Waiting Until the Cyber Damage Is Done
The cyber intrusions we face are serious. Civilian cyber-criminals inflict problems ranging from nuisances to theft, as happened at Target and Adobe. Now the curious Heartbleed vulnerability inconveniences consumers, requiring extensive password replacements. Less known but more serious are cyber-attacks by nation states, which threaten our economic vigor and the functioning of our infrastructure.
China's military-sponsored hackers appear to focus on harvesting U.S. corporate data, especially technical designs and secrets. It is hinted that computers in China attempted to take advantage of Heartbleed as well, but, while knowledge of such a flaw would be of value to a nation-state seeking to undermine foreign business and military competition, using that vulnerability to collect a few hundred consumers' identities and personal data is an act more typical of run-of-the-mill thieves.
Iranian hackers appear to focus on reconnaissance of government and infrastructure networks. The Syrian Electronic Army (SEA), meanwhile, seems to launch public attacks in retaliation for attacks against President Assad. We can expect aggressive use of Iranian hackers' intrusions to coincide with increased financial sanctions or military actions related to Iran's nuclear weapon development.
Ouroboros ("Snake") is a Russian cyber-weapon that monitors communications networks and can destroy connected computer systems. Snake was deployed into Ukraine's government networks at the beginning of 2013. It is unlikely that Ukraine can plan or coordinate military activities without Russia hearing of those plans and moves. If NATO tries to reinforce Ukraine's sovereignty, it will be important to withhold collaborative plans from compromised Ukrainian networks.
Unfortunately, nation-state attacks are both persistent and increasing in sophistication. Stern verbal warnings from our diplomats are nothing but press-release fodder. Calls for other nations to respect civil rights (as we frame them) are a pointless exercise. Foreign leaders are quick to remind us that due to NSA behaviors and Snowden's treachery, the public knows that we have lost the moral high ground.
Law enforcement seems baffled by how to stop cyber-criminals. Juniper Networks has suggested that corporations need to aggressively fight back against criminal hackers, removing the profit from attacking corporate networks. Solutions as simple as chip and PIN credit-card security will certainly help here in the U.S., as it has dramatically reduced credit-card fraud in parts of Europe.
In the end, taking the profit out of attacking corporate networks will reduce the incidence of attacks, but it will not address nation-state attacks. For these types of attacks, there is no cheap fix, and our political willingness to pay the price will develop only in the wake of painful cyber warfare.
Longer-term, preventing nation-state attacks and restoring security to our communications networks and computer systems may mean altering the Internet as we know it. It may take networks and associated hardware that are far less open, as well as limiting access and geographic coverage, using multi-layered authentication and encryption techniques, and making networks require some minimal clearance. Whatever the solution, it will probably cost a lot more.
Alan Daley writes for the American Consumer Institute Center for Citizen Research, a nonprofit educational and research organization.