Last week, I attended the International Conference on Cyber Security (ICCS 2012) at the Fordham University campus in New York. This is the third iteration, which is a joint venture by the US Federal Bureau of Investigation (FBI) and Fordham. The three-day event brought together hundreds of experts from law enforcement, military intelligence, academia, and the private sector for more than 50 presentations covering a wide array of topics. I attended as part of IPI’s expanded focus on cyber security, part of IPI’s ongoing work on transnational organized crime through our Coping With Crisis program.
Topics ranged from practical applications of network security to field experience in prosecuting international cybercrime to emerging threats and techniques of malicious actors. In the interest of brevity, I’ve teased out a few broad themes, though interested readers can find the full list of speakers, biographies and abstracts here.
• Cyber Realpolitik: The virtual world is becoming more of a highly-contested space. The US Department of Defense followed along this reasoning when they declared cyber the fifth domain of warfare in 2011 while initiating US Cyber Command as a sub-unified command under US Strategic Command. Cyber security shares the characteristics of other global threats such as transnational organized crime and nuclear proliferation: they have a transnational and overlapping nature; involve a myriad of technical issues; and require international cooperation to create a framework of norms and institutions to deal with the threat.
Unfortunately, this last need seems to be unrealized at the moment. At this juncture, nation-states are more apt to talk in terms of realist competition as opposed to multilateral cooperation. This will need to change if we are to keep conflicts and actions from moving from the virtual to the kinetic. There are lessons to be learned from similar processes, both as formal diplomacy as well as Track II methods.
• Movement From Defensive to Offensive Posture: Somewhat related was talk of the need for firms to move from a defensive posture of maintaining the security perimeter towards a more offensive posture. At the most fundamental level, this runs headlong up against the problem of attribution. High-value targets such as the Pentagon and multinational corporations can face millions of unique attacks per day. Many of these attacks utilize anonymizing software such as TOR or botnets to covertly infect hundreds to hundreds of thousands of computers owned by unknowing users. If an offensive posture means remotely disabling or destroying computers and webservers, the possibility of collateral damage looms large. This is especially problematic as offensive hacks against misattributed networks are not likely to have much long-term positive effect.
Regardless of offensive posture, the capabilities of governments to detect intrusion needs to be improved. Because a fruitful attack is much more useful if it remains undetected, malicious actors tend not to advertise success. Many attacks go months without attention, giving hackers a back door for information extraction and surveillance. As an alternative, one speaker proposed the need to move away from the protection of networks towards protecting data. This kind of thinking seems to be behind the efforts of Singapore to position itself as a trusted data hub.
• Internationalization and Criminalization: While many of the early hackers were essentially hobbyists, malicious activity in the virtual world is increasingly becoming the domain of organized crime and nation-state actors. Early hackers were essentially motivated by bragging rights. But, as more and more economic activity has moved to the networks and the Web, it was only a matter of time before criminals found a way to monetize these skill sets. Much of the commentary about the dismal state of web security tends to leave out its cat-and-mouse nature. Hacker innovation is, to a large degree, a response to security innovation. Since there are a multitude of networks that are insecure, securing a network even minimally is usually enough to discourage hacktivists and weekend warriors who would then just move on to a more insecure target. Unfortunately, organized criminal networks do have the resources to sink into “owning” a system. For these groups, the financial pay-off can be more than enough to make sense from a cost-benefit standpoint. Likewise, nation-states are willing to undertake the effort necessary to breach security. Successful attacks can yield intelligence, industrial espionage, and, more recently, bring down physical infrastructure, such as Stuxnet. And once these hacks are out there, there is little limit to distribution and proliferation to both state and non-state actors.
• Next Wave: The conference was full of descriptions of future challenges in the virtual world, one being with mobile technology. As with the move from desktops to web servers that created vulnerabilities, mobile technology offers a relatively insecure platform for invasive attacks. Innovations such as mobile banking have not been matched by a robust security framework and offer fertile ground for stealth theft.
Another concern is the proliferations of embedded web servers in household and office appliances–think VoIP phones and photocopiers; both are relatively insecure out of the box, and system administrators often do not do much to increase security. Another area is the state of security for systems that are newly web facing. This is most troubling with supervisory control and data acquisition (SCADA) systems. These are the command systems for many industrial processes and physical infrastructure. Unfortunately, these systems have not traditionally had to deal with the same network intrusion threats that other systems deal with on a daily basis and are thus relatively easy to hack. As these vulnerabilities become known, exploitation by organized criminal networks, terrorists and even nation-states will become a very real possibility. This would be…very, very bad.
However, one should not slip into hopelessness. The current state of things is not all bad. Smart people are trying to solve these problems, and that is a promising state of affairs. The private and public sectors are beginning to communicate better, and law enforcement has become much more cognizant of the threat in recent years. There is also space–a lot of space–for international cooperation. The topic of harmonization of legal frameworks came up again and again during the discussions. This seems well suited to UNODC, though there was little indication that US law enforcement recognized UNODC’s interest.
The issue of cyber security is not going away. It definitely is a complicated and technical problem, but one that seems ripe for international cooperation. As one defense analyst said to me, “Hey, it can’t be much harder than nuclear weapons.”
Chris Perry is a Senior Policy Analyst at the International Peace Institute.