, with the goal of informing the key stakeholders and aiding executive decision-making. Once the information inventory is complete, the Information Governance structure can help the company engage in an information classification exercise that will help identify what information is most important to the company and create better strategies for protecting it. The Information Governance structure should also be charged with creating new ways of horizontally sharing information within the company. It should also report back to senior leadership on its progress and what new activities have been undertaken as a result of the information sharing initiative. Ultimately, by using these tools, the private sector can increasingly recognize the value of information and turn it into an Information Advantage in the increasingly competitive global economy. While these seem like simple steps to take, the stark reality is that most companies have not taken them. Once these baseline steps are taken, however, there remains much more work to be done.

About the author: Andrew Serwin is CEO and Executive Director of The Lares Institute. He is also the founding chair of the Privacy, Security, and Information Management Practice and is a partner in the San Diego/Del Mar and Washington, DC offices of Foley & Lardner LLP.
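The inventory-then-classify exercise the article prescribes can be mechanized, and doing so tends to surface the sensitive data that nobody declared. The following Python is an added example, not the Lares Institute’s tooling or the author’s method: it takes a constructed information inventory, assigns each data store the highest Privacy 3.0 tier among the fields it declares, scans sample records for sensitive values that were never declared (a Social Security number pasted into a free-text notes field, a Luhn-valid card number), and maps the resulting tier to a control baseline. The four tier names and the examples of highly sensitive and less sensitive data come from the article; the field-to-tier mapping, the control baseline, the detection patterns and the sample stores are assumptions.

```python
import re
from collections import namedtuple

# Privacy 3.0 tier names as given in the article; ordered least to most sensitive.
TIERS = ["nonsensitive", "slightly sensitive", "sensitive", "highly sensitive"]

def rank(tier):
    return TIERS.index(tier)

# Assumed field-to-tier mapping. The article places SSNs, passwords and financial
# account information at the top and purchase/search history lower; the rest is ours.
FIELD_TIERS = {
    "ssn": "highly sensitive",
    "password_hash": "highly sensitive",
    "account_number": "highly sensitive",
    "card_number": "highly sensitive",
    "date_of_birth": "sensitive",
    "home_address": "sensitive",
    "email": "slightly sensitive",
    "purchase_history": "slightly sensitive",
    "search_history": "slightly sensitive",
    "product_sku": "nonsensitive",
}

# Assumed control baseline per tier (illustrative, not the article's).
CONTROLS = {
    "highly sensitive": ["encrypt at rest", "MFA for access", "access logging", "quarterly access review"],
    "sensitive": ["encrypt at rest", "access logging"],
    "slightly sensitive": ["access logging"],
    "nonsensitive": [],
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators

def luhn_ok(number):
    """Luhn checksum, used to avoid flagging every long digit run as a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def detect_sensitive(text):
    """Return (kind, tier) pairs for sensitive values found inside free text."""
    found = []
    if SSN_RE.search(text):
        found.append(("ssn", "highly sensitive"))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            found.append(("card_number", "highly sensitive"))
    return found

DataStore = namedtuple("DataStore", ["name", "fields", "samples"])

def classify_store(store):
    # Declared tier: highest tier among the fields the owner listed for the store.
    declared, unknown = "nonsensitive", []
    for f in store.fields:
        t = FIELD_TIERS.get(f)
        if t is None:
            unknown.append(f)
        elif rank(t) > rank(declared):
            declared = t
    # Findings: sensitive values living in fields declared at a lower tier.
    findings = []
    for record in store.samples:
        for fname, value in record.items():
            if not isinstance(value, str):
                continue
            for kind, tier in detect_sensitive(value):
                if rank(FIELD_TIERS.get(fname, "nonsensitive")) < rank(tier):
                    findings.append((fname, kind, tier))
    effective = declared
    for _, _, tier in findings:
        if rank(tier) > rank(effective):
            effective = tier
    return {"store": store.name, "declared": declared, "effective": effective,
            "unclassified_fields": unknown, "findings": findings,
            "controls": CONTROLS[effective]}

def inventory_report(stores):
    """Classify every store; most sensitive first so protection effort is ordered."""
    return sorted((classify_store(s) for s in stores), key=lambda r: -rank(r["effective"]))

# Constructed inventory: three stores with one sample record each (assumed data).
SAMPLE_STORES = [
    DataStore("payments", ["account_number", "card_number"],
              [{"account_number": "ACCT-0001", "card_number": "4111 1111 1111 1111"}]),
    DataStore("crm", ["email", "purchase_history", "notes"],
              [{"email": "a@example.com", "purchase_history": "sku-1,sku-7",
                "notes": "customer gave SSN 123-45-6789 over the phone"}]),
    DataStore("catalog", ["product_sku"], [{"product_sku": "sku-1"}]),
]

if __name__ == "__main__":
    for row in inventory_report(SAMPLE_STORES):
        print(row["store"], row["declared"], "->", row["effective"], row["findings"])
```

The point the run makes is the one the article argues for: the CRM store is declared “slightly sensitive”, but an SSN in an undeclared notes field pushes its effective tier to “highly sensitive”, so it inherits the same controls as the payments store. A classification exercise that only reads the data dictionary would have missed it.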
ASIA’S CYBER SECURITY BATTLEGROUND BY RYAN BURKHART
The Obama Administration has had a rough time dealing with cyber security issues. On one hand, leakers such as Bradley Manning and Edward Snowden have put classified U.S. information in the public spotlight. On the other, foreign countries have stolen billions of dollars’ worth of technical information, and have likely developed the ability to digitally and physically threaten U.S. national security.

On July 23rd, the House Subcommittee on Asia and the Pacific held a hearing titled “Asia: The Cyber Security Battleground.” Chairman of the Subcommittee Rep. Steve Chabot (R-OH) noted China’s cyber prowess, North Korean cyber-attacks, and India-Pakistan cyber competition. Further, he highlighted the high level of dependence that the U.S., Japan, South Korea, and private enterprises have on cyber technology. Witnesses at the hearing included McAfee VP and Chief Technology Officer Dr. Phyllis Schneck; CSIS Director of Technology and Public Policy Dr. James Lewis; and Mr. Karl Rauscher, Chief Technology Officer at the EastWest Institute.

Dr. Schneck’s opening remarks included details from the recent cyberattack on South Korea dubbed “Dark Seoul.” McAfee led the investigation into these attacks, named Operation Troy, finding them to be part of a four-year-long process, with the latest iteration the seventh variation of the first attack in 2009. It is McAfee company policy not to find the perpetrator, but to focus solely on defense. She advocated for a connected cyber defense that would be “similar to the human body.” Every computer in a network, she said, should be a consumer and producer of security information.

Dr. Lewis immediately criticized China’s cyber espionage activities. “While North Korean cyber activities are worrisome, China’s actions have a regional and global destabilizing effect,” he stated. He called on the American legislators not only to further engage with China on cyber issues, but for the U.S. and its Asian allies to work cooperatively on cyber defense. “The most important thing the U.S. can do to increase stability is to reach an agreement on norms for responsible state behavior,” he said. “In June 2013, a 15-nation group of experts agreed on rules for cyber security. They agreed that the UN charter applies; international law applies; state responsibility applies; and that national sovereignty is applicable in cyber space.” He concluded with a call to both China and the U.S. to work toward resolving their cyber issues.

Mr. Rauscher stated in his opening remarks that he was focused on real, tangible steps to improve cyber security. However, instead of actually presenting these recommendations, he highlighted how many governments and companies used EastWest recommendations and how many of those have actually institutionalized the practices. Unlike those of his colleagues, many of Mr. Rauscher’s statements sounded more like an advertisement for his organization’s work.

Many of the questions presented by the representatives focused on how much influence the U.S. has in developing multilateral cyber initiatives. Dr. Lewis had the most pragmatic response and recognized that treaties were probably out of reach, but agreements on norms are very possible. The panelists were in agreement that the U.S. has the preeminent offensive cyber capabilities in the world. Interestingly, they also stated that the Russians were more sophisticated than the Chinese in this respect. Dr. Lewis stated, “The reason the Russians are not in the news as much as China is because the Russians are better at it.” The panelists were confident that future, effective domestic policy measures and multilateral cooperation could create a more stable cybersecurity environment in the near term.
THE TERRIFYING PROGENY OF STUXNET BY CHRISELLA HERZOG
Stuxnet. Few know positively where it came from. It was clever enough to take down a country’s nuclear program; hidden enough to slip into Windows computers around the world before reaching its intended target; covert enough to cause massive damage before being detected; and versatile enough to be repurposed to attack again. The average malware program that causes obnoxious pop-ups runs 10 to 15 kilobytes. Stuxnet was 500 kilobytes, with lean and efficient coding. The malware created ghost files to hide itself while it was programmed to search for opportunities to spread from computer to computer until it found its intended target, Iran’s Natanz nuclear reactor. The code has been posted on forums around the world, available to all, and policymakers worldwide are fearful that a similar attack will be levied against their infrastructure.

Imagine a virus programmed to be triggered remotely, designed to covertly shut down systems while displaying business-as-normal data, planted in the United States’ electrical grid. Or flight traffic control systems. Or Wall Street. If such an attack were to occur, how should we respond? When is the threshold for the right of self-defense met? If it is met, how and against whom do we retaliate? If an underground terrorist organization, or even a rogue government organization, were to sponsor such an attack, do we declare war against the entire country? With advances in technology to reroute and hide tracking information far outstripping attribution technology, can we even be sure that the groups we point fingers at are the actual perpetrators?

Then there is the problem of the “air gap.” Due to the drop in prices and increase of space on memory sticks, it is possible to transfer malicious programs by simply smuggling a flash drive into an otherwise secure facility and plugging it into a computer. It would be impossible to tell who was in control of the originating computer, because the first traceable computer would be the first one to be infected. The air gap, or the space between computers where data has to be transferred by humans carrying it across, effectively shields a competent hacker from identification. Hacker 101 teaches that the weakest point in a network is the point at which human error and technology interact. Stuxnet was developed by someone with intimate insider knowledge of Windows and Siemens technology, and was introduced to the five gateway victim companies, from which it spread to the rest of the world, by exploiting a zero-day vulnerability that allowed viruses to sneak past Windows OS firewalls by transferring from a host memory stick to the victim’s computer. One company, although it was attacked only once, had three computers infected by the same memory stick, by users inserting it into one computer, then another, then another, oblivious to the payload it carried. The U.S. Department of Homeland Security conducted a study in which they dropped memory sticks in the parking lots of randomly targeted businesses. The numbers were astounding: 60 percent of those who picked up one of the random memory sticks responded by putting it into a company computer; if the company logo was printed on the memory stick’s casing, the number jumped to 90 percent.

CYBERWAR VS. CYBERCRIME

Just as physical violence occurs in a range of severities, from a slap on the wrist to genocide, so does cyberviolence.
A malicious program can cause annoying pop-ups; or track your keystrokes; or scan your device for personal information; or hack into secure financial sites. Hackers can cause easily repairable damage, such as the wild-romping Lulz Security that brought down the CIA’s public page and Anonymous’ DoS (Denial of Service) attacks; or their attacks can be more sinister, such as the unknown government that broke into the International Monetary Fund’s system to conduct surveillance on world financial markets. But this is not cyberwarfare – it is cybercrime, something financially motivated and that 75 to 80 percent of viruses are guilty of.

Cyberwarfare has only truly been seen in a few instances. Stuxnet was clearly an instance of cyberwarfare, but because of a chance detection before the final update, it was not completely successful. A more successful example, although perhaps one that has grown to exaggerated proportions, would be the 1982 CIA sabotage of a Siberian pipeline. According to a never-substantiated story, the CIA planted a logic bomb into software the Russians were purchasing from Canada for the pipeline, and at a preprogrammed point, valves in the pipeline began to malfunction, creating a pressure buildup that led to an explosion a fifth the size of the atomic blast over Hiroshima. In our human experience, we have little in our history to compare with cyberwarfare on Stuxnet’s scale, except perhaps Grecian and modern-day Trojan horses. Therefore, we have no norms, no venerated volume of legal decisions, upon which to base our response, and the point at which cybercrime crosses into cyberwarfare is far from clear. In the year since the purpose of Stuxnet was decoded, there has been some attention paid to creating a standard of norms, and national governments and international organizations have called for a Declaration of Cyberconduct to delegitimize attacks on civilian targets, like hospital records; however, on most legal issues swarming around this, there is still almost a complete lack of clarity.

DECOUPLING IS FUTILE

The United States, as well as most of the rest of the world, is currently in the mindset of responding to attacks as they come. And it does not take an expert in cybersecurity to tell you that this mindset is all wrong. “We’re on a path that is too predictable, way too predictable,” Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, told reporters at a Pentagon press conference. The networks of cables and fiber-optic wires that connect the world are highly fragile, far more than most people want to admit. In April 2011, an old woman in a rural area of the country of Georgia was digging for copper to sell as scrap. Her shovel sliced through a bundle of fiber-optic cabling that had become exposed by heavy rains. The entire country of Armenia, and large portions of Georgia and Azerbaijan, were without internet or television for five hours. Merely a month later, a wooden bridge in Germany was the target of an arson attack, and all the completely unprotected fiber-optic cables that ran under the bridge were destroyed. We can perhaps dream about the day when internet and television die and we emerge into the unfamiliar sunlight, but for the companies that relied entirely on internet and telecommunications for business transactions, it was a disaster. In a large scale internet outage, hospitals would not be able to access patient files, emergency first responder systems would collapse, and business would grind to a halt.

In a recent poll conducted of electricity firm executives in fourteen countries, 40 percent said they believe there will be a major attack on the power industry in the next 12 months; 30 percent believe their company is not prepared for a cyberattack. In the United States, it is quickly assumed that the Department of Homeland Security will have a plan for what the government’s response will be in case of a widespread attack and what is critical in case triage is required. They don’t. “We don’t know what we want to be when we grow up,” says Seán McGurk, Director for the National Cybersecurity and Communications Integration Center at DHS. Congress has not decided what they think is “critical infrastructure,” let alone passed along a comprehensive preparedness plan, and it is very likely they will leave it up to bureaucrats to decide.

At this juncture, something ingenious is happening in policy-making: the US government is sponsoring relationships and dialogues between the public and private sectors. Government has the broad view of policy, but private industry has the intimate knowledge of its field, and the hope is that somewhere in the dialogue between the two sectors, some kind of defense strategy will emerge. It is an idea that has had great success in the United Kingdom. Director of the Cyber Security Program at QinetiQ Anthony Dyhouse stated that companies were previously hesitant to report a cyberattack because they did not want to “air their dirty laundry in front of their competitors,” but the public-private dialogue has opened that up. Now, once one company comes under attack, with public reporting, the hope is that others will be able to lock down their systems enough to prevent a virus from spreading. No one knows for sure if decoupling in that manner will actually be possible in all sectors. A representative from Morgan Stanley related her fears to Warren Getler of the Bertelsmann Foundation that the banking system was so closely bound together that banks would not be able to decouple from each other in an attack on their systems.

The global network is terrifyingly vulnerable to a shovel spade in the wrong place and the Son of Stuxnet alike. The U.S. Department of Defense is developing defensive strategies and standard operating procedures for a cyberwar attack, and public dialogue is finally awakening to the need for comprehensive cyberdefense plans. The real question? Who wins this race: cyberdefense policy, or the Eastern European hacker with Stuxnet’s code illuminated by computer screens before her?
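The memory-stick path described earlier in this piece (one stick carried into three computers in turn, a dropped stick plugged into a company machine) leaves a trace a defender can look for: the same removable device appearing on several hosts in a short time. The following Python is an added example, not anything from the original article: it reads constructed removable-media insertion records in a simplified, made-up log format, flags any device serial that shows up on three or more hosts within 24 hours, and lists devices that are not on an approved-serial list. The log format, serials, hostnames, usernames and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an invented format: one removable-media insertion per line.
LOG_LINES = [
    "2016-03-01T09:12:03Z host=ws-eng-01 event=usb_insert serial=USB-7F3A user=alice",
    "2016-03-01T09:40:51Z host=ws-eng-02 event=usb_insert serial=USB-7F3A user=bob",
    "2016-03-01T10:05:17Z host=ws-eng-03 event=usb_insert serial=USB-7F3A user=carol",
    "2016-03-01T11:30:00Z host=ws-fin-01 event=usb_insert serial=USB-CORP-001 user=dave",
    "2016-03-02T08:00:00Z host=ws-eng-01 event=usb_insert serial=USB-CORP-001 user=alice",
    "2016-03-05T14:00:00Z host=ws-eng-01 event=usb_insert serial=USB-9B2C user=alice",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) serial=(?P<serial>\S+) user=(?P<user>\S+)$"
)
APPROVED_SERIALS = {"USB-CORP-001"}   # assumed corporate-issued device list
HOP_WINDOW = timedelta(hours=24)      # assumed detection window
HOP_THRESHOLD = 3                     # distinct hosts within the window before alerting

def parse_events(lines):
    """Parse log lines into dicts with a datetime; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def find_hopping(events, window=HOP_WINDOW, threshold=HOP_THRESHOLD):
    """Serials seen on >= threshold distinct hosts inside any window-long span."""
    by_serial = defaultdict(list)
    for e in events:
        if e["event"] == "usb_insert":
            by_serial[e["serial"]].append(e)
    alerts = {}
    for serial, evs in by_serial.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        # Slide a window starting at each insertion and keep the widest host spread.
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts[serial] = sorted(best)
    return alerts

def find_unapproved(events, approved=APPROVED_SERIALS):
    """Serials not on the approved list, with the hosts they were plugged into."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "usb_insert" and e["serial"] not in approved:
            seen[e["serial"]].add(e["host"])
    return {s: sorted(h) for s, h in seen.items()}

def analyze(lines):
    events = parse_events(lines)
    return {"hopping": find_hopping(events), "unapproved": find_unapproved(events)}

if __name__ == "__main__":
    result = analyze(LOG_LINES)
    for serial, hosts in result["hopping"].items():
        print(f"device {serial} hopped across {len(hosts)} hosts: {', '.join(hosts)}")
    for serial, hosts in result["unapproved"].items():
        print(f"unapproved device {serial} seen on: {', '.join(hosts)}")
```

On the constructed lines, USB-7F3A trips both detections (three engineering workstations inside an hour, and not an issued device), USB-9B2C is merely unapproved, and the issued USB-CORP-001 stays quiet under the three-host threshold even though it moved between two machines. The threshold is the knob to tune: lowering it to two would also flag the corporate stick, which is the right call in an environment where devices are assigned to one person.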