Cyberwarfare Threat

October 6, 2017 – Volume 27, Issue 35
Do hackers pose a danger to national security? By Patrick Marshall


The website of Britain's National Health Service notifies users of online problems caused by a global cyberattack that originated in Ukraine earlier this year. The attack hit more than 65 countries, raising new concerns about whether the United States should act more aggressively against cyberattacks that could change election tallies or disable power grids and key military infrastructure. (Cover: AFP/Getty Images/Daniel Leal-Olivas)

The next major conflict between world powers may not begin at sea or along a disputed border, but in cyberspace. In the past decade, hackers have targeted voting systems in the United States, electrical grids in Ukraine, uranium enrichment facilities in Iran and hospitals, universities and major corporations around the world. The attacks have focused new attention on whether the United States is acting quickly enough to protect computer networks serving critical infrastructure, from military bases to power plants. Cybersecurity experts say companies holding sensitive data are particularly vulnerable to digital attacks, such as the recent hack of the Equifax credit reporting agency that potentially affects 145.5 million U.S. consumers. The United Nations is working to develop international rules for cyberwarfare, but the effort faces major hurdles, including deciding how even to define a cyberweapon. Allegations that Russia used social media to disrupt last year's presidential election are another focus of concern as the United States prepares for the 2018 congressional elections.



On June 27, technicians at the defunct Chernobyl nuclear power plant in Ukraine noticed that the computers monitoring lingering radiation at the plant, destroyed in 1986 by a massive reactor explosion, had stopped working. The same day, ATMs shut down in Ukraine's capital city, Kiev. More than 4,000 miles away in the United States, workers at pharmaceutical giant Merck and Co. found themselves unable to make important vaccines.1

The disruptions had a common source — a computer virus that began in Ukraine and spread around the world, crippling more than 12,000 networks and devices in 65 countries. The cyberattack initially appeared to be ransomware, which encrypts digital data and demands payment for decrypting it. But researchers affiliated with NATO said the attack was primarily a “declaration of power” designed to destroy information, not extract ransom.2

They also said the attack likely was launched by a government or with backing from a government, raising the possibility that it could be considered an act of war. Ukraine has blamed Russia, but the Kremlin has denied involvement.3

Cybersecurity experts point to such attacks as evidence that future wars likely won't begin on land, at sea or in the air but instead in cyberspace.4

The rise of digital weapons as a major geopolitical threat raises new concerns about whether the United States should act more aggressively to protect itself from cyberweapons that could change election tallies, shut down power grids or disable key military infrastructure. The United States has powerful digital weapons that some cybersecurity experts say will deter attacks by other countries. U.S. intelligence officials, however, say cyberattacks pose more of a threat to the country than terrorism.

President Trump has proposed several actions to bolster the country's cyber capabilities, including giving increased independence to the U.S. Cyber Command and ordering strengthened cybersecurity for federal networks and critical infrastructure. “The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries,” Trump said. (Getty Images/Chip Somodevilla)

“In 2013, ‘cyber’ bumped ‘terrorism’ out of the top spot on our list of national threats,” then-Director of National Intelligence James Clapper said last year. “And cyber has led our report every year since then.”5

Protecting computer networks also is important at companies that make weapons systems or other products and services important to national security. But those companies oppose proposals to make their computers more secure through government regulation. Some cite prior bad experiences working with the government on cybersecurity. Others cite a desire to avoid red tape.

Recent cyberattacks have also inspired calls for international agreements to limit the militarization of cyberspace, but critics of the idea say limiting the use of cyberweapons is virtually impossible because computer code cannot be monitored the same way conventional weapons are.

Some cyberattacks target democratic institutions, mounting “influence campaigns” that exploit social media to spread fabricated information disguised as news, says Herbert Lin, a senior research scholar for cyber policy and security at the Hoover Institution, a conservative think tank at Stanford University.

“Cyber-enabled information warfare is an existential threat to society as we know it,” says Lin. “It is people trying to advance the idea that there is no such thing as truth — that truth doesn't matter. There is no shared basis for understanding anymore. Is that a threat to society? You bet it is.”

The cyberattack that started in Ukraine in June was just one of a number of such incidents in recent years:

  • In May, a ransomware attack disabled hundreds of thousands of computers in more than 150 countries, disrupting operations at hospitals, universities, manufacturers and government agencies. The attack apparently used information stolen from the supersecret U.S. National Security Agency (NSA). FBI officials have noted that such attacks can disrupt the manufacture of electrical components, computer chips and other products important to national security.6

  • In December, a cyberattack cut about 20 percent of Kiev's electricity supply. Ukraine blamed Russia, saying the Kremlin has waged a “cyber war” against Ukraine since Russia annexed Crimea in 2014 and fighting broke out between Ukrainian forces and pro-Russian separatists in eastern Ukraine. “You can't really find a space in Ukraine where there hasn't been an attack,” said Kenneth Geers, a NATO ambassador who focuses on cybersecurity.7

  • In the United States last year, “Russian government cyber actors” tried to hack into voting systems in 21 states ahead of the presidential election, according to Department of Homeland Security officials. Officials say Russia also used social media, including Twitter accounts and $100,000 in Facebook ads, to distribute propaganda aimed at widening political divisions in the United States as part of a larger campaign to promote Donald Trump's presidential candidacy. And intelligence officials say hackers linked to Russia stole emails from the Democratic National Committee (DNC) and others that they later released in hopes of damaging the candidacy of Trump's opponent, Hillary Clinton.8

  • In 2014, hackers broke into computers at Sony Pictures, stealing unreleased movies and making them publicly available. U.S. officials blamed North Korea, saying Pyongyang was retaliating for a Sony comedy, “The Interview,” that depicted the assassination of the country's leader, Kim Jong-un. A year earlier, South Korean media reported that Kim had called cyberattacks a “magic weapon.”9

  • In 2014, hackers broke into the computer network for South Korea's nuclear power plants, stealing what government officials said was “non-critical” data. And in April 2016, computers at a nuclear power plant in Germany were found to be infected with viruses.10

  • A 2015 report by Chatham House, a think tank in London, said cybersecurity risks at nuclear power plants are increasing as the plants “become increasingly reliant on digital systems and make increasing use of commercial ‘off-the-shelf’ software.”11

  • Western military officials said recently that Russia has been hacking into the personal smartphones used by NATO soldiers to gain operational information, assess troop strength and intimidate the soldiers. Some officials worried that compromised cellphones could be used to create confusion and slow NATO's response to Russian military action in a crisis.12

The bar graph highlights the percentage of Americans who view Russian hacking as a threat to future U.S. elections.

A majority of Americans believe Russian hacking in the 2016 presidential election means Russia poses a threat to future U.S. elections, though fewer than half view the threat as major.

Source: Laura Santhanam, “New poll: 54% of Americans think Trump's dealings with Russia were unethical or illegal,” PBS News Hour, July 6, 2017.

Data for the graphic are as follows:

| Response | Percentage who view Russian hacking as a threat to future U.S. elections |
| --- | --- |
| Major Threat | 47% |
| Minor Threat | 20% |
| No Threat at All | 13% |
| Russia Was Not Involved in 2016 election | 12% |
| Unsure | 7% |

Intelligence officials warn that the stakes in cyberwarfare are high.

“The breadth of cyberthreats posed to U.S. national and economic security has become increasingly diverse, sophisticated and serious, leading to physical, security, economic, and psychological consequences,” Clapper, then-Undersecretary of Defense for Intelligence Marcel Lettre and Navy Admiral Michael Rogers, director of the NSA, said in a rare joint statement to Congress in January.13

Cyberthreats are as varied as the devices connected to computer networks, and cybersecurity experts say the most important weapons systems in the U.S. military's arsenal could be at risk. In 2010, for example, after President Barack Obama ordered his administration to find out if there were security flaws in the systems that manage U.S. nuclear missiles, investigators found deficiencies that could have allowed hackers to shut down the missiles' flight guidance systems.14

In June, captains of commercial ships in the Black Sea reported that their GPS navigation systems were incorrect by about 20 miles. Navigation experts later concluded the systems were being “spoofed,” or fed false signals, and some experts attributed the incidents to Russian hackers.15

Federal computer networks were accessed by hackers or infected with malware — software intended to damage or disable computer networks — about 30,000 times between Oct. 1, 2015 and Sept. 30, 2016, the Government Accountability Office (GAO), the investigative arm of Congress, reported in June. The agency also said the vulnerability of Defense Department computer networks “has grown significantly.”16

On Sept. 20, the Securities and Exchange Commission, an independent federal agency that regulates Wall Street, revealed that hackers exploited a software vulnerability last year to breach agency computers. And in February 2016, a hacker released online the names and contact information of 29,000 Department of Homeland Security and FBI employees.17

Computers at other federal agencies also have been targeted by cyberweapons. A 2016 GAO survey of 24 federal agencies found that 18 with “high-impact” computer systems — those containing information that, if lost, could cause “catastrophic harm” — identified cyberattacks by foreign nations “as the most serious and most frequently occurring threat to the security of their systems.”18 Such attacks may seek to gather information on weapons systems, political strategies or economic plans.

Concerns over private companies' digital security focus on those serving critical sectors such as banking, utilities and government contracting. Potential threats include ransomware that can shut down computer networks or destroy their data, and computer viruses that can shut down power grids.

“The private sector has been really slow to adopt basic cyber hygiene practices,” says Ryan Maness, an assistant professor in the Defense Analysis Department at the Naval Postgraduate School in Monterey, Calif. Fifty-seven percent of companies surveyed by the insurance industry said they were targeted in a cyberattack in the past year, and 42 percent reported at least two attacks.19

Such findings have prompted demands for federal regulations to improve cybersecurity in the private sector. “There is clearly a bigger role for government,” says Peter W. Singer, a strategist and senior fellow at the left-of-center New America think tank in Washington. Government requirements, he says, would ensure that private companies achieve “more than just aspirational goals” in protecting their networks.

President Trump has issued a strong call for building up the country's cyber capabilities. On Aug. 18, he said he would make the U.S. Cyber Command, the Pentagon's offensive cyberwar unit, a “Unified Combatant Command,” a plan originally proposed by the Obama administration. The move will not be final until the Senate confirms someone to run the Cyber Command, which is currently headed by Rogers at the NSA.

Trump's decision will give Cyber Command the same status as organizations that oversee military operations in the Middle East, Europe and the Pacific. Cyber Command is currently under the U.S. Strategic Command, one of the military's nine unified commands.20

“The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries,” Trump said in a statement.21

Some of Trump's other actions on cybersecurity have been more ambiguous. He has, for example, repeatedly questioned reports by his own intelligence agencies that Russia used cyberweapons to influence the presidential election.22 And former FBI Director James Comey, whom Trump fired in May, testified in June that Trump showed no interest in preventing future election interference by Russia.23

As experts and policymakers consider the threat of cyberattacks, here are some of the questions they are asking:

Does cyberwarfare pose an existential threat to the United States?

Sen. John McCain, R-Ariz., chairman of the Senate Armed Services Committee, warned in May that “glaring gaps in our national cyber policy, strategy and organization undermine our ability to defend the homeland and deter those seeking to undermine our national security in cyberspace.”24

Intelligence officials have made similar comments. In their joint statement to Congress in January, Clapper, Lettre and Rogers warned that more than 30 nations are developing offensive cyberattack capabilities and that “the proliferation of cyber capabilities coupled with new warfighting technologies” will increase the incidence of cyberattacks.

What's more, they said, a cyberattack targeting the private sector or U.S. infrastructure could escalate quickly and involve not just national security and military officials but corporations, “blurring the distinction between state and nonstate action. Protecting critical infrastructure, such as crucial energy, financial, manufacturing, transportation, communication, and health systems, will become an increasingly complex national security challenge,” they said.25

Hackers linked to Russia already have created a cyberweapon that can bring down power grids. The malware, called “CrashOverride,” was used in the December cyberattack that shut down one-fifth of the electric power in Kiev.26

Kaspersky Lab, a global cybersecurity company in Moscow that makes anti-virus software and defends computers against digital attacks, said that during the first six months of 2017, it blocked attempted attacks on 37.6 percent of customers' computers operating machinery at plants providing water, power, gas and other critical services.27

The graphic shows the top 10 countries by percentage of industrial control system computers attacked.

Vietnam had the highest percentage of industrial control system computers hit by cyberattacks during the first half of 2017, according to a survey of the computers the cybersecurity company Kaspersky Lab has been hired to protect.

Source: “Threat Landscape for Industrial Automation Systems in H1 2017,” Kaspersky Lab, Sept. 28, 2017.

Data for the graphic are as follows:

| Country | Percentage of Industrial Computers Attacked |
| --- | --- |
| Vietnam | 71% |
| Algeria | 67.1% |
| Morocco | 65.4% |
| Indonesia | 58.7% |
| China | 57.1% |
| India | 56% |
| Iran | 55.3% |
| Saudi Arabia | 51.8% |
| Egypt | 51.6% |
| Peru | 50.8% |

Kaspersky itself is controversial. On Sept. 14, the Trump administration ordered federal agencies to remove the company's products from their networks based on concerns that the firm has close ties to the Kremlin and that using its software could jeopardize national security. The company has rejected those assertions.28

Singer says that while a cyberattack targeting infrastructure could paralyze the U.S. military and economy, “for it to be a Pearl Harbor equivalent as opposed to a 9/11 shock” would require an enemy to follow it up with an invasion using conventional arms.

Such a scenario unfolded in 2008 when computer networks in Georgia were hit with cyberattacks weeks before Russia invaded the country by land, air and sea. Cyberwarfare experts say the incident marked the first time a known cyberattack was followed by a war using conventional arms. Georgia blamed Russia for the cyberattacks, but Russian officials denied responsibility.29

Maness at the Naval Postgraduate School said it is unlikely Russia would target the U.S. power grid the same way it did in Ukraine in December. “I think they would think twice about that because of our own power,” he says. “There are these kind of red lines not to be crossed, at least among the major powers.”

However, some countries — North Korea, for example — are less likely to be intimidated by U.S. cyberweapons. “North Korea knows it can target the information architecture that developed economies rely on without fearing any direct, symmetrical response,” Brian R. Moore, then a resident fellow at the Center for Strategic and International Studies, a bipartisan Washington think tank, and Jonathan R. Corrado, an Asia analyst at McLarty Associates, an international strategic advisory firm in Washington, wrote in June. “The isolated nation already suffers regular blackouts, nearly nonexistent internet access, and a disconnected, cash-based financial system. It thus stands to lose much less in cyberwarfare, increasing the regime's appetite for online conflicts.”30

Demonstrators at the 2016 Democratic National Convention in Philadelphia on July 25, 2016, protest the hacking of Democratic National Committee emails. U.S. intelligence officials say hackers linked to Russia stole the emails and later released them in hopes of damaging the election chances of Democratic presidential candidate Hillary Clinton. (AFP/Getty Images/Patrick T. Fallon)

Michael Sulmeyer, director of the Cyber Security Project at Harvard University's Belfer Center for Science and International Affairs, says U.S. policy on cyberwar should not rely on deterrence — the belief that other countries are so afraid of the United States' arsenal of cyberweapons that they would never target U.S. military or national security networks in a cyberattack. Instead, he says, “we need to focus much more on making ourselves harder to hack.”

Jason Healey, a senior research scholar at Columbia University's School of International and Public Affairs, warned Congress in March that “there is actually very little evidence of adversaries being deterred by an opponent's fearsome cyber capabilities. But there are many examples, especially between the United States and Iran, where capabilities and operations have led to escalation.”

An example of such escalation occurred in 2012, when a group backed by Iran disabled websites at U.S. financial institutions. That cyberattack was viewed as retaliation for a 2010 attack by the “Stuxnet” computer virus — thought to have been developed by the United States and Israel — that damaged Iranian centrifuges used to enrich uranium.31

Other cybersecurity experts say deterrence is still important even if it is not the sole answer to cyberthreats. “When we try to deter crime with locks on our doors or signs in the window that say, ‘Protected by alarms,’ or by police cruisers that go by, it doesn't stop all crime, but without it you would have a lot more,” says Joseph Nye, a former assistant secretary of Defense for international security affairs. “That's true with cyber actors as well.”

John Arquilla, who teaches defense analysis at the Naval Postgraduate School, said cyberattacks by themselves are not an effective strategy in war. “Think about aerial bombing,” he said. “Societies have been standing up to it for the better part of a century, and almost all such campaigns have failed … If highly destructive bombing hasn't been able to break the human will, disruptive computer pinging surely won't.”32

Should the U.S. government regulate private-sector cybersecurity?

Private companies own and operate more than 90 percent of U.S. cyberspace infrastructure and would be “the first line of defense” in a cyberwar, according to the Defense Department's 2015 cyberstrategy report.33

However, federal officials have largely avoided issuing regulations to make private-sector computer networks more secure. Exceptions include a 1996 law that imposes requirements on the handling of health care data and a 1999 law that does the same for financial data.

Instead, the government has encouraged private companies to voluntarily improve their cybersecurity practices. “The majority of intrusions can be stopped through relatively basic cybersecurity investments that companies can and must make themselves,” the Defense Department's 2015 report states.34

Since then, however, private companies and organizations have been hit with major hacking and malware attacks.

  • Equifax, the credit reporting agency, said in September that hackers had taken advantage of a flaw in its software to steal personal information on up to 145.5 million people, including names, Social Security numbers and birth dates. The source of the hack is still unknown. Equifax knew two months before its network was hacked that a patch was available to fix the software flaw, but the company did not install it, according to the industry group that discovered the flaw.35

  • Last year's hack at the SEC targeted the agency's system for storing documents filed by publicly traded companies. SEC Chairman Jay Clayton issued a statement saying the breach “may have provided the basis for illicit gain through trading.” He also said the agency acted quickly to patch the software vulnerability that the hackers exploited.36

  • In June 2016, a cybersecurity firm hired by the Democratic National Committee said DNC computers had been hacked by groups linked to Russian intelligence. A blogger called Guccifer 2.0 responded by saying he alone was behind the hack and claimed to have passed along thousands of files to WikiLeaks.37

  • On Oct. 3, Verizon Communications said a previously disclosed digital attack on Yahoo that took place in 2013 affected all 3 billion of Yahoo's user accounts, making it the biggest known breach of a company's computer network. Verizon acquired Yahoo earlier this year. In September 2016, before the acquisition, Yahoo disclosed a separate attack in 2014 in which “state-sponsored” hackers stole personal data on more than 500 million of the internet company's users.38

In March, U.S. law enforcement authorities charged two Russian intelligence officers with running the 2014 operation. Federal prosecutors said the Russian government used the stolen data to spy on White House and military officials, bank executives, Russian government officials and others. Investigators believe the attackers behind the 2013 attack were also Russian and possibly linked to the Russian government.39

Acting Assistant Attorney General for National Security Mary McCord announces the filing on March 15, 2017, of criminal charges in the 2014 theft of personal data on more than 500 million Yahoo users. Federal prosecutors charged two Russian intelligence officers with running the operation and said the Russian government used the hacked data to spy on White House and military officials, bank executives, Russian officials and others. (AFP/Getty Images/Brendan Smialowski)

Last year, the Commission on Enhancing National Cybersecurity, created by President Obama to tighten cybersecurity in government, business and society, called for the “public and private sectors to collaborate on cybersecurity activities.”40

Singer of New America and other cybersecurity experts say that's not enough. The “code of conduct” that federal officials have proposed to improve private-sector cybersecurity has “less power than a code of conduct at a country club,” Singer says. “What we have right now is a series of aspirational standards but not enough to backstop them.”

Arquilla at the Naval Postgraduate School says the government should regulate how private companies protect their computer networks the same way it regulates how they protect workers from on-the-job injuries. “The government is involved in so many areas of physical safety, it takes just a small leap to understand that the government should also have a role in cybersecurity,” he says.

Lin of the Hoover Institution, who served on Obama's cybersecurity commission, disagrees. He says the commission was “very, very wary of explicit regulation” of the private sector, although it never ruled out the possibility. “The market has failed to provide the U.S. with the cybersecurity that it needs,” says Lin. “But there are many steps to be tried before imposing regulations.” He specifically suggests voluntary programs to help companies improve cybersecurity, as well as holding companies liable for damages resulting from improper security practices.

Not surprisingly, companies generally oppose government regulation of their computer networks. Ann M. Beauchesne, vice president of national security and emergency preparedness at the U.S. Chamber of Commerce, said private companies should spend their money protecting their computer networks “instead of dedicating those resources to dealing with red tape.”41

Many companies say their experience with federal agencies has taught them to distrust government “cooperation” with the private sector. That's especially true of tech companies that have been pressured by the NSA to equip their products with “backdoors” — hidden openings in encrypted software that allow investigators to monitor data for activity that might threaten national security. Critics of the practice say it is an invasion of privacy and undermines public confidence that encrypted data is secure.42

Companies and consumer groups also have criticized the NSA's practice of collecting vulnerabilities in commercial software that the agency might someday want to use to access users' data — without telling companies about those vulnerabilities so they can be fixed. “If the government does not disclose to software companies the vulnerabilities that it obtains, then both public and private systems will be put at risk,” according to the Electronic Privacy Information Center, a public-interest research group in Washington.43

Insurance companies also play a role in cybersecurity by setting minimum standards that private companies must meet to qualify for coverage against network breaches. But half of companies in the United States are not insured against hacking, and 27 percent of executives at those companies say they have no plans to buy such insurance.44

Singer says Congress could help lessen the risk by developing standards and requiring federal agencies to share cyberattack data with insurers. “One of the challenges for the cybersecurity insurance industry is that things are defined in and interpreted in different ways in different locales,” Singer says.

He also says companies should hold software and hardware vendors accountable — through litigation — for losses stemming from vulnerabilities in their products.

Sulmeyer, at Harvard's Cyber Security Project, agrees, saying software and hardware makers have never been held accountable for data security during the 30 years they have been doing business.

Microsoft security architect Roger A. Grimes, however, says that is the wrong approach. “All software has bugs and all software has security flaws,” he wrote recently. Such potentially huge liability would scare off potential investors in software and hardware firms, he said, and “you'd end up with fewer corporations, fewer jobs, and less innovation.”45

Should the international community pursue agreements governing cyberwarfare?

In February, Microsoft President Brad Smith noted an alarming increase in cyberattacks around the world and called for a “Digital Geneva Convention” — an international treaty that would establish rules for what targets and retaliatory actions would be considered legitimate in a cyberwar. “The time has arrived,” Smith wrote, “to call on the world's governments to implement international rules to protect the civilian use of the internet.”46

Smith said such a convention should ban countries from launching cyberattacks against tech companies, the private sector or critical infrastructure. “Even in a world of growing nationalism, when it comes to cybersecurity the global tech sector needs to operate as a neutral Digital Switzerland,” Smith wrote. “We will assist and protect customers everywhere. We will not aid in attacking customers anywhere. We need to retain the world's trust.”47

Lin at the Hoover Institution applauds Smith's proposal. “It adds a private-sector voice to this and it's a good thing to have that in the debate,” he says. “I'm afraid that in the merits of it, I think that it's going to be really, really hard to do, and actually probably impossible. But that doesn't mean it shouldn't be discussed.”

James Carlini, a cybersecurity consultant in Illinois, agrees the chances for an effective cyberwarfare treaty are slim. “Cyber weapons are not part of the Geneva Convention, and the way they are used now, I highly doubt there will ever be a consensus to sign away their latest capabilities,” he wrote in August. “To think everyone is going to come to a consensus to limit them or restrict them to only certain areas is ludicrous.”48

Even advocates for a treaty agree that cyberwar can't be managed like conventional warfare or nuclear weapons.

“You can't outlaw a cyberweapon because you don't know what is a weapon,” says Nye, the former Defense official. “It depends on the intention of the user. So you really can't prohibit cyberweapons in a verifiable way.”

Arquilla of the Naval Postgraduate School agrees. “Information technology is all dual use, so you can't keep the ability to engage in cyber warfare out of people's hands,” he says.

Existing international laws apply to cyberspace, but it's unclear which cyber activities would qualify as military attacks or use of force. “There is a gray area since a cyberattack can cause disruption without causing destruction or casualties,” James Lewis, a senior vice president at the Center for Strategic and International Studies think tank, told Congress in 2015.49

Michael N. Schmitt, an international law professor at the Naval War College in Rhode Island, says countries “are seemingly hesitant to state where the legal lines in the sand are” regarding cyberwarfare. “It hurts deterrence,” he says. “It encourages states to exploit gray areas. We should be really nervous, because as we develop these capabilities we don't know the rules of the game.”

Congress is also apparently nervous about the legal status of cyberwarfare. It approved legislation last year that requires the Trump administration to spell out within a year which cyberspace activities would qualify as acts of war against the United States.50

Schmitt says reaching consensus won't be easy. “When does a remotely conducted cyberoperation into a country violate that country's sovereignty?” he says. “The lawyers are all over the map on that.”

His own view, he says, is that any action that damages a country's cyber infrastructure — including government computer networks and private-sector networks — is a violation of sovereignty. Schmitt says that the hackers who stole and released Democratic National Committee emails, for example, violated international law because they “manipulated our election process.” Cyber espionage cases such as the hack that stole data from the SEC, however, are not barred under international law, he said.51

Nye says the lack of legal clarity makes it harder to prevent attacks. “One of the things that I worry about is, how do you deter states from creeping up to this threshold,” he says.

Because the United States has targeted other countries with aggressive cyberattacks — the 2010 Stuxnet virus that damaged Iranian centrifuges is just one example — some cybersecurity experts say U.S. officials have little credibility to demand that other countries stop such attacks.

Kalev Leetaru, a senior fellow at George Washington University's Center for Cyber and Homeland Security, said it was “somewhat hypocritical” for U.S. officials to file criminal charges against the two Russian intelligence officers who allegedly masterminded the 2014 breach at Yahoo. The charges outline “precisely the same activities the U.S. government itself engages in every day,” Leetaru wrote in Forbes.52

The United Nations has worked to develop cyberwarfare rules through its Group of Governmental Experts on Information Security (GGE), first convened in 2004. The group's latest round of talks stalled without producing consensus, but Nye says he expects some countries to work together on agreements like the one Obama and Chinese President Xi Jinping reached in 2015.

In that deal, China agreed not to conduct commercial cyberespionage to avoid U.S. sanctions against Chinese companies accused of stealing trade secrets.53 But Clapper noted last year that “China continues to have success in cyber espionage against the U.S. government, our allies, and U.S. companies.”54

Before the 2015 deal was signed, a spokesman for China's defense ministry accused U.S. officials of conducting their own cyber spying operations. U.S. criticism of cyber espionage by China, he said, was a case of “a thief yelling ‘Stop, thief!’”55

Paul Rosenzweig, a former Homeland Security deputy assistant secretary for policy who lectures on law at George Washington University, says international adoption of standard practices on cyberattacks is more feasible than a treaty like the one proposed by Microsoft's Smith. He notes that countries already have begun to agree not to target other countries' electricity grids. In 2015, for example, countries participating in that year's round of GGE talks pledged not to target other countries' critical infrastructure in peacetime. “It is not a mandate, but it seems moderately effective,” Rosenzweig says.



Pre-Internet Attacks

In 1986, Clifford Stoll, a computer analyst at Lawrence Berkeley National Laboratory in California, discovered while investigating a 75-cent accounting anomaly that the lab's network and other high-security government networks had been hacked. Eventually, Stoll tracked the intrusion to a group of West German spies working for the KGB, the Soviet Union's main security agency.56 The incident — known as “The Cuckoo's Egg,” after the title of Stoll's 1989 book — was the first publicly documented cyberattack by another country on U.S. government computers.

Two years later, on Nov. 3, 1988, about 8,800 computers connected to ARPANET, the forerunner of the internet, were hit by the world's first computer worm and slowed to a crawl or crashed. Robert Morris, a Cornell University graduate student, had released the worm not to cause damage, he said, but to gauge ARPANET's reach. Still, he was convicted under the Computer Fraud and Abuse Act and sentenced to three years of probation.57

“Before Morris unleashed his worm, the internet was like a small town where people thought little of leaving their doors unlocked,” technology journalist Timothy B. Lee wrote about the incident. “Internet security was seen as a mostly theoretical problem, and software vendors treated security flaws as a low priority. The Morris Worm destroyed that complacency.”58

In response to the Morris Worm, the Defense Advanced Research Projects Agency (DARPA), a research arm of the Defense Department, contracted with Carnegie Mellon University to create the Computer Emergency Response Team (CERT), a research center focused on software flaws and internet security.59

Cyberattacks on the Rise

Increasing use of the internet by government, academia and the private sector prompted the United States and Russia to meet in secret in Moscow in 1996 to talk about a cyberspace disarmament agreement. U.S. officials were focused primarily on protecting data and infrastructure, but the Russians wanted any treaty to cover what they called ‘information terrorism,’ which referred to “any use of the internet that might threaten domestic stability,” wrote Adam Segal, director of the Program on Digital and Cyberspace Policy at the Council on Foreign Relations think tank.60

In 1997, U.S. defense officials launched an internal exercise dubbed “Eligible Receiver” in response to evidence that military networks were being probed by unknown sources. NSA hackers were assigned to break into Defense Department networks using only publicly available computer hardware and software to test the networks' security. The NSA hackers were able to take control of Pentagon computers as well as power grids and 911 systems in nine major U.S. cities.61

“What Eligible Receiver really demonstrated was the real lack of consciousness about cyber warfare,” said John Hamre, deputy secretary of Defense at the time. “The first three days of Eligible Receiver, nobody believed we were under cyberattack.”62

The March 1998 discovery of a two-year pattern of intrusions on government computer networks — later dubbed “Moonlight Maze” — confirmed the security gaps uncovered by Eligible Receiver. Intelligence officials are still investigating the intrusions, which originated in Russia and compromised tens of thousands of files — including maps of military installations and military hardware designs.63

Weaknesses in U.S. military and civilian computer networks prompted President Bill Clinton in 1998 to issue the first national cybersecurity strategy. His directive said that “non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy” and ordered federal agencies to secure their networks within five years.64

In 2001, a city network administrator in Mountain View, Calif., noticed suspicious attempts to access the city's website and called the FBI. Analysts at the bureau found that the probes — which sought information about utilities and emergency systems — had originated in the Middle East and South Asia. That information acquired new significance when U.S. intelligence officials discovered that computers seized from al Qaeda operatives after the 9/11 attacks showed evidence that the terrorist group had engaged in widespread surveillance of U.S. infrastructure.65

Two years later, the Bush administration ordered the Homeland Security Department to establish a National Cyber Security Division to develop new technologies, tools and techniques to defend against cyberattacks. Also in 2003, Homeland Security officials issued the National Strategy to Secure Cyberspace, a roadmap for federal agencies and private companies to voluntarily cooperate on cyber security.66

The 2007 “surge” in U.S. forces fighting in Iraq marked the first time that defense and intelligence agencies tested cyberwar theories on the battlefield.67 As part of those tests, U.S. agents sent fake text messages to insurgents in Iraq to entice them to specific locations, where they were then targeted by U.S. troops or drone-fired missiles.68

The first known cyberattack targeting an entire country took place in April that same year, when Russian hackers defaced Estonian government websites, posted fake documents and shut down email accounts. The attack was in retaliation for Estonia's decision to remove a statue of a Soviet soldier commemorating World War II.69

A year later, Russia launched a more serious cyberattack against Georgia in preparation for a conventional military assault, knocking out commercial banking and media outlets.70

In early 2009, almost immediately after winning election, Obama called for a thorough review of federal measures to defend U.S. cyberspace. In June, his administration announced the creation of the U.S. Cyber Command within the Defense Department to defend department networks.71

China began to attract attention from U.S. cybersecurity officials in 2010, after Google said Chinese hackers stole intellectual property from the company and broke into the email accounts of human-rights activists.72 The attack — dubbed Operation Aurora — also targeted dozens of other companies.73

As federal agencies worked to strengthen their cyberdefenses, defense officials prepared offensive cyberweapons.

In 2010, a cyberweapon called Stuxnet was accidentally discovered to have migrated from an Iranian nuclear facility to computer networks around the world. The virus, thought to have been created by the NSA and Israel, was designed to undermine Iran's nuclear weapons program by causing centrifuges that enrich uranium to spin out of control.74

One participant in the operation said the aim was not to cause immediate, extensive damage but to make the Iranians think their engineers were incompetent. “The idea was to string it out as long as possible,” the person said. “If you had wholesale destruction right away, then they generally can figure out what happened, and it doesn't look like incompetence.”75

Two years later, researchers identified “Flame,” a digital worm that had deleted information from computers in Iran, Sudan and the Middle East. The worm consisted of different modules, including one called “Shredder” that instructed breached computers to remove all traces of the infection. Other modules stole documents, recorded keystrokes and screenshots or lifted data and audio from smartphones or other Bluetooth devices near the targeted computer.76

Flame may have been first used in 2004. In 2012, it was considered possibly the most complex piece of malware ever discovered. Some analysts suspect it was created by the United States and Israel. It also was the first identified virus that used Bluetooth wireless technology to send and receive commands and data.77

Government Action

On Nov. 17, 2010, Dean Turner, director of the Global Intelligence Network at Symantec, a private security firm, called Stuxnet “a wake-up call to critical infrastructure systems around the world.”

“This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities,” Turner told a Senate committee.78

In retaliation for Stuxnet, an activist group backed by Iran launched about 200 “denial of service” attacks aimed at disabling websites at nearly 50 U.S. financial institutions.79

Iran also was reportedly behind a 2012 cyberattack on Saudi Aramco, the Saudi Arabian national oil company and the world's largest oil exporter, using a virus called Shamoon. The attack wiped data from 30,000 computers.

“The Shamoon attack in Saudi Arabia seriously spooked the U.S. government,” the Council on Foreign Relations' Segal wrote. Later that year, Defense Secretary Leon Panetta warned of a potential “cyber Pearl Harbor” in which hackers would derail passenger trains or trains loaded with lethal chemicals.80

U.S. cybersecurity officials were further shaken by the disclosure in June 2013 that hackers had stolen technical and design data for the F-35, America's next-generation fighter aircraft.81 China was eventually identified as the culprit. “The Chinese might never have to fight the jet if it didn't get off the ground,” Shane Harris wrote in his 2014 book @War: The Rise of the Military-Internet Complex.82

U.S. officials, however, were making progress themselves on offensive cyber capabilities. By 2013, the NSA had implanted malware in an estimated 85,000 computer systems in 89 countries so that it could access those networks should it need to in the future.83 That same year, the NSA's Remote Operations Center received authorization to spend $651.7 million breaking into computer systems around the world — twice the amount the entire intelligence community spent that year defending classified U.S. military networks from attack.84

The Obama administration also was focused on securing critical infrastructure. On Feb. 12, 2013, Obama signed an executive order telling federal agencies to start sharing more cyberthreat information with private companies and directing the Homeland Security Department to identify infrastructure elements “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.”85

The hacking attack targeting Sony Pictures took place a year later when hackers operating under the name “Guardians of Peace” made five unreleased Sony films publicly available.86

In 2015, Congress passed the Cybersecurity Information Sharing Act, which allows federal agencies and private companies to share data about cyberattacks and threats, including data on private citizens.

Civil liberties groups say the law threatens individual privacy rights. “It was billed as a cybersecurity bill but it seemed more like a surveillance bill,” says Neema Singh Giuliani, legislative counsel with the American Civil Liberties Union (ACLU).

A cyberattack this year on the defunct nuclear plant in Chernobyl, Ukraine, disabled the computers monitoring radiation left over from a massive 1986 explosion at the plant. Ukraine has blamed Russia, but the Kremlin has denied involvement. Cybersecurity experts say such attacks suggest that future wars likely will begin in cyberspace, not at sea, on land or in the air. (Getty Images/Sean Gallup)

Cybersecurity experts also say the 2015 law is already out of date. They say computer attackers around the world have grown so sophisticated — often with state sponsorship — that the concept of allowing companies and the government to share cyber information seems antique.87

In December 2016, nearly 250,000 people in Ukraine lost electricity as the result of a suspected Russian cyberattack that came just six months before the June attack that began in Ukraine and spread around the world. The December attack was linked to the war in eastern Ukraine, where Russian-backed separatists are fighting Ukrainian government forces.88

Russia's multipronged campaign to influence the 2016 presidential election has continued to generate headlines since U.S. officials said last October they were confident the Kremlin was behind the hacking and release of Democratic National Committee emails.

“Such activity is not new to Moscow — the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there,” the Department of Homeland Security and Office of the Director of National Intelligence said in a joint statement last year.89

In September, Facebook said it would turn over more than 3,000 Russia-linked ads to congressional committees investigating the Kremlin's influence operation prior to the election. Facebook also has given information on the ads to Robert Mueller, the special counsel investigating Russia's activities linked to the election.90

Also in September, Department of Homeland Security officials contacted election officials in 21 states and told them Russia had tried to hack into their voting systems before the 2016 presidential election.91


Current Situation

Trump Administration

On May 11, President Trump issued an executive order aimed at strengthening cybersecurity for federal networks and critical infrastructure. The order identifies three priorities: protecting federal networks, updating antiquated systems, and directing all department and agency heads to work together “so that we view our federal [internet technology] as one enterprise network,” said Tom Bossert, Trump's homeland security adviser.92

The order also specifically makes agency heads responsible for cybersecurity at their departments, a job that Lin at the Hoover Institution says typically fell to chief information officers or chief security officers. Lin also says requiring interagency cooperation is important because “what happens at the Department of Treasury matters to the Department of Agriculture.”

Trump's executive order was in addition to his decision to make U.S. Cyber Command — the Department of Defense's offensive cyber force — its own unified military command.93

New America's Singer, who supports the move, says “the battleground and the organization have become more operational since Cyber Command was formed, and this is a natural evolution.”

Even as the Cyber Command assumes a higher-profile role, Congress is looking to exercise tighter oversight over cyber operations. In July, the House approved legislation that would require Defense officials to notify Congress within 48 hours of any “sensitive military cyber operation” undertaken by the United States. The measure is part of the 2018 National Defense Authorization Act, which has passed the House and is pending before the Senate. It would apply to both offensive and defensive operations, but exempts covert actions.94

NSA Under Scrutiny

NSA officials have made it a practice to identify “zero-day” vulnerabilities in software used by private companies. The term refers to major coding flaws that hackers could exploit and that the companies do not know exist.

The NSA collects such flaws in case it might someday want to use them to launch a cyberattack or extract information from a computer network. But the agency has opted not to tell companies about those vulnerabilities, drawing criticism from companies and consumer groups.95

The risks linked to that policy came to light in August 2016, when Cisco and Fortinet, which make networking equipment, alerted their customers that a hacking group called Shadow Brokers had made certain data available for sale on the Web. The data included hacking software that could be used to target networking appliances made by Cisco, Fortinet and other companies.

Shadow Brokers said they had stolen the data from a group linked to the NSA, and analysts concluded that the data consisted of zero-day vulnerabilities the agency had collected without telling the companies.96

The incident took place two years after the Obama administration, in a break with the policy in effect during the George W. Bush administration, directed the NSA to reveal any vulnerabilities it discovered in companies' software, but made an exception for vulnerabilities that could serve “a clear national security or law enforcement need.”97 One former government official said that by 2014 the NSA had stored more than 2,000 zero-day vulnerabilities for potential use against Chinese systems alone.98

A billboard promotes the Sony Pictures comedy “The Interview,” in Venice, Calif., on Dec. 19, 2014. Earlier that year, hackers broke into Sony computers, stealing unreleased movies and making them publicly available. U.S. officials said North Korea launched the attack in retaliation for the film, which depicts a plot to assassinate the country's leader, Kim Jong-un. (Getty Images/Christopher Polk)

Security flaws in software and hardware have spawned an entire industry, with private companies finding the holes and then turning them into hacking weapons — known as “zero-day exploits” — that they sell to the NSA and other agencies and companies.

“This gray market is not precisely illegal, but it operates on the fringes of the Internet,” Harris wrote in his 2014 book.99 He said zero-day exploits in software go for $50,000 to $100,000, while exploits based on flaws in computer hardware can earn their creators millions of dollars.100

Giuliani at the ACLU says the NSA's handling of zero-day vulnerabilities needs to be more transparent. “It should be written in the law instead of being subject to change every time there's a change of political leadership,” she says.

Such transparency was a top priority for Democratic and Republican lawmakers in Congress who introduced legislation on May 17 spelling out criteria for how the NSA and other agencies decide whether to tell companies about software and hardware vulnerabilities the agency has discovered.101

“Hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security,” Rep. Ted Lieu, D-Calif., said in introducing the bill.102

White House officials say the current process is transparent enough. Michael Anton, a spokesman for the National Security Council, described it as “a disciplined, high-level interagency decision-making process for disclosure of known vulnerabilities.”103

Internet of Things

Internet security has increasingly become a challenge as more and more everyday devices and machines — driverless cars, pacemakers, refrigerators, virtual personal assistants — send and collect data via computer networks, a phenomenon known as “the internet of things.” By 2020, an estimated 34 billion devices will be connected to the internet, up from 10 billion in 2015.104

“The ‘attack surface’ in which anybody — a state or a nonstate actor — can do damage will enormously increase,” says former Defense official Nye. Many of the billions of devices connected to the internet “are built not for security but for efficiency,” he says.

And while internet-connected devices may not be a security hazard in themselves, they often offer hackers an unprotected entry point. “For a cyber-defender, this means that hackers will not only have three times as many targets — they will also have three times as many vectors from which to attack any given target,” James Stavridis, a retired Navy admiral and dean of the Fletcher School of Law and Diplomacy at Tufts University, and Dave Weinstein, New Jersey's chief technology officer, wrote last year. “This creates vast new challenges for network security and complicates the already murky legal and technical landscape for attributing who is responsible for an attack.”105

In August, Sens. Mark R. Warner, D-Va., Cory Gardner, R-Col., Ron Wyden, D-Ore., and Steve Daines, R-Mont., introduced legislation that would require vendors who supply the U.S. government with internet-connected devices to ensure that their software can be patched if vulnerabilities are found, that the devices do not include passwords that can't be changed, and that they are free of security flaws. The bill was referred to the Senate Homeland Security and Governmental Affairs Committee on Aug. 1. It had not signed up additional cosponsors as of Sept. 29.106

Nicholas Weaver, a lecturer in computer science at the University of California, Berkeley, said the bill ideally will create standards that all internet-connected devices — not just those used by the government — will follow.107

Stavridis and Weinstein say much more needs to be done, such as requiring that internet-connected devices automatically update their security software. “First, we need to require higher levels of security in any device that will be connected to the Web,” they wrote. “Second, we need better technology to manage in real time the vulnerability of Internet of Things devices.”108

The two said consumers need to play a role. “[W]e all have to recognize that we have a broad responsibility to protect the internet as consumers of it. While it's easy to place blame on device manufacturers, in the end, perhaps the more appropriate culprit is the user.”109



Securing State Elections

Russia's meddling in last year's presidential election has focused the attention of state election officials and congressional lawmakers on making sure voting systems are secure in time for next year's elections.

Officials in many states say the federal government should provide money to help states strengthen election security or replace voting machines. “If we want to enhance people's confidence in our elections, Congress absolutely should secure funding for the modernization and securing of voting systems,” said Nicole Lagace, communications director for Rhode Island's Department of State.

But officials in other states say they don't need federal help to solve their voting problems, citing a desire to avoid government bureaucracy.110

As cyberattacks by other nations, rogue states and criminals increase, cybersecurity experts say private-sector computer networks must be protected, but many say legislation is not the answer.

“Cyber changes so quickly that if we can actually get a bill passed in Congress and signed by the president, it will be outdated by the time it goes into effect,” says Maness at the Naval Postgraduate School. “The private sector taking care of its own will probably be the faster and more efficient way.”

Some legislators have proposed allowing companies to “hack back” against attackers to deter future attacks. More than one-third of companies said in a survey that they responded in kind to hacking attacks, even though doing so is illegal in the United States.111

In 2013, Microsoft and several other major corporations joined forces, with court approval, to disable a large cluster of hijacked computers being used for online crime.112

Jeremy Rabkin, a law professor at George Mason University in Fairfax, Va., has argued for letting federal officials approve a list of cybersecurity firms that private companies could hire to retaliate for hacking attacks.113

“That's a bit too much of the Wild West for me,” says Arquilla of the Naval Postgraduate School. “We don't want to start a whole business of privateering in cyberspace. Things are already close to out of hand.”

Other cybersecurity experts say the government needs to force companies, through regulation, to secure their computer networks. “The United States should continue to improve its regulation and oversight of the development and adoption of new software and technologies,” political scientists Chad C. Serena and Colin P. Clarke at the RAND Corp. think tank wrote last year. “Networks and many of their components are inherently and increasingly insecure.”114

Arquilla disagrees with proposals to impose government regulation on private-sector cybersecurity, saying encryption is the key to security in cyberspace. “Creating Maginot Lines around the military information infrastructure is not the answer,” he says. “Expect bad guys to get into systems but make sure they can't do much damage once they are in.”

He also advocates storing critical data in the cloud, or remote computer servers that are accessed online. That way, he says, the data is scattered among different servers rather than sitting in one location that hackers can target.

“We are married to a paradigm of cybersecurity based on [antivirus software] and firewalls,” Arquilla says. “The problem, of course, is that antivirus programs only recognize what they already know, and good hackers just walk right through firewalls. I think we need a paradigm shift.”



Should the government regulate private-sector cybersecurity?


John Arquilla
Professor and Chair of Defense Analysis, U.S. Naval Postgraduate School. Written for CQ Researcher, October 2017

In 2003, President George W. Bush issued his “National Strategy to Secure Cyberspace,” an attempt to guide — but not to regulate — efforts to protect commercial, infrastructural and personal information systems. Congress soon allocated about $5 billion in support of such efforts, and the public and private resources expended trying to improve cybersecurity have dwarfed that amount since — to little effect.

The list of costly hacks and massive data breaches has only lengthened over time, as major retail firms, leading social media sites and even some of the most sensitive, classified government databases have been penetrated. Add hundreds of billions of dollars' worth of intellectual property raided by hackers each year, and the cyber-cataclysm underway can no longer be denied or ignored.

The fault lies in the choice initially made by Bush — and reaffirmed since — to make government's role informational rather than regulatory. By doing so, government has granted the commercial sector the “freedom to innovate,” as the Information Technology Association of America put it. And privacy concerns about government intrusiveness also have been kept at politically acceptable levels. The result: precious little innovation in cybersecurity has come from the business sector, and privacy has been shredded — not by Big Brother, but by a host of Little Brother hacking cliques.

Clearly, this is a case of what economists call “market failure.” Consumers continue to purchase insecure products in ever-increasing quantities, so there has been no invisible hand to drive producers toward better cybersecurity. Given that the paths to improvement have been perceptible for some time — cloud computing, block chains and the ubiquitous use of strong encryption — government is now well positioned to require producers to employ such means, and to use its bully pulpit to nudge consumers to make informed purchases.

For the past two decades, government steered by the guardrails when it came to cybersecurity. First it lurched toward reliance on market mechanisms that have failed; then it went in the other direction with the misguided effort to obtain “backdoors” into commercial products that would allow government surveillance of anyone, at any time. The more sensible path is simply to regulate the adoption of the best cybersecurity technologies and practices.

The issue is not one of Right or Left. It has always been a matter of distinguishing right from wrong. If we fail, ruin lies ahead.


Herbert Lin
Senior Research Scholar for Cyber Policy and Security, Hoover Institution. Written for CQ Researcher, October 2017

Regulation should be a tool of last resort that directs private firms to take actions for enhancing the nation's cybersecurity that they would not otherwise take.

Market failure in cybersecurity is apparent in two ways. First, individual entities do not do all they should to provide for their own cybersecurity needs. Providing these entities with the information they need to take cybersecurity-enhancing actions in their own self-interest may be a partial solution to this kind of market failure, and providing information is obviously not a regulatory activity.

Second, even if these individual entities did all that could reasonably be expected, the national cybersecurity posture would still be inadequate because of the interdependencies between private and government entities. This aspect of market failure is much harder to address because it is not in any entity's self-interest to do for the nation more than it needs to do for itself. Here, regulation should be considered only when the risks to public safety and security are material and other approaches fail.

As an example of a nonregulatory approach, the NIST Cybersecurity Framework was designed to provide a systematic and voluntary way for private firms to assess their cybersecurity risks and take corrective action commensurate with them. Broader use of that framework would improve the nation's cybersecurity.

A more controversial — but still nonregulatory — approach would be to subject private vendors of IT products and services to tort liability for security lapses and inadequacies. Vendors say such liability would stifle innovation. But today's market environment has few incentives to attend to security while innovating. Tort liability — with appropriate carve-outs and limits — would help to redress that balance.

In any event, the liability question is likely to be moot with the advent of the Internet of Things (IOT). A robust liability regime already exists for “things”; the manufacturer of a faulty toaster that burns down your house is liable for damages. Adding an IOT dimension to the toaster will not change that; it is inconceivable that the manufacturer will be able to escape liability by denying the toaster's IOT parts caused the fire.

We have not yet exhausted the potential of such measures to improve the nation's cybersecurity posture. If and when we do, regulation may need to be considered as the only way to improve the nation's cybersecurity.



1980s: Pre-internet attacks focus on hacking into networks.

1986: An analyst discovers that the computer network at Lawrence Berkeley National Laboratory in California and other high-security government networks have been hacked by West German spies who sold the information to the Soviet Union.

1988: Thousands of computers in the United States are hit with the first computer worm, called the “Morris Worm,” alerting federal agencies to the dangers posed by software and network vulnerability.

1990s–2000s: Internet use expands and cyberattacks increase.

1997: The Defense Department's “Eligible Receiver” exercise lets the National Security Agency (NSA) hack into department networks to test for vulnerabilities. The NSA team finds it can take control of Pentagon computers and civilian power grids.

1998: U.S. officials discover a pattern of computer intrusions — later dubbed “Moonlight Maze” — that had originated in Russia and had compromised maps of military installations and other sensitive files…. President Bill Clinton issues the first national cybersecurity strategy, which directs the federal government to secure its computer networks within five years.

2002: Following the 9/11 terrorist attacks on the United States, Congress increases penalties for several computer crimes, requires federal agencies to better protect their networks and provides $900 million to research cybersecurity improvements.

2003: George W. Bush administration releases the National Strategy to Secure Cyberspace, setting priorities for agencies with responsibility for cybersecurity…. Bush makes the Homeland Security Department responsible for protecting the country's non-military cyberspace infrastructure.

2007: Estonia accuses Russia of attacking its government computers.

2008: President George W. Bush calls for a Comprehensive National Cybersecurity Initiative to establish cybersecurity requirements for government agencies…. Russian agents hack into Georgian government websites before launching a conventional military attack.

2009: North Korea is suspected in cyberattacks on U.S. and South Korean government, media and financial computer systems.

2010-Present: Governments go on the cyber offensive.

2010: Google says its servers were hacked, apparently from China, and Secretary of State Hillary Clinton warns the United States will retaliate after such attacks…. The Stuxnet cyberweapon, used to destroy centrifuges at an Iranian nuclear facility and attributed to the United States and Israel, is publicly identified.

2012: Iran launches a cyberattack on the Saudi Arabian national oil company…. Researchers identify a digital worm called “Flame” that deleted information from computers in Iran, Sudan and the Middle East.

2013: U.S. discloses that hackers, later determined to be Chinese, stole data on the F-35 fighter aircraft…. President Obama issues an executive order making it easier for companies and government agencies to share cyberthreat information.

2014: The FBI says North Korea was behind a cyberattack that released confidential data from Sony Pictures. The attack followed North Korean outrage over a Sony comedy film, “The Interview,” about a plot to assassinate the country's leader, Kim Jong-un.

2015: Cybersecurity Information Sharing Act allows government agencies and the private sector to share data about cyberattacks and cyberthreats, including data on private citizens.

2016: Intelligence officials say Russia hacked and released Democratic National Committee emails to influence the U.S. presidential election…. In December, Russian hackers disable part of Ukraine's power grid.

2017: A computer virus originating in Ukraine disrupts computer networks around the world…. Facebook says it sold $100,000 in ads to Russian operatives hoping to influence the 2016 presidential election.


Short Features

Some experts want NATO to take offensive in cyberspace.

With 4.7 billion people expected to be online by 2025, cyber officials are expressing growing fears about digital security and urging countries to work together to protect cyberspace.1

The question is how best to foster such international collaboration.

The United States already participates in cyberdefense exercises with NATO, a U.S.-European military alliance that says it must defend itself in cyberspace “as effectively as it does in the air, on land and at sea.” Under Article 5 of its charter, NATO would treat a cyberattack against one of its members as an attack against all members, according to the alliance's secretary general, Jens Stoltenberg.2

NATO has not made clear, however, what type of cyberattack would trigger Article 5, or how it would decide on a proportional response.3 One challenge is that it is often difficult to say for sure whether a particular cyberattack was launched by a government agency or a private group.4

The alliance's policy on cyberwarfare — as in conventional warfare — is to act only in self-defense, which some cybersecurity experts believe is misguided. “Can any military force credibly claim to have advanced capabilities if it does not include offensive cyber operations in its arsenal?” James Lewis, a senior vice president at the Center for Strategic and International Studies, a bipartisan think tank in Washington, wrote in 2015.5

A NATO spokesperson said in July the alliance warded off 500 cyberattacks each month in 2016. “Foreign governments, criminals and terrorists can all be the source of cyberattacks, and attribution can be difficult,” Oana Lungescu said. “But of course, nations have the largest resources in the cyber field, and they are responsible for the majority of targeted attacks against NATO networks.”6

One such attack occurred in June, when computers at government offices, financial firms, utilities and industries around the world were wiped clean in a digital attack that a NATO-affiliated research firm said was likely caused by a “state actor” or by someone with state backing. Researcher Tomáš Minárik at NATO's Cooperative Cyber Defense Centre of Excellence said the attack “could count as a violation of sovereignty” that would justify countermeasures by the targeted countries. Ukraine, where the attack started, has blamed Russia. The Kremlin has denied involvement.7

Former NATO Supreme Commander Philip M. Breedlove argued in May that NATO should develop offensive cyberweapons, specifically to deter Russia from launching digital attacks. “We in NATO have incredible cyber capability,” he said. “But we in NATO do not have an incredible cyber policy. In fact, our policy is quite limiting. It really does not allow us to consider offensive operatives as an alliance in cyber.”8

The United Nations also is working to come up with international standards for responding to hostile acts in cyberspace. In June, the U.N.'s fifth Group of Governmental Experts on Information Security (GGE) disbanded, reportedly over disagreements about whether its final report should deal with the use of countermeasures after a cyberattack. (The first GGE group formed in 2004 to examine potential cyberthreats and possible cooperative measures to address them.)9

Advocates for cyberdefense cooperation viewed the disbanding as a major setback, saying it leaves the future of international cooperation on cyberspace up in the air.10 Paul Rosenzweig, a former Department of Homeland Security deputy assistant secretary and a law lecturer at George Washington University, said the GGE's deadlock shows how difficult it will be for countries to agree even on basic standards of behavior in cyberspace.

Some experts say the only way to counter cyberchallenges from Russia, China, North Korea and other authoritarian governments is to form a “cyberalliance” of democratic countries, separate from NATO.

“The alliance will need a common perception that it matters to each of us and each nation to defend the democratic civil societies against the economic losses and political intrusions” of China and other authoritarian countries, Chris C. Demchak, who teaches cybersecurity at the U.S. Naval War College, said in May. She said such an alliance would consist of up to 40 countries containing 900 million people who would have “the economic market weight and the technological talent pool to face China as a peer.”11

U.S. defense officials have not advocated for a formal cyberalliance, according to Masao Doi, acting deputy chief of public affairs at the U.S. Cyber Command. But, he added, “cooperation and partnership are vital to the success of U.S. Cyber Command's missions.”

— Patrick Marshall

[1] David Burt et al., “Cyberspace 2025: Today's Decisions, Tomorrow's Terrain,” Microsoft, June 2014.

[2] Roland Oliphant and Cara McGoogan, “Nato warns cyber attacks ‘could trigger Article 5’ as world reels from Ukraine hack,” The Telegraph, June 28, 2017.

[3] “NATO Cyber Defence,” NATO fact sheet, April 2017; Oliphant and McGoogan, ibid.

[4] “Massive cyber attack could trigger NATO response: Stoltenberg,” Reuters, June 15, 2016.

[5] James A. Lewis, “The Role Of Offensive Cyber Operations In NATO's Collective Defence,” The Tallinn Papers, NATO Cooperative Cyber Defence Centre of Excellence Tallinn Estonia, 2015.

[6] Ryan Browne, “NATO: We ward off 500 cyberattacks each month,” CNN, July 18, 2017.

[7] Luke Graham, “NATO think-tank says a ‘state actor’ was behind the massive ransomware attack and could trigger military response,” CNBC, June 30, 2017; Thomas Fox Brewster, “NotPetya Ransomware Hackers ‘Took Down Ukraine Power Grid,’” Forbes, July 3, 2017.

[8] Patrick Tucker, “Former NATO Commander: Alliance Needs to Take Cyber Fight to Russia's Door,” Defense One, July 6, 2017.

[9] “Developments in the Field of Information and Telecommunications in the Context of International Security,” fact sheet, United Nations Office for Disarmament Affairs, April 2017; Elaine Korzak, “UN GGE on Cybersecurity: The End of an Era?” The Diplomat, July 31, 2017.

[10] Ibid., Korzak.

[11] “Key Trends across a Maturing Cyberspace affecting U.S. and China Future Influences in a Rising deeply Cybered, Conflictual, and Post-Western World,” testimony of Chris C. Demchak before the U.S. China Economic and Security Review Commission, May 4, 2017.


Bots and trolls are “an existential threat to U.S. democracy.”

Securing the nation's voting systems has taken on new urgency ahead of next year's midterm congressional elections, as evidence mounts that Russia used hacking and bogus social media accounts to interfere in last year's presidential race.

But many election officials say they still feel vulnerable to cyberthreats, and security officials are scrambling to find solutions.

In July, officials from the Homeland Security Department, FBI and the Election Assistance Commission — the only federal agency that works exclusively to make sure voting systems are secure — met with state election officials to explain the department's plan to protect voting systems. The plan focuses on sharing information with election officials regarding potential threats, analyzing risks to individual voting systems and ensuring election officials have the tools to support cybersecurity.12

On Sept. 22, the Homeland Security Department contacted election officials in 21 states and told them hackers linked to the Russian government attempted to hack their voting systems last year. State election officials and congressional lawmakers earlier had expressed frustration with the department's unwillingness to share information on which states were targeted.

“We heard feedback from the secretaries of state that this was an important piece of information,” said Bob Kolasky, acting deputy undersecretary for DHS's National Protection and Programs Directorate. “We agreed that this information would help election officials make security decisions.”

He said Homeland Security officials recognized the need for states to strengthen their voting systems now “rather than a few weeks before” the 2018 elections. Department officials left it to individual states to decide whether to publicly reveal they had been targeted.13

Even with the new information on which states were targeted, many states say they do not have enough money to secure their voting systems. Of 33 states surveyed by the news organization Politico, officials in at least 10 said they had asked state lawmakers this year for more money for election cybersecurity. But officials in only six states said they either received the money or expected to get it.14

Officials in 21 states said the federal government should provide money to help states strengthen election security or replace voting machines.

Not all states agree. “The last thing we need to do is create more government bureaucracy and throw federal money at a problem when the states can devise a solution,” Georgia Secretary of State Brian Kemp said.15

Russia's hacking attempts last year apparently did not affect voting tallies.16 “What this boils down to is that someone tried the door knob and it was locked,” said Reid Magney, a spokesman for the Wisconsin Elections Commission.

Even so, Congress has been trying to find ways to prevent election interference. In January, Rep. Eliot Engel, D-N.Y., introduced legislation that would freeze the assets of foreigners who meddle in U.S. elections and deny them entry visas. In July, six Democratic House members led by Rep. Jim Langevin of Rhode Island announced they had formed a task force that aims to give members of Congress and cybersecurity experts a forum to discuss threats to voting systems. So far, however, no Republicans have joined the group.17

Hacking of voting systems is just one source of concern. Some cybersecurity experts say “influence campaigns,” conducted through social media to disrupt democratic institutions and processes, are even more dangerous.18

Such campaigns, including the one Russia is accused of pursuing last year, may pose “an existential threat to U.S. democracy,” says Peter W. Singer, a strategist and senior fellow at New America, a left-leaning think tank in Washington.

Intelligence officials say influence campaigns played a key role in Russia's attempts to interfere in last year's election through the use of “state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’”19

Special counsel Robert Mueller, the former FBI director investigating Russia's activities before the election, is looking at whether $100,000 of Facebook ads bought by a Russian “troll farm” may have influenced voters. On Sept. 21, Facebook said it would turn over more than 3,000 of the ads to congressional panels probing Russia's election meddling.20

The same Russian operatives linked to the Facebook ads also used Twitter accounts, the company told congressional investigators in September. The investigators are probing how Russia used both social media platforms as part of an effort to influence the results of the election by spreading misleading propaganda.21

Even before the ad sale, Russian agents had posed as Americans on social media to encourage people to visit sites containing false or derogatory stories about Democratic presidential nominee Hillary Clinton, according to The New York Times.22

Election-related cyberthreats tend to divide members of Congress along party lines. In early February, Republicans on the House Administration Committee voted to shut down the Election Assistance Commission (EAC). The full House has not taken up the measure.

“If we're looking at reducing the size of government, this is a perfect example of something that can be eliminated,” committee Chairman Gregg Harper, R-Miss., said after the vote. He said the EAC has outlived its usefulness and that the Federal Election Commission should take over its functions.23

Two experts on election security — Dan S. Wallach, a computer science professor at Rice University, and political consultant Justin Talbot-Zorn — disagree. They wrote in February that the vote to eliminate EAC funding reflects “a radical disconnect between a handful of influential House Republicans and nearly everyone else.”24

— Patrick Marshall

[12] Erica Orden and Byron Tau, “GOP Seeks to Close Federal Election Agency,” The Wall Street Journal, July 17, 2017; Tim Starks, “DHS accelerates work to protect 2018 elections under ‘critical infrastructure’ tag,” Politico, July 11, 2017.

[13] Sari Horwitz, Ellen Nakashima and Matea Gold, “DHS tells states about Russian hacking during 2016 election,” The Washington Post, Sept. 22, 2017.

[14] Cory Bennett et al., “Cash-strapped states brace for Russian hacking fight,” Politico, Sept. 3, 2017.

[15] Ibid.

[16] Tal Kopan, “DHS officials: 21 states potentially targeted by Russia hackers pre-election,” CNN, July 18, 2017.

[17] “H.R.530 — Secure Our Democracy Act,” Feb. 8, 2017; Rachael Kalinyak, “Task force focused on securing election systems crystallizes,” Federal Times, July 27, 2017.

[18] Massimo Calabresi, “Inside Russia's Social Media War on America,” Time, May 18, 2017.

[19] “Assessing Russian Activities and Intentions in Recent US Elections,” Office of the Director of National Intelligence, Jan. 6, 2017.

[20] Dylan Byers, “Facebook handed Russia-linked ads over to Mueller under search warrant,” CNN, Sept. 17, 2017; Scott Shane and Mike Isaac, “Facebook to Turn Over Russian-Linked Ads to Congress,” The New York Times, Sept. 21, 2017.

[21] Elizabeth Dwoskin, Adam Entous and Karoun Demirjian, “Twitter finds hundreds of accounts tied to Russian operatives,” The Washington Post, Sept. 28, 2017.

[22] Scott Shane, “The Fake Americans Russia Created to Influence the Election,” The New York Times, Sept. 7, 2017.

[23] “As Trump fears fraud, GOP eliminates election commission,” The Associated Press, Feb. 7, 2017; “Harper: Time to Eliminate Obsolete Election Assistance Commission & Presidential Election Campaign Fund,” press release, Rep. Gregg Harper, Feb. 8, 2017.

[24] Dan S. Wallach and Justin Talbot Zorn, “Want Secure Elections? Then Maybe Don't Cut Security Funding,” Wired, Feb. 14, 2017.




Harris, Shane, @War: The Rise of the Military Internet Program, Mariner Books, 2014. A senior writer at The Wall Street Journal recounts the development of America's cyber weapons and defenses, and explains the close ties between government and the private sector on cybersecurity issues.

Mazanec, Brian M., The Evolution of Cyber War: International Norms for Emerging-Technology Weapons, University of Nebraska Press, 2015. A George Mason University adjunct professor of policy and government examines global norms for cyberwar and recommends that the United States not pursue practices that limit its development of cyberweapons.

Segal, Adam, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age, PublicAffairs, 2016. The director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations think tank argues that because it is difficult to pinpoint where digital attacks originate and to measure their impact, international rules of engagement in cyberspace must be reworked.


Jensen, Benjamin, Brandon Valeriano and Ryan C. Maness, “Cyberwarfare has taken a new turn. Yes, it's time to worry,” The Washington Post, July 13, 2017. Three cybersecurity professors at military universities, two of whom have previously described cyberthreats as overblown, explain why they are now worried about these threats.

Moore, Brian R., and Jonathan R. Corrado, “North Korea Proves You Barely Need Computers to Win a Cyberwar,” Foreign Policy, June 5, 2017. Two Asia specialists argue that the relative ease of developing cyberweapons gives outsized power to underdeveloped, isolated nations such as North Korea that have few cybertargets to defend.

Riley, Michael, Jordan Robertson and Anita Sharpe, “The Equifax Hack Has the Hallmarks of State-Sponsored Pros,” Bloomberg, Sept. 29, 2017. The hackers who stole massive amounts of data from the Equifax credit reporting agency showed a level of sophistication that suggests they were sponsored by a foreign government, but investigators are divided on whether China is the most likely culprit.

Serena, Chad C., and Colin P. Clarke, “America's Cyber Security Dilemma — and a Way Out,” Defense One, Dec. 22, 2016. Two RAND Corp. analysts say the United States should lead the way in forging international cybersecurity practices and find ways to rapidly determine the source of cyberattacks.

Stavridis, James, and Dave Weinstein, “The Internet of Things Is a Cyberwar Nightmare,” Foreign Policy, Nov. 3, 2016. A retired admiral and dean of the Fletcher School of Law and Diplomacy at Tufts University (Stavridis) and New Jersey's chief technology officer (Weinstein) argue that the emerging network of internet-connected devices will lead to unprecedented cybersecurity challenges.

Wolff, Josephine, “When Companies Get Hacked, Should They Be Allowed to Hack Back?” The Atlantic, July 14, 2017. An assistant professor of public policy at the Rochester Institute of Technology says that allowing companies targeted by hackers to respond in kind would make it harder to tell good actors from bad on the internet.

Reports and Studies

“Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress,” U.S. Government Accountability Office, November 2015. The investigative arm of Congress says it found significant cyber-related risks at 11 of 15 federal agencies it audited between June 2014 and November 2015.

“Department of Defense: Actions Needed to Address Five Key Mission Challenges,” U.S. Government Accountability Office, June 2017. The GAO says the vulnerability of Defense Department computer networks has grown “significantly” as the department has become more dependent on the internet.

“The Department of Defense Cyber Strategy,” U.S. Department of Defense, April 2015. The Defense Department's most recent explanation of its strategy for strengthening cyber defenses discusses three primary missions: defending military networks and information, defending the country against cyberattacks and developing offensive cyber capabilities.

Davis, John S. II, et al., “Stateless Attribution: Toward International Accountability in Cyberspace,” RAND Corp., 2017. Analysts at the nonpartisan think tank evaluate options for attributing cyberattacks to specific individuals or groups in a “standardized and transparent” way that makes the attribution credible to the public.


The Next Step

Digital Security

Hay Newman, Lily, “The U.S. Gives Cyber Command the Status It Deserves,” Wired, Aug. 19, 2017. To strengthen the nation's cybersecurity, a Trump administration directive elevated the U.S. Cyber Command, a division of the National Security Agency, to a unified military command.

Sebenius, Alyza, “Writing the Rules of Cyberwar,” The Atlantic, June 28, 2017. The distinction between offensive and defensive measures is hard to define when it comes to cybersecurity, says a postdoctoral Harvard fellow in his book, The Cybersecurity Dilemma.

Tucker, Patrick, “For the US Army, ‘Cyber War’ Is Quickly Becoming Just ‘War,’” Defense One, Feb. 9, 2017. By the end of the year the Army aims to have 41 cyber teams fully operational to help soldiers on the battlefield and disrupt enemy operations.

Foreign Threats

Bing, Chris, “Why the U.S. is struggling with the digital war on ISIS,” CyberScoop, June 14, 2017. The Islamic State is proving to be an elusive cyber foe for the U.S. military because it uses computers not for weapons systems but to recruit, coordinate and raise money, experts say.

Delcker, Janosch, “A hacked-off Germany hacks back,” Politico, May 23, 2017. Germany embraced an aggressive, combative approach to cyberattacks after hackers infiltrated its parliamentary computer network for several weeks in 2015.

Greenberg, Andy, “How an Entire Nation Became Russia's Test Lab for Cyberwar,” Wired, June 20, 2017. In 2015 Russia demonstrated it could cut off electricity for almost a quarter-million Ukrainians by hacking into their power grid.

International Cooperation

“EU Defense Ministers Hold Cyberwar Game In Tallinn,” Radio Free Europe, Radio Liberty, Sept. 7, 2017. European Union defense ministers participated in a simulated exercise to counter hackers who had crippled the command of a naval mission.

Cohen, Jared, “How to Prevent a Cyberwar,” The New York Times, Aug. 11, 2017. World leaders need to establish laws against cyberattacks, says an adjunct senior fellow at the Council on Foreign Relations.

Simonite, Tom, “Do We Need a Digital Geneva Convention?” MIT Technology Review, Feb. 15, 2017. Microsoft President Brad Smith argues an international digital treaty is needed to protect citizens and private companies from hacking by nation-states.

Private-Sector Security

Chertoff, Philip, “Why the U.S. Government Shouldn't Ban Kaspersky Security Software,” Wired, Sept. 4, 2017. A cybersecurity analyst says barring U.S. government agencies from using software produced by Kaspersky Lab, a Russia-based security vendor, would have a chilling effect on government contractors and consumers.

Schwartz, Mattathias, “Cyberwar for Sale,” The New York Times Magazine, Jan. 4, 2017. Private surveillance firms face few trade controls, and their software is available not only to large governments but also to any party with the money to buy it.

Uchill, Joe, “White House advisory group raises cybersecurity concerns,” The Hill, Aug. 22, 2017. The National Infrastructure Advisory Council said federal agencies and private-sector firms are collectively capable of protecting government infrastructure from hacking but are hindered by bureaucratic hurdles.



Alliance for Securing Democracy
1744 R St., N.W., Washington, DC 20009
Bipartisan, transatlantic group that works to expose Russia's “ongoing efforts to subvert democracy in the United States and Europe.”

American Civil Liberties Union
125 Broad St., 18th Floor, New York, NY 10004
Nonprofit organization that defends individual rights and civil liberties guaranteed by the Constitution and U.S. law.

Council on Foreign Relations
58 East 68th St., New York, NY 10065
Nonpartisan think tank focused on foreign policy choices facing the United States and other countries.

Cyber Security Division (Department of Homeland Security)
3801 Nebraska Ave., N.W., Washington, DC 20016
Formed in 2010 to defend U.S. computer networks against cyberattacks.

Electronic Privacy Information Center
1718 Connecticut Ave., N.W., Suite 200, Washington, DC 20009
Public interest research center that works to protect individuals' privacy rights and civil liberties in the internet age.

New America
740 15th St., N.W., Suite 900, Washington, DC 20005
Left-of-center think tank focused on technology and public policy.

Office of Cyber and Infrastructure Analysis (Department of Homeland Security)
300 7th St., S.W., Washington, DC 20024
Responsible for providing analysis to help U.S. officials protect critical infrastructure from cyberattacks.

U.S. Naval War College
686 Cushing Road, Newport, RI 02841-1207
Simulates cyberwar to build analytical, strategic and decision-making skills and prepare military leaders for disaster scenarios.



[1] Nicole Perlroth, Mark Scott and Sheera Frenkel, “Cyberattack Hits Ukraine Then Spreads Internationally,” The New York Times, June 27,2017,; M. Deleon, “NotPetya Ransomware Disrupts Merck Vaccine Production,” University of Hawai'i West O'ahu Cyber Security Coordination Center, Aug. 4, 2017,

[2] Luke Graham, “NATO think-tank says a ‘state actor’ was behind the massive ransomware attack and could trigger military response,” CNBC, July 7, 2017,

[3] Ibid.; Jack Stubbs, Matthias Williams, “Ukraine scrambles to contain new cyber threat after ‘NotPetya’ attack,” Reuters, July 5, 2017,

[4] Andy Greenberg, “‘Crash Override’: The Malware That Took Down a Power Grid,” Wired, June 12, 2017,; Lorenzo Franceschi-Bicchierai, “The History of Stuxnet: The World's First True Cyberweapon,” Motherboard, Aug. 9, 2016,

[5] Aaron Boyd, “DNI Clapper: Cyber bigger threat than terrorism,” Federal Times, Feb. 4, 2016,

[6] Ian Sherr, “WannaCry ransomware: Everything you need to know,” CNET, May 19, 2017,; Testimony of Gordon M. Snow before the Senate Judiciary Subcommittee on Crime and Terrorism, April 12, 2011,

[7] “Ukraine power cut ‘was cyber-attack,’” BBC, Jan. 11, 2017; Jackie Wattles and Jill Disis, “Ransomware attack: Who's been hit,” CNN, May 15, 2017; Andy Greenberg, “How An Entire Nation Became Russia's Test Lab For Cyberwar,” Wired, June 20, 2017; Natalia Zinets, “Ukraine hit by 6,500 hack attacks, sees Russian ‘cyberwar,’” Reuters, Dec. 29, 2016.

[8] Elizabeth Dwoskin, Adam Entous and Karoun Demirjian, “Twitter finds hundreds of accounts tied to Russian operatives,” The Washington Post, Sept. 28, 2017; Adam Entous, Craig Timberg and Elizabeth Dwoskin, “Russian operatives used Facebook ads to exploit America's racial and religious divisions,” The Washington Post, Sept. 25, 2017; Adam Entous, Ellen Nakashima and Greg Miller, “Secret CIA assessment says Russia was trying to help Trump win White House,” The Washington Post, Dec. 9, 2016; Scott Shane, “The Fake Americans Russia Created to Influence the Election,” The New York Times, Sept. 7, 2017.

[9] Victor Luckerson, “Everything We Know About the Massive Sony Hack,” Time, Dec. 4, 2014.

[10] Reuters and Libby Plummer, “Nuclear power plants are at risk of Militant Attacks: UN says recent cyber hacks are the ‘tip of the iceberg,’” Daily Mail, Oct. 10, 2016.

[11] David Livingstone, “Cyber Security at Civil Nuclear Facilities: Understanding the Risks,” Chatham House, Oct. 5, 2015.

[12] Thomas Grove, Julian E. Barnes and Drew Hinshaw, “Russia Targets NATO Soldier Smartphones, Western Officials Say,” The Wall Street Journal, Oct. 4, 2017.

[13] James R. Clapper, Marcel Lettre, Michael S. Rogers, “Joint Statement for the Record to the Senate Armed Services Committee: Foreign Cyber Threats to the United States,” Jan. 5, 2017.

[14] Bruce G. Blair, “Why Our Nuclear Weapons Can Be Hacked,” The New York Times, March 14, 2017.

[15] David Hambling, “Ships fooled in GPS spoofing attack suggest Russian cyberweapon,” New Scientist, Aug. 10, 2017; Mark L. Psiaki and Todd E. Humphreys, “Protecting GPS From Spoofers Is Critical to the Future of Navigation,” IEEE Spectrum, July 29, 2016.

[16] “Department of Defense: Actions Needed to Address Five Key Mission Challenges,” Government Accountability Office, June 2017, p. 2.

[17] Renae Merle, “SEC reveals it was hacked, information may have been used for illegal stock trades,” The Washington Post, Sept. 20, 2017; Riley Walters, “Cyber Attacks on U.S. Companies in 2016,” The Heritage Foundation, Dec. 2, 2016.

[18] “Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems,” Government Accountability Office, May 2016.

[19] “The Hiscox Cyber Readiness Report 2017,” Hiscox Insurance Company, undated.

[20] Martin Matishak, “Trump elevates U.S. Cyber Command, vows ‘increased resolve’ against threats,” Politico, Aug. 18, 2017.

[21] Thomas Gibbons-Neff and Ellen Nakashima, “President Trump announces move to elevate Cyber Command,” The Washington Post, Aug. 18, 2017.

[22] Saba Hamedy, “Trump: Russian meddling story an ‘excuse’ for why Democrats lost,” CNN, May 12, 2017.

[23] Ken Dilanian, Hallie Jackson, Likhitha Butchireddygari and Gabriela Martinez, “Trump White House Has Taken Little Action To Stop Next Election Hack,” NBC News, June 24, 2017.

[24] Sean D. Carberry, “I think we need to throw a few stones,” Federal Computer Week, May 12, 2017.

[25] Clapper, Lettre and Rogers, op. cit.

[26] Ellen Nakashima, “Russia has developed a cyberweapon that can disrupt power grids, according to new research,” The Washington Post, June 12, 2017.

[27] “Industrial cybersecurity threat landscape in H1 2017: Every third ICS computer under attack was from manufacturing sector,” Kaspersky Lab, Sept. 28, 2017.

[28] Dustin Volz, “Trump bars US government from using Russian cybersecurity firm Kaspersky,” Reuters, Sept. 14, 2017.

[29] John Markoff, “Before the Gunfire, Cyberattacks,” The New York Times, Aug. 12, 2008.

[30] Brian R. Moore and Jonathan R. Corrado, “North Korea Proves You Barely Need Computers to Win a Cyberwar,” Foreign Policy, June 5, 2017.

[31] “Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities,” testimony of Jason Healey before the House Armed Services Committee, March 1, 2017; Nicole Perlroth and Quentin Hardy, “Bank Hacking Was the Work of Iranians, Officials Say,” The New York Times, Jan. 8, 2013.

[32] John Arquilla, “Cyberwar Is Already Upon Us,” Foreign Policy, Feb. 27, 2012.

[33] “2015 DoD Cyber Strategy,” Defense Department, April 2015, p. 5.

[34] Ibid.

[35] Ron Lieber and Stacy Cowley, “Trying to Stem Fallout From Breach, Equifax Replaces C.E.O.,” The New York Times, Sept. 26, 2017; Elizabeth Weise and Nathan Bomey, “Equifax had patch 2 months before hack and didn't install it, security group says,” USA Today, Sept. 14, 2017; Elizabeth Weise and Nathan Bomey, “Equifax breach hit 2.5 million more Americans than first believed,” USA Today, Oct. 2, 2017.

[36] Brittany De Lea, “SEC breach can jeopardize trillions of dollars of wealth, cybersecurity expert warns,” Fox Business, Sept. 21, 2017; Jay Clayton, “Statement on Cybersecurity,” Securities and Exchange Commission, Sept. 20, 2017.

[37] “2016 Presidential Campaign Hacking Fast Facts,” CNN, Aug. 6, 2017.

[38] Nicole Perlroth, “All 3 Billion Yahoo Accounts Were Affected by 2013 Attack,” The New York Times, Oct. 3, 2017; Robert McMillan, “Yahoo Says Information on at Least 500 Million User Accounts Was Stolen,” The Wall Street Journal, Sept. 22, 2016.

[39] Vindu Goel and Eric Lichtblau, “Russian Agents were Behind Yahoo Hack, U.S. Says,” The New York Times, March 15, 2017; Perlroth, op. cit.

[40] “Report on Securing and Growing the Digital Economy,” Commission on Enhancing National Cybersecurity, Dec. 1, 2016, p. 7.

[41] Ann M. Beauchesne, “More Regulation Isn't the Answer,” The New York Times, Oct. 18, 2012.

[42] Shane Harris, @War: The Rise of the Military-Internet Complex (2014), p. xxi; Tom McCarthy, “NSA director defends plan to maintain ‘backdoors’ into technology companies,” The Guardian, Feb. 23, 2015.

[43] “Vulnerabilities Equities Process,” Electronic Privacy Information Center, undated.

[44] “Why 27% of U.S. Firms Have No Plans to Buy Cyber Insurance,” Insurance Journal, May 31, 2017.

[45] Roger A. Grimes, “Vendors should not be liable for their security flaws,” CSO, July 12, 2012.

[46] Brad Smith, “The need for a Digital Geneva Convention,” Microsoft blog, Feb. 14, 2017.

[47] Ibid.

[48] James Carlini, “Geneva Convention in Cyberwarfare? Don't Count on It,” International Policy Digest, Aug. 6, 2017.

[49] “Cyber War: Definitions, Deterrence and Foreign Policy,” testimony of James A. Lewis before the House Foreign Affairs Committee, Sept. 30, 2015.

[50] Morgan Chalfant, “Legislators grapple with cyber war rules,” The Hill, March 1, 2017.

[51] Michael N. Schmitt and Liis Vihul, “Respect for Sovereignty in Cyberspace,” Texas Law Review, Aug. 12, 2017.

[52] Kalev Leetaru, “Is It Hypocritical To Charge Russia For Hacking Yahoo When The US Does The Same Thing?” Forbes, March 16, 2017.

[53] Everett Rosenfeld, “US-China agree to not conduct cybertheft of intellectual property,” CNBC, Sept. 25, 2015.

[54] Franz-Stefan Gady, “Top US Spy Chief: China Still Successful in Cyber Espionage Against US,” The Diplomat, Feb. 16, 2016.

[55] Shannon Tiezzi, “China Decries US ‘Hypocrisy’ on Cyber-Espionage,” The Diplomat, March 28, 2014.

[56] Clifford Stoll, The Cuckoo's Egg (1989), p. 3.

[57] Timothy B. Lee, “How a grad student trying to build the first botnet brought the Internet to its knees,” The Washington Post, Nov. 1, 2013.

[58] Ibid.

[59] “30 years of risky business: A cybersecurity timeline,” Government Computer News, June 3, 2013.

[60] Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (2016), p. 95.

[61] Frontline, “The Warnings?” PBS, April 24, 2003.

[62] Ibid.

[63] Ibid.

[64] “The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63,” The White House, May 22, 1998.

[65] Frontline, op. cit.

[66] “The National Strategy to Secure Cyberspace,” Department of Homeland Security, February 2003.

[67] Harris, op. cit., p. 25.

[68] Ibid., Segal, p. 18.

[69] Damien McGuinness, “How a cyber attack transformed Estonia,” BBC, April 27, 2017; Segal, op. cit., p. 60.

[70] Ibid., Segal, p. 67.

[71] “U.S. Cyber Command (USCYBERCOM),” U.S. Strategic Command, Sept. 30, 2016.

[72] Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, Jan. 14, 2010.

[73] Alina Selyukh, “Long Before ‘WannaCry’ Ransomware, Decades Of Cyber ‘Wake-Up Calls,’” NPR, May 16, 2017.

[74] Ellen Nakashima and Joby Warrick, “Stuxnet was work of U.S. and Israeli experts, officials say,” The Washington Post, June 2, 2012.

[75] Ibid.

[76] Segal, op. cit., p. 124.

[77] Ellen Nakashima, “Newly identified computer virus, used for spying, is 20 times size of Stuxnet,” The Washington Post, May 28, 2012.

[78] Testimony of Dean Turner before the Senate Committee on Homeland Security and Governmental Affairs, Symantec, Nov. 17, 2010.

[79] Segal, op. cit., p. 5.

[80] Ibid., p. 6.

[81] Sydney J. Freedberg Jr., “Top Official Admits F-35 Stealth Fighter Secrets Stolen,” Breaking Defense, June 20, 2013.

[82] Harris, op. cit., p. xv.

[83] Ibid., p. 70.

[84] Ibid., p. 74.

[85] Ibid., p. 54.

[86] Segal, op. cit., p. 51.

[87] David E. Sanger and Nicole Perlroth, “Senate Approves a Cybersecurity Bill Long in the Works and Largely Dated,” The New York Times, Oct. 27, 2015.

[88] Holly Williams, “Russian hacks into Ukraine power grids a sign of things to come for U.S.?,” CBS, Dec. 21, 2016.

[89] Evan Perez and Theodore Schleifer, “US accuses Russia of trying to interfere with 2016 election,” CNN, Oct. 18, 2016.

[90] Scott Shane and Mike Isaac, “Facebook to Turn Over Russian-Linked Ads to Congress,” The New York Times, Sept. 21, 2017.

[91] Sari Horwitz, Ellen Nakashima and Matea Gold, “DHS tells states about Russian hacking during 2016 election,” The Washington Post, Sept. 22, 2017.

[92] David Jackson and Elizabeth Weise, “President Trump signs cybersecurity executive order,” USA Today, May 11, 2017.

[93] Gibbons-Neff and Nakashima, op. cit.

[94] Richard Lardner, “Defense Bill Calls Climate Change a National Security Threat,” US News and World Report, July 14, 2017.

[95] Henry Farrell, “Hackers have just dumped a treasure trove of NSA data. Here's what it means,” The Washington Post, April 15, 2017; Andy Greenberg, “The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days,” Wired, Aug. 17, 2016.

[96] Ibid.

[97] David E. Sanger, “Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say,” The New York Times, April 12, 2014.

[98] Harris, op. cit., p. 96.

[99] Ibid., p. 94.

[100] Ibid., p. 95.

[101] Sean D. Carberry, “What the PATCH Act doesn't do,” Federal Computer Week, May 26, 2017.

[102] Chris Bing, “Lawmakers introduce bill to shine spotlight on government hacking stockpile,” Cyberscoop, May 18, 2017.

[103] Nicole Perlroth and David E. Sanger, “Hacks Raise Fear Over N.S.A.'s Hold on Cyberweapons,” The New York Times, June 28, 2017.

[104] “Here's how the Internet of Things will explode by 2020,” Business Insider, Aug. 31, 2016.

[105] James Stavridis and Dave Weinstein, “The Internet of Things Is a Cyberwar Nightmare,” Foreign Policy, Nov. 3, 2016.

[106] Bruce Sterling, “Spime Watch: The Fact Sheet For The Internet Of Things Cybersecurity Improvement Act Of 2017,” Wired, Aug. 11, 2017; “S.1691 — Internet of Things (IoT) Cybersecurity Improvement Act of 2017,” undated.

[107] Nicholas Weaver, “The Internet of Things Cybersecurity Improvement Act: A Good Start on IoT Security,” Lawfare, Aug. 2, 2017.

[108] Stavridis and Weinstein, op. cit.

[109] Ibid.

[110] Cory Bennett et al., “Cash-strapped states brace for Russian hacking fight,” Politico, Sept. 3, 2017.

[111] Segal, op. cit., p. 17.

[112] Harris, op. cit., p. 118.

[113] Josephine Wolff, “When Companies Get Hacked, Should They Be Allowed to Hack Back?” The Atlantic, July 14, 2017.

[114] Chad C. Serena and Colin P. Clarke, “America's Cyber Security Dilemma — and a Way Out,” Defense One, Dec. 22, 2016.

About the Author

Patrick Marshall, a freelance policy and technology writer in Seattle, is a technology columnist for The Seattle Times and Government Computer News. He has a bachelor's degree in anthropology from the University of California, Santa Cruz, and a master's degree in international studies from the Fletcher School of Law and Diplomacy at Tufts University.

Document APA Citation
Marshall, P. (2017, October 6). Cyberwarfare threat. CQ researcher, 27, 821-844. Retrieved from
Document ID: cqresrre2017100600