Every year, the US Director of National Intelligence submits to the Senate Select Committee on Intelligence a lengthy brief on the intel community’s calculus of the dangers confronting the United States. It’s called the Worldwide Threat Assessment, and it’s the go-to source for security experts. Five years ago, in 2012, then-DNI James Clapper reported:
“Although I believe that counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns, it is virtually impossible to rank — in terms of long-term importance — the numerous, potential threats to US national security.”
The following year, 2013, is thus a marker, because that’s when the Director of National Intelligence elevated cybersecurity to the undisputed top threat America faces, a standing it has retained in each assessment since, including the one submitted in May by Dan Coats, DNI in the Trump administration.
In Coats’ estimation, cyber criminals and cyber warriors are this generation’s public enemy number one.
“Our adversaries,” Coats testified before the Intelligence Committee, “are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.”
According to Cybersecurity Ventures, a cyber research and market intelligence company, cybercrime costs, which totaled $3 trillion in 2015, will reach $6 trillion by 2021.
“We’ve reached the point where companies need to have their own defense budgets,” says Justin Smith, chief security officer for San Francisco-based Pivotal Software.
“Companies are going to have to balance cost versus risk, but in the end, not spending enough on security is always going to end up costing you.”
The explosion of ransomware, as illustrated by the WannaCry contagion that infected hundreds of thousands of computers across the globe in May, is but one alarming trend; the FBI is warning of the increasing availability of malware delivery systems, and those systems’ ability to cause widespread havoc.
“It is getting easier for the bad guys,” says FBI Supervisory Special Agent Jay Patel. “The reason why it’s getting easier,” Patel told Site Selection in a late June interview, “is because you don’t have to create your own botnet anymore. You can just rent one. So, you can use the botnet to deliver the malware on a massive scale. Once you have the botnet and you have the malware, you can get very creative with what you want to do, and that’s what we’re seeing right now.”
Worst Case Scenarios
Geopolitical considerations emerge. In his 2016 book The Industries of the Future, Alec Ross a technology policy expert and former State Department official, writes that the advancement and weaponization of technology has changed the rules of how nation-states and individuals interact.
“Cyber combat is a distinctly 21st century form of conflict, and the norms and laws that were developed in prior centuries simply do not apply. The weaponization of code is the most significant development in warfare since the development of nuclear weapons.”
Ross recalls the landmark 2010 cyberattack that originated in China, in which hackers stole information from 34 U.S. companies, including Google, Yahoo, Symantec and Northrop Grumman.
“It is only a matter of time,” writes Ross, “before some hotshot group of engineers recognizes and stalls a cyberattack and, instead of calling law enforcement or some other part of the government, launches a counterattack against the aggressor. Would China have considered this an attack or some other form of invasion? It might have.”
Pivotal’s Smith agrees that danger exists, and cites attempts by congress to pass “hackback” legislation that would allow individuals and companies to strike back at their attackers.
“So you actually have a company that, maybe with congressional backing, has the right to start a war. That is unprecedented.
“I worry about mob mentality,” Smith tells Site Selection. “I worry about sort of a strange amplification and witches’ brew of what is real news, what is fake news, what is a cyberattack, and who’s actually pulling the strings. Attribution,” says Smith, “is extremely difficult to do in a cyberattack. So, when we say it’s ‘actor X, or actor Y or actor Z’, we can very easily start a conflict without a whole lot of proof. It’s very dangerous.”
This is not to mention that the Senate Select Committee on Intelligence Committee, and now a Special Prosecutor, are investigating claims of alleged hacking by Russia to influence the US presidential election, a charge former Vice President Dick Cheney has called an “act of war.” In testimony before the Intelligence Committee June 8, James Comey, the former head of the FBI fired by President Trump in May, said that Russia had not only intervened in last year’s election, but would try to do it again.
“They’re going to come for whatever party they choose to try and work on behalf of. And they’re not devoted to either, in my experience. They’re just about their own advantage. And they will be back.”
“… despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.”
Acknowledging for the first time June 1 that “private” Russian hackers may have inserted themselves into the 2016 presidential race, Russian President Vladimir Putin nonetheless denied any involvement of his government, and mused that hackers “are like artists who choose their targets depending how they feel when they wake up in the morning.”
In his Senate testimony, former FBI director Comey starkly disputed Putin’s denial.
“They [Russia] did it with overwhelming technical efforts, and it was an active-measures campaign driven from the top of the government,” Comey stated. “That’s about as un-fake news as you can possibly get.”
Time to Re-think Cyber Security
In a study released in May, ISACA, a global non-profit network that advises companies on cyber-related issues, found that actually fewer companies increased cyber-security budgets in 2017 than in 2016. According to the Cybersecurity Market Report, published by Cybersecurity Ventures, global spending on cybersecurity products and services defending against cybercrime is projected to exceed $1 trillion between 2017 and 2021.
“My personal feeling,” says Rob Clyde, a long-time cybersecurity executive and vice chair of ISACA, “is most organizations are not yet spending enough, or if they are they might be spending it in the wrong places.
“Companies are going to have to balance cost versus risk,” says Clyde, “but in the end, not spending enough on security is always going to end up costing you. Not to meet that balancing point would be a mistake. Large organizations should look at cyber insurance as well.”
The FBI’s Patel agrees that companies will need to think deeper and smarter in the new age of cyber warfare.
“I’ve done multiple cyber intrusion investigations, some criminal and some national security,” says Patel. “The common theme that I saw was organizations do a very good job at investing money in the basics, the firewall, an intrusion detection system. Most organizations have a cyber employee training program where they train their employees on basic cyber security. But then, sometimes they tend to throw money at the problem. They say ‘Here’s the trending problem, we’re just gonna throw money at that problem hoping it’s fixed.’ But we can no longer do that. It’s no longer IT security or the CIO’s problem — now it’s an enterprise-wide problem.”
Pivotal’s Justin Smith is more urgent on the state of threat and the measures needed to combat it.
“People don’t change because it’s convenient. They change because they got hit in the ass with a lightning bolt. So, I think there’s going to be an event that’s going to lurch things forward quite a bit. I can’t see how more WannaCrys are going to create much change. My fear is we don’t get in gear until something hurts the economy. I think,” says Smith, “we’re going to have to take a pretty serious bullet.”