This is already a banner year for hacks, breaches and cyberwarfare, but the past week was exceptional.
South Carolina reported hackers attempted to access the state’s voter-registration system 150,000 times on Election Day last November—part of what former Homeland Security Secretary Jeh Johnson alleges is a 21-state attack perpetrated by Russia. And U.S. intelligence officials alleged that agents working for the United Arab Emirates planted false information in Qatari news outlets and social media, leading to sanctions and a rift with Qatar’s allies. Meanwhile, Lloyd’s of London declared that the takedown of a significant cloud service could lead to monetary damages on par with those of Hurricane Katrina.
Threats to the real world from the cyberworld are worse than ever, and the situation continues to deteriorate. A new kind of war is upon us, one characterized by coercion rather than the use of force, says former State Department official James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies.
Businesses and individuals now are directly affected in ways that were impossible in the first Cold War. In another age, the threat of nuclear annihilation loomed over everyone’s heads, but the cloak-and-dagger doings of global powers remained distinct from the day-to-day operations of businesses. Now, they are hopelessly entangled. The often unfathomable priorities of terrorists, cybercriminals and state-affiliated hackers only make things worse.
The current climate of cyberattacks is “crazy,” says Christopher Ahlberg of Recorded Future, a private intelligence firm that specializes in cyberthreats. “It’s like a science-fiction book. If you told anybody 10 years ago about what’s going on now, they wouldn’t believe it.”
In the first Cold War, the U.S., China and the Soviet Union fought proxy wars rather than confront one another directly. In Cold War 2.0, we still have those—Syria and whatever is brewing in North Korea come to mind—but much of the proxy fighting now happens online.
The result is significant collateral damage for businesses that aren’t even a party to the conflicts, says Corey Thomas, chief executive of cybersecurity firm Rapid7. Recent ransomware attacks that some analysts attribute to Russia might have been aimed at Ukraine but resulted in the shutdown of computer systems at businesses and governments around the world. Russia has denied involvement in these attacks. Botnets made of internet-connected devices, stitched together by an unknown hacker for unknown reasons, caused countless internet services and websites to become unavailable in October 2016.
The U.S. has, notably, contributed to the situation. The Stuxnet computer worm, in development by what analysts believe was a joint U.S. and Israeli team since at least 2005, physically damaged Iran’s nuclear-enrichment plant in 2009. Stuxnet was discovered a year later. In 2012, U.S. Air Force General Michael Hayden lamented that its use had legitimized sophisticated cyberattacks that do physical damage. Its source code can now be downloaded, studied—and reused.
You can think of cyberweapons as akin to biological weapons. They often spread beyond their original targets, and once they are stolen or used, their DNA—the underlying code—can be endlessly repurposed. Exploits stolen from the U.S. National Security Agency have subsequently been used in attacks such as WannaCry, which hit businesses in the U.S. and around the world. Microsoft has made this point and called for a “digital Geneva Convention.”
Attacks on businesses and individuals are often quite deliberate, says Milena Rodban, a geopolitical risk consultant who helps companies practice for cyberattacks and other crises. That’s because, more than ever, companies hold information that could be leveraged in a cyberwar.
[Photo: President Donald Trump spoke with Russian President Vladimir Putin at the G-20 summit in Hamburg, Germany, on July 7. Mr. Trump said they discussed cooperation on a cybersecurity unit. Credit: Evan Vucci/Associated Press]
“The information that Amazon is holding”—for example, data from financial institutions and government agencies stored on Amazon’s cloud—“could give someone a clear path into something really terrible that could upset national security,” Ms. Rodban says.
As a result, she adds, anyone who thinks about how to protect national security in the cyber arena must expand their definition of a national-security asset. While U.S. Cyber Command might be tasked with defending government assets, it must also consider how it will cope with the takedown of a major cloud-service provider, which in some ways is no less important than, say, the power grid.
Fixing this vulnerability could mean a great many things, from increased cooperation between government and private enterprise, to a broader role for U.S. Cyber Command in protecting U.S. businesses. The head of Cyber Command has said that government will need access to private firms’ networks if it is to help them defend against threats. The Trump administration is considering an Obama-era proposal to split Cyber Command from the NSA, so its offensive capability can be kept apart from the NSA’s mandate to gather intelligence.
In the first Cold War, the doctrine of mutually assured destruction kept nuclear-armed states from using their weapons. In the same way, China, the U.S. and Russia are held back from taking out critical infrastructure in each other’s countries, a capability experts widely believe all three have. (Look at attempts by Russian hackers to do just that in Ukraine.)
[Photo: A recent ransomware attack that some analysts attribute to Russia and that may have been aimed at Ukraine resulted in computer-system shutdowns at businesses around the world. Russia has denied involvement in the attack. Credit: rob engelaar/European Pressphoto Agency]
“What’s happened over the past year or two is nation-state capabilities have gotten into the hands of criminals,” says Mr. Ahlberg. “The bad guys picking up on these tool sets are not holding back.”
In their most dire predictions, experts claim it is only a matter of time before America is hit by a “Cyber 9/11.” Terrorists haven’t yet shut down our power grid, but how long until that capability leaks into the hands of actors who aren’t restrained by the threat of retaliation? “It’s like a suicide bomber,” says Ms. Rodban. “It’s not hard to believe this could happen on the cyber level.”
Write to Christopher Mims at firstname.lastname@example.org