Cyber Security in a Bunch of Nutshells

by Stephen Bryen

I spoke today, June 27th, 2018, to the Washington Program on National Security, a program of the Alexander Hamilton Institute for the Study of Western Civilization. The Program is led by Dr. Juliana Pilon and affords top students a chance to learn more about national security from practitioners and scholars in Washington DC. My talk was on Cyber Security.

Below please find the “highlights” of my talk, which (for want of anything better) I am calling Cyber Security in a Bunch of Nutshells.

Cyber Security in a Bunch of Nutshells

Key Arguments

Cyber security has been consistently approached the wrong way and the results are evident in the form of escalating attacks and a high success rate of raids on vital national security data

Cyber technology helped win the Cold War and despite a significant erosion of American leadership, the US continues to be the world leader in cyber capability

Much manufacturing technology and cyber know-how has gone abroad, with the greatest danger being China, because it now has the technology industrial base to develop advanced weapons and to carry out tactical and strategic cyber attacks

The US has done almost nothing to arrest the transfer of sensitive technology outside its borders

Complicating the picture is the fact that American military power is resting heavily on commercial technology including hardware, firmware and software, making the US far more vulnerable than common wisdom would find acceptable

Compromises of essential cyber technology put heavy pressure on a less-than-efficient defense acquisition system that often wastes billions on projects that have little chance of success or that don’t fulfill vital defense needs

As a result of defense information compromises, important equipment has been reduced in effectiveness if not made obsolete, much of this because of failures in computer networks, data depositories, etc.

Concomitantly there also is a deterioration in civil norms as privacy has been monetized and even biometric information has been put into hostile hands

Vulnerabilities in cyber systems have opened the door to criminal organizations, encouraged unfair competitive practices, compromised intellectual property, and interfered dramatically in democratic processes, thereby endangering the survival of the US Constitution

We are almost to the point, if we have not already crossed the Rubicon, where the Constitutional model is either already in or approaching failure mode, because it was designed before internal and external adversaries could exploit its operation and its elegant concept of “checks and balances.” In simple terms, cyber is so pervasive and so potentially exploitative in nature that it can blast apart the system of checks and balances, forcing national security institutions to set up star chamber operations (such as the FISA court) in order to attempt to protect the existing political system. Unfortunately these measures also stress the republican form of government of the United States and can lead to political and systemic destruction

Adversaries are carrying out different forms of cyber war, ranging from harassment operations, disinformation campaigns and thefts of national security information all the way to testing more comprehensive attacks on the critical infrastructure as part of a larger war fighting or denial scenario

Some cyberwar exercises have been carried out against other countries such as Ukraine, South Korea, Japan, Estonia, Georgia, Israel, the UK, etc. Many attacks are attributable to operations by Russia and China, but others have been launched by North Korea, Iran, Syria and by terrorist organizations from many locations. Typically these attacks target the critical infrastructure, the disruption of military operations, and disinformation or “fake news” aimed at political or military leaders. A leading target has been financial institutions, including national banks. In Ukraine and South Korea attacks have been launched, with some partial success, against energy assets, particularly power plants.

Western states have also launched cyber attacks against certain adversaries; the most famous was the US-Israel attack on Iran’s centrifuges used to make weapons-grade uranium. The mechanism known as Stuxnet was a clever and relatively effective “one time” exercise designed to placate the Israelis, who were demanding military operations against Iran.

Typically the US has held off on cyber retaliation for a number of reasons, including (a) legal impediments, (b) difficulty in clear attribution of source, (c) loss of exploitable cyber assets and (d) lack of political will to properly react to attacks

There are operational and bureaucratic reasons that US institutions are resisting any major overhaul of cyber security. These include a desire to keep commercial systems exploitable, to continue to “watch and assess” the “enemy,” and to retain the ability to crack the systems not only of current-day potential adversaries but also of allies and friends. President Reagan’s idea of “trust but verify” applies to allies even more than adversaries

The US is rapidly losing all of its military secrets, including weapons of mass destruction know-how. While not typically reported because of their huge sensitivity, incursions on WMD capabilities, particularly nuclear weapons, are a major issue and put the US and its influence at considerable risk

The most important short term step is to harden the domestic critical infrastructure starting with the government and military. There is no sign that anything significant is being done to accomplish this goal except the usual “chase your tail” system of too-late security measures after the fox has left the chicken coop.

The secret to being able to safeguard US military and defense systems is not to shift important data assets to the commercial cloud as a solution. This only changes the equation from a multiple-point-of-entry paradigm to a single-point-of-destruction paradigm.

The real solution is hardware, firmware and software running in an entirely encrypted environment, isolated from the Internet and using operating systems and communications protocols that do not exist in the commercial space. The system as envisaged would be highly compartmented, operate on a need-to-know basis and be accessible only to properly vetted, cleared workers. The cost of building such a system is trivial compared to the losses endured on a daily basis by US defense systems.

Today there is minimal political will to protect the US critical infrastructure other than the “usual measures” (sort of like the “usual suspects” in the 1942 film Casablanca).