The Council on Foreign Relations recently released a document that calls into question the “utopian vision” of an open, reliable and secure global network.
According to the Independent Task Force Report No. 80, such a goal “has not been achieved and is unlikely ever to be realized. Today, the internet is less free, more fragmented and less secure.”
Among its numerous claims, the document from the right-leaning think tank asserts that “[c]ybercrime is a national security risk, and ransomware attacks on hospitals, schools, businesses, and local governments should be seen as such.”
The report presents a series of findings and recommendations on how to mitigate or prevent those incursions. But like similar documents floating around in cyberspace, it has one serious flaw: It rests on the false assumption that cyberattacks on critical government structures — administration, military installations, research and infrastructure — can somehow be accurately attributed, mitigated to a meaningful degree and altogether prevented.
That’s because the three pillars of cyber defense — attribution, mitigation and prevention — are misinterpreted, and the entire structure built upon them is inadequate.
Let’s start with attribution. To successfully prevent, mitigate and retaliate against an attack, one must first ascertain its origins.
Although government agencies and security firms do their utmost to convince you otherwise, it’s actually not easy — and sometimes impossible — to accurately attribute an attack to an individual or a country.
Hackers use sophisticated methods to obfuscate their identities, often piggybacking on other hackers’ work, creating or activating botnets and abusing exploits in target systems.
Fingerprinting — that is, identifying the tactics, techniques and procedures (TTPs) used by attackers — is one of the most commonly used methods to indirectly determine the origin of an attack. That approach, however, relies on the assumption that hackers rarely change their MO or the tools of their trade as they probe for vulnerabilities and execute attacks. This may be the case with newbies, but not so much with professional malicious actors.
In one of the most recent attacks, allegedly Russian hackers used Iranian infrastructure, tools and methods to launch attacks, sidetrack defenses and obscure their identities. As hackers adapt and upgrade their procedures, fingerprinting becomes less and less reliable.
Furthermore, even though governments wield considerable resources to track down the attackers, they fight an uphill battle against numerous, elusive adversaries. It takes considerable effort — both financial and time-wise — to identify the source of an attack.
On the other hand, it doesn’t take much of an effort for an individual hacker — or more often a group — to launch an attack. Any infrastructure they require in their work is minimal, and there are plenty of tools, exploits and connections to expedite their efforts and cover their tracks while doing so.
Furthermore, the most successful attacks on government infrastructure aren’t single-pronged. They rely on multiple vectors of attack — from brute DDoS (distributed denial-of-service) to exploits, social engineering and botnets.
As Internet-of-Things (IoT) infrastructure proliferates, hackers gain even more entry points from which they can infiltrate networks and plant digital listeners and malicious code to execute complex attack patterns.
So it’s not only extremely hard to accurately attribute an attack, but also impossible to register and react to a parabolic growth of attacks, as the attack surface increases exponentially due to the hyper-digitalization trends of the modern world.
What about mitigation or, even better, prevention?
Attribution and defense usually come as a response to an already executed attack. At that point, substantial damage has already been inflicted, and the focus is on cutting off the attacker from the infrastructure, determining the level of damage inflicted and hardening security for the future. As such, mitigation is negligible.
Prevention is (almost) impossible in this time and age due to the trend of enhancing every piece of analog equipment with an automated, digital, hooked-to-the-internet listener device, which creates wonderful opportunities for hackers.
It empowers them to exert their influence over an item that was inert and impervious in the past. Once they’ve gained access to the device, hackers can eavesdrop on conversations, log activity, launch attacks, relay communication … the possibilities are endless.
While useful, patching devices to prevent exploitation is never a cure. After all, who can guarantee that the patch itself doesn’t contain a hidden backdoor for hackers if the software distribution center gets hacked? Preventing such attacks in a digitally dominated environment is like trying to plug all the holes in Swiss cheese; the more devices we hook up globally, the more holes are added to the proverbial cheese.
One final remark needs to be added here: We’re not talking about hacking, phishing and spying on citizens and privately owned companies. We’re talking about governments and government-related infrastructure of the highest importance: nuclear command, control and communications (NC3 system), expensive energy infrastructure, research facilities with valuable data and intelligence data repositories.
Infrastructure that is so important that we must speak in absolutes — full prevention and mitigation, complete and correct attribution. Unfortunately, these absolutes are unattainable in this modern day and age.
The ideas — especially those mentioned in the CFR document — I see floating around do not solve the problem. Instead, they have the potential to lead to cyberterrorism as an excuse to instill even more control and censorship.
If we truly want to address the issue of cybersecurity, we need to return to the infrastructure that is impervious to digital manipulation: analog. Even air gapping can be circumvented, but a lever can only be pulled by a human. Meaning: All key points in crucial parts of risk-critical infrastructure need to be analog.
There are risk factors here as well, as humans can be malicious, bribed or manipulated, but they’re outside the digital domain and fall into another category of national security.
What about systems that absolutely need to remain digital? Their importance should be assessed against their level of vulnerability.
All commonly used preventive measures need to be taken, but it should be clear that these systems will remain vulnerable. And it bears repeating: These measures should have nothing to do with “fragmentation of the internet” or forcing internet service providers to oust malicious actors based on faulty and unreliable data.
Instead, two-factor authentication, encryption, cybersecurity hygiene and education, and more should provide a reasonable level of security.
Everything else is misdirection.