‘Tis the season for cybersecurity lists! Attending Mass in the run-up to Christmas, I was struck as I always am this time of year by the emphasis in the Christmas Story on the overlooked, marginalized, and victimized in society… and the impact those supposed nobodies can have on the world.
Reflecting on that Christmas spirit I put together a list to share with you of the most overlooked, but impactful, risks to cybersecurity in the U.S.:
Small businesses – As we learned from the FBI this year, foreign militaries are already targeting hundreds of thousands of routers used in home offices — compromises that create the infrastructure for future hard-to-stop, distributed, disruptive attacks on critical networks and that afford foreign rivals the opportunity to spy on and destroy selected private companies. Neither the United States Government, with its focus on its own networks, nor the private sector, with many of the technology solutions that could stop nation-state hackers priced beyond what small businesses can afford, has addressed these threats adequately. Imagine the impact on U.S. security of widespread cyber attacks on the mom-and-pop trucking companies on which Transportation Command relies to move military equipment within the United States for global deployment. A commercial problem for the average citizen, easily multiplied in cyber operations, can quickly become a nationwide security problem.
AI as an Offensive Weapon – Many electrons have been ‘spilt’ on stories about the impact artificial intelligence could have on employment, manners, and nuclear warfare. Few have realized that artificial intelligence, or at least the machine learning algorithms undergirding that research field, is likely already being deployed by cyber threat groups. As with the business model of many Silicon Valley giants, the more data they aggregate, the more connections, and hence the more value, each additional stolen record provides when correlated with all the others. No wonder China has turned to large-scale theft of healthcare records, telecommunications backbone compromises, and cloud hosting hacks.
Public transportation – Ever a target for political protest, public transit (like the advanced railway systems in Asia and Europe) is likely to see increased attention from nation-state hackers hungry to embarrass a hated rival or gain military advantage. The techniques to go after these systems, from disabling ticketing to affecting track control, are well known to researchers. As with cyber attacks on the electric grid, the big hurdle to get over is willpower, not technical know-how.
Coordination – As I highlighted in my September testimony to the House Homeland Security Committee, coordination during emergencies caused by a cyber attack is one of the weak points in current resiliency planning. If a cyber attack takes out a commercial system that does not affect passenger safety, for example, but does prevent planes from taking off — pilot flight planning software, or baggage handling — who is in charge of getting the bad guys out of the system and planes back in the air? What if the attacker is a foreign military? Across many industries these assumptions are still not tested until a real-life event occurs.
Software supply chain – FireEye has seen more instances over the last year of a cyber threat group gaining access to a target network by compromising the integrity of a software supplier than we did in the entire previous decade. By changing source code at a trusted company, or using its update process to forcibly download malware onto targets, cyber threat groups have hit upon a successful and very hard-to-stop model: If you can’t get past the defenses of your target, try getting past the defenses of one of their suppliers. The U.S. Department of Defense has rightly made supply chain risk analysis an increasing focus for its contractors, and the same lesson applies broadly for corporate customers.
Mobile – A colleague recently joked that everyone predicts more mobile targeting every year, and he’s right! But I’m still concerned. In the United States, as important as mobile devices are, we still have a wide variety of ways of accessing digital content: smart speakers, tablets, even old-fashioned laptops and desktop computers. For much of the developing world, cell phones might be the only way of getting online. Cyber threat groups working for law enforcement and security services in Southeast Asia, sub-Saharan Africa, and Latin America are no doubt focused on developing exploits for mobile devices. As their cyber programs mature, expect threats that today are being deployed elsewhere to come home to roost in Europe and the United States.
Threats to foreigners in the U.S. – Governments want to keep tabs on potential troublemakers and future leaders, or sometimes to outright silence critics living under protection in the United States. It’s important that permanent residents have protections under the U.S. Constitution, and they should not have to surrender them in cyberspace. We should also realize that even when more temporary visitors are targeted, the erosion of their rights is a concern for all Americans who might find themselves targeted in a similar way down the road.
Religious institutions – For many in the security industry, public attention to seemingly novel cyber risks often arrives years after we start seeing them happen. Often it is only when there is a large political impact that those concerns become widespread outside industry. Targeting of churches, synagogues, and other houses of worship and affiliated charities in the U.S. feels that way to me: something everyone knows is going on, for profit or political gain, but that has not received much attention from the U.S. Government as a priority to defend against. Hopefully it will not take a high-profile incident to make defending these First Amendment rights as much a priority in cyberspace as they are in other aspects of our civic life.
Data manipulation – Most cyber attacks injure either the confidentiality or the availability of data. That is to say, they are either spying on or disabling some system. But there is of course another option: attacks on integrity. If you found out your bank records had been remotely altered, even in some small way, say… 18 months ago, how would that change your perception of the safety of keeping your money in the bank? What if 1 percent of the bottles of some over-the-counter medication had the formula altered to change efficacy; how would that affect your trust in the medical system? Being subtle, these operations are hard to detect, harder to prove, and leave a lasting stigma of distrust and conspiracy even if caught. Already we see some criminal groups engaging in this sort of activity to modify gift cards and other forms of petty cyber larceny, which means that more sophisticated operations and nation-state challenges won’t be far behind.
And just to end on a positive note, since it is Christmastime after all, I will offer one overlooked reason for optimism:
Cyber diplomacy – The Trump Administration has called out Chinese theft of intellectual property in ways that make a lot of sense given what we are seeing in the private sector. But while Chinese operations to steal military technology are an age-old problem, and a reckoning with their system of inducing transfers of intellectual property was probably overdue, it is also worth remembering that the bilateral agreement Presidents Xi and Obama reached in September 2015 to curtail theft of intellectual property accomplished its goal well: a greater than 90 percent reduction in theft of purely commercial technology directly by cyber means. While very narrow in aim and still leaving much malicious activity unaccounted for, the agreement was effective in changing China’s behavior for the better, and policymakers have been well informed of potential new threats under its framework. I am therefore optimistic that continued emphasis on cyber diplomacy, both to support and act alongside allies in confronting shared dangers and to reach peaceful, cooperative agreements with rivals like the one reached with China, could provide lasting cybersecurity for Americans as conventional and nuclear arms treaties have before.
Christopher Porter is the Chief Intelligence Strategist of cybersecurity company FireEye and a Nonresident Senior Fellow at the Atlantic Council.