“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”

 

-President Barack Obama

 


The False Promise of Hacking Democracy

“Probable impossibilities are to be preferred to improbable possibilities” It is immensely convenient to claim that a Federal election can be hacked; however, the reality of hacking such an election is far more difficult than one might realize. The level of complexity in the US electoral process is such that to hack the election would require a combined feat of technical and social engineering requiring tens of thousands of co-conspirators operating across hundreds of jurisdictional boundaries with divergent laws and practices. Having worked in democracy development for the better part of 10 years on elections in several dozen countries, the state of American electoral security is strong because of its immensely decentralized nature. In a case where the bewildering and often arcane complexity facilitates inefficiency, it is this inefficiency that coincidentally fosters systemic resilience. It is the organizational attributes of a national election run by state and local authorities that make the United States a poor target for any malicious actor attempting to directly affect the polling places where Americans cast their ballots. To understand why the United States is so resilient to malicious actors seeking to manipulate a national election requires understanding the nuances of federal, state and local roles in the execution of a national election. One of the best sources for understanding the complexities of the American voting process was produced by a 2014 Presidential Commission. The commission deconstructs its recommendations and thereby provides insight into the electoral procedures of states by examining issues about voter registration, access to polling locations, the management of polling places, and the technology of voting itself.[i] It should be noted... read more

Enter the Policy and Legal Void

Soldiers are down range and have suites of tools available to them that they cannot use to their full capability. They are not technically limited, but rather constrained by the authorities and prerequisite policies established in a pre-digital age. We tell them to go and defeat ISIS, al-Qaeda, or pick another future adversary, but they must do so with their hands tied behind their backs. Make no mistake, as a nation we are currently involved in a global conflict. The conflict is not defined by traditional weapons, but by bits and bytes traversing fiber lines and airwaves. This global information war collides with many of the values of Western Democracies, and the societal constraints of authoritarian regimes. The robust constraints on governmental instruments serve a valuable purpose, yet at the same time our Soldiers in the field are struggling to navigate complex legal and policy waters while corporations are drowning in data that might inform or provide context for a variety of mission sets. The volume and velocity of this data is only set to grow as globally the number of Internet-enabled devices increases from approximately 17 billion to 50 billion and beyond. At the beginning of the digital age it is imperative that we, as a society, begin discussing the future we are rapidly entering. Constraints are pivotal for maintaining the fundamental civil rights Americans cherish. Civil rights, to include various liberties such as privacy, free speech, and freedom of religion among others, are challenged by data repositories that eliminate anonymity and the ability to be forgotten and to forget. Yet, we as a society are... read more

Sticks and Stones – Training for Tomorrow’s War Today

‘I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.’ – Albert Einstein Technology is great, when it works the way we want it to. Over the last couple years it seems the ever-mounting stream of hacks could leave even the most stoic of technologists cringing. As researchers at the Army Cyber Institute at West Point, our task is to be forward thinking and anticipate the hill after next. We are one part of the Army’s robust effort to address cyberspace issues of today and tomorrow. Along with our cross-service and cross-agency partners we are making progress: we are working our way through a highly disruptive era in technology and politics to find solutions ensuring the security of the United States. At the same time, as we step forward into the complexity of a fully integrated future, we must not lose sight as a military of the fundamentals of fighting and defending the security and interests of the nation. The more the tools and gadgets of modern warfare are challenged by state and non-state actors, the more critical it becomes that our men and women in uniform maintain the fundamental skills of warriors from previous generations. Networked warfare and cyber warfare are but two of many catch phrases of the last couple of decades rising to prominence. These are concepts that we must continue to build on to improve our precision, coordination and efficiency as defenders of the nation’s security and interests. Yet despite these advances, the US military must also be prepared to operate in a... read more

Cybercrime and State-sponsored Cyber Operations

Adversarial countries’ cybercrime and state-sponsored cyber operations could easily be the same coin – just different views. The reason is very simple. Cyber criminals are specialists in luring people to disclose their secrets and open doors to user accounts to allow the perpetrator to use the access for their purposes. If a country adversarial to the US houses cyber-criminal activity that targets the US while the country itself pursues innovative ways to gather intelligence about the US, it is likely that someone sees an opportunity. Most countries adversarial to the US, if not all, are flavors of totalitarian regimes. Rules, laws, and international agreements are all arbitrary as long as it fits the ruling elite. Totalitarian states tend to see the state interest as the overruling interest. It is more logical for a totalitarian state to use cyber-criminal activity as a tool to acquire knowledge about social-engineering methods and use the aggregated knowledge from the criminal syndicates instead of suppressing their activity by law enforcement. As long as the cybercrime activity is not targeting the adversarial country’s own population, it is likely accepted as a “business endeavor” as long as they support the state with information. We tend to assume that other countries follow our code of ethics, legal reasoning, and separation of legal and illegal activity, but not every state complies with these standards. The usage of cybercriminal aggregated information gives not only knowledge about US account holders, but is also a major knowledge transfer from the criminal sector to the agencies that operate state-sponsored cyber operations. From a totalitarian state perspective it makes sense – as long as... read more

No-Hack Pacts – Beijing Assumes a Global Leadership Role

While largely recognized as the most pervasive actor engaged in cyber espionage activity for both intelligence collection and commercial espionage, China has recently entered into several “no cyber-enabled commercial hacking” agreements with major governments, efforts that have culminated in the 2015 “no hack” pledge by representatives of the G20. By demonstrating its willingness to work with other governments on this issue, China is promoting itself as a global leader in cyber security while downplaying its suspected involvement in previous espionage activity. Introduction Following up on its historic “no-commercial hack pact” with the United States, China has entered into a similar agreement with the United Kingdom and is working on a similar deal with Germany. Capitalizing on these developments, in November 2015, senior level representatives of the G20 pledged not to engage in cyber-enabled economic espionage to support their respective commercial interests.[1] While it seemed highly improbable that common ground was going to be able to be reached between East and West, in a span of months the leading economic powers, as well as some of the more offensive capable cyber states, identified that cyber espionage for financial advantage was a line that all agreed not to cross in the future. Beijing’s position in each of these endeavors projects the image of a country looking to downplay its previous suspected cyber espionage activities by promoting no hack agreements to demonstrate its commitment to preserving stability in cyberspace while assuming a leadership role from which it will help influence future cyber decisions of the international community. China as Global Cyber Security Leader While seemingly groundbreaking, this is not the first... read more

Putin’s Cyber Strategy in Syria: Are Electronic Attacks Next?

The past few weeks have seen a remarkable shift in Syria. Russian fighter jets are bombing opponents of Syrian President Bashar al-Assad.[1] At least a few thousand Russian soldiers are now on Syrian soil.[2] And the Obama administration is scrambling to re-calibrate its policy positions toward Syria in light of these developments. Yet there is good reason to suspect that Russian plans for Syria go beyond the mere presence of conventional military forces. For the United States to begin managing the Russian presence in Syria effectively, it will soon have to come to terms with the prospect of Russian cyber attacks in Syria, as well. Russia has refined a flexible template for its military incursions into other states in recent years. This template incorporates a prominent role for cyber attacks. The template consists of two general phases which can overlap chronologically in their execution. In the first phase, Russia launches a barrage of cyber attacks against the target nation. This is done in order to slow or disable the communications systems of the target nation, hamper coordination among the target’s defense forces, and potentially mask the movement of Russian troops and equipment. The second phase is the actual movement of Russian forces into the target nation itself. Cyber attacks may continue during this second phase, or gradually taper as Russian military forces become established inside the target nation. Moscow successfully used the first phase of this template during a wave of cyber attacks on Estonia in 2007.  In April of that year, Estonian officials angered many Russians when they moved a controversial Soviet-era war memorial from the center of... read more

The New 2015 DoD Cyber Strategy – General Alexander Was Right

The reports on the new Department of Defense (DoD) Cyber Strategy were typical; each highlighted what was put in or left out of the document in accordance with what their authors wanted to report. On the whole they hit the mark in pointing out that this 2015 cyber strategy was more transparent, emphasized deterrence and innovation, and that DoD would partner for a “whole of government approach.” Presumably this is what the DoD, and this Administration, wanted. Some reporters were surprised that offensive cyber operations were mentioned. Some were disappointed that transparency did not include revealing or confessing past cyberspace operations. And still others stayed mainstream by focusing on the themes of transparency, deterrence and work force development. What was really interesting, however, was what was missed: that General Alexander had it right all along. DoD has a larger role defending the homeland and private companies than has previously been officially acknowledged. In the past, there has been a fierce debate in the Inter-Agency regarding the role of DoD in conducting computer network defense. Was it better situated to defend not only DoD but the government as a whole and even the private sector against cyber-attacks? Adding to the debate was the fact that there are definitions galore. Definitions not only of what is a cyber-attack, but also what constitutes cybersecurity, defense, exploitation, incident, intrusion, significant incident. The terms went on, as did the arguments over the roles of various government agencies involved in cyberspace operations. Of all the advocates in this melee, stories and “rumor intelligence” were well reported that General Alexander (then Director of the NSA... read more

Organized Cyber Crime: Comparison of Criminal Groups in Cyberspace

Abstract Technology has provided ease in accessing media, financial markets, and global communication. Society and criminals have benefited from these same developments in technology, causing an increase in cyber-criminal activity. In 2014, McAfee estimated that the cost of global cybercrime is 0.8% of global GDP,[1] making cyber crime a national and international security threat. The Russians, Nigerians, Ghanaians, and Chinese are some of the best-known cyber criminals, and while groups use similar tactics, their motivations, organizational structures, and culture differ. In analyzing why individuals and organized criminal groups participate in cyber crime, and the culture and history behind the groups, policy makers and the international community can make more personalized approaches in combating transnational cyber crime. Right now there are many difficulties in combating cyber crime including attribution, lack of international cooperation, and limited resources in law enforcement. Cyber crime is becoming accepted as the ‘cost’ of doing business online, with stakeholders underestimating the impact it has on security, economy, and innovation. Unless the barriers to entry and cost for cyber criminals are raised, cyber crime will continue to threaten international security, economic growth, and technological innovation. ORGANIZED CYBER CRIME: Comparison of Criminal Groups in Cyberspace Technology has allowed users worldwide an ease of access from online banking to instantaneous communication via email or phone. Criminals have also benefited from those same technological innovations, giving them a greater access to victims and targets, worldwide communication, and minimizing attribution. Cybercrime is an area that has flourished, as it requires little resources, no traveling, and a skill set that is readily available to learn. This has made cybercrime a serious threat... read more

Ambiguous Deterrence

The ratification of a pledge for joint defense in case of a major cyber-attack at the 2014 NATO Summit is a major step forward. Under this pledge a significant cyberattack on any NATO nation would be constitutive of an attack on all of them. While it is hoped that the vague framing and uncertain capabilities of each NATO member will facilitate deterrence through ambiguity, it should be noted that deterrence only works when that ambiguity is backed up by a command structure capable of a timely and organized response. As President Obama and other NATO leaders are redefining and reinvigorating strategy for the alliance it should be noted that the problem lies less in an ability to pledge for mutual defense than it does in the ability to organize and provide for that same defense. As recently as February 2013 the Government Accountability Office released a report on National Strategy, Roles, and Responsibilities and found that many of the major problems faced with regards to cybersecurity for the United States have less to do with capabilities and more to do with responsibilities. Large-scale cyberattacks such as Estonia 2007 or Georgia 2008 cross civil-military/private-public boundaries. Although policy-makers, think tanks, and academics have been working furiously to establish policy and write strategy documents, the fact remains that the United States remains woefully unable to respond to a significant cyberattack largely due to a failure to assign responsibilities and jurisdiction. The ramifications associated with failure to assign responsibilities and jurisdictions are public knowledge and have been demonstrated in a wide variety of simulations. The Bipartisan Policy Center conducted a major cyber incident simulation in... read more