On May 6, the media was full of warnings about an immediately pending cyberattack called “OpUSA.” Homeland Security said “The attacks will likely result in limited disruptions and mostly consistent of nuisance-level attacks against publicly accessible web pages and possibly data exploitation.” This seems a bit late in coming, as the OpUSA threat was made on the Web weeks ago. The threat statement online listed 140 banks as targets and rambled on about U.S. war crimes in Iraq, Afghanistan, and Pakistan. The government said that the attack would come from “Anonymous-linked hactivists in the Middle East and North Africa.”
This government action should strike one as comical. What kind of cyber defense is the announcement that there is going to be an attack that no one can keep from happening? Unless we had a mole among the attackers, we wouldn’t know what the technical means the attackers were using until after they attack. If we did have a mole, what would be the point of announcing the information publicly? The hackers would just change their modus operandi. I guess DHS has to show that it’s doing something.
The OpUSA warning is an excellent example of where we stand vis-à-vis cybersecurity. There is no technical defense prior to cyber attack unless the attacker uses the same means twice. No serious (or even casual) attacker would do that. The great bulk of the public discussion of cybersecurity remains in the realm of defense, nonetheless.
All sorts of commentators have moved on to the theoretical notion of cyber offense as the only cyber defense. Cyber offense means finding out who attacked one and neutralizing the attacker, either electronically or by other means. However, no one in the U.S. is committing cyber offense. The private sector is barred by law from going after attackers. It has the motivation and means to do it, but those things can’t be utilized. The private sector would like the government to commit cyber offense on its behalf. The government, for its part, may have the expertise, but it’s stuck in the rut of only gathering and aggregating information on private sector cyber attacks.
Remember that the government wishes to rely on private sector for reporting if it’s been attacked, after which the government will (a) tell you and others that you were attacked and (b) perhaps what to do if the exact same attack occurs again, which it never will.
If the government is still at step one of cybersecurity--information sharing about attack--it appears that it cannot even manage that. On April 18, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). It was dead on arrival in the Democratic Senate, due to White House opposition.
You’ll hear various explanations for this. CBS News says “because language in its current draft suggests that companies like Facebook, Google and Twitter, share information with the federal government without a warrant.” Huffington Post says that the House bill doesn’t “sufficiently protect privacy and civil liberties, ensure that a civilian department--not an intelligence agency--is the primary point of entry for cybersecurity information sharing, and provide narrowly tailored liability protections that would allow the private sector to respond to threats.”
The Hill says “the final version of the bill did not satisfy the White House's key principles because it would allow companies to share cyber threat information directly with the military, including the National Security Agency (NSA), without being required to remove personal information from that data first.” The Hill also says that the current bill doesn’t require companies to remove information on the identity of a specific person before sharing the threat information: “CISPA requires the government to strip that personal information from the cyber threat data it receives from companies instead.”
What does the White House’s objection (and, therewith, the Democratic Senate’s) really come down to? At whose expense personal information would be removed from attack reports, the government’s or the private sector’s? Apparently so. Billions of dollars at stake and we can’t figure out how to do information sharing, which, in itself, is no defense against cyber attack.
Given our performance with regard to CIPSA (which was rejected twice last year, too), it’s hard to get enthused about May 7th’s bipartisan Senate proposal to fight cyber theft, the Deter Cyber Theft Act, sponsored by Carl Levin, Jay Rockefeller, John McCain, and Tom Coburn. Levin said we need to hit those who commit cyberespionage in their wallets, “by blocking imports of products or from companies that benefit from this theft." Reuters says that the law would require an annual report listing the countries involved in cyberespionage and detail the kind of data the perpetrators were stealing. These lists could lead to the president blocking imports of certain products from those countries.
This would be a step in the right direction.
The trouble is one cannot be sure how the White House would react to the push to take such reprisals against offenders. All of its actions regarding the Chinese cyberthreat have been “let’s talk” timid. Yes, the administration has more than acknowledged China’s depredations, but that’s really as far as things have gone. The Chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, recently visited with Chinese general Fang Fenghui, and talked about setting up a cybersecurity “mechanism.” What does that mean? This seems to indicate that the administration is less interested in getting China to stop cyberattacks than it is in finding a compromise where no compromise ought to be seen as an outcome favorable to the United States. Remember: The Chinese want to regulate the Internet.
Since tougher administration rhetoric regarding China and cyber in March, the Chinese have done nothing to mitigate criticism. This was acknowledged in a May 6 Pentagon report openly blaming some Chinese cyber attacks directly on its government and military. The report also said that Chinese espionage “was designed to benefit its defense and technology industry into U.S. policy makers’ think about China.” Commentators have noted that the administration has never been this forthcoming before. They don’t particularly notice that there’s nothing new in the report that people who follow cyber haven’t known about for years. Actually, the report was far more interesting on Chinese investments in new ships and anti-access military systems aimed at keeping enemy ships out of any particular area of the sea.
And, by the way, if the Defense Department is so concerned about Chinese penetration of U.S. defense systems, as the report suggests, then how does it explain its recent $10.6 million contract with the Chinese for a year’s use of their Apstar-7 satellite for data communications purposes?
Meanwhile, there’s more bad cyber-related news in the financial sector. The recent hacking of the Associated Press that caused a tweet to go out reporting on explosions at the White House, while put down as an “annoyance” by the media, apparently instantly wiped $136 billion off the Dow Jones Industrial Average. The Dow came back, of course, but so what? It illustrates what cyber attack can do to the market, even if it’s not an attack on the market per se. Apparently, the AP attack was the work of the Syrian Electronic Army, by the way.
And then there’s the new SEC trade-tracking computer system, which is purportedly designed to insulate the market from things like flash crashes caused by High Frequency Trading and hacking remains a system that report trades the next day instead of in real time. SEC Commissioner Mary Shapiro broke a 2-2 commission deadlock in favor of next-day reporting, ostensibly because the real-time version would be too costly. As Constantine von Hoffman has said, the market is now protected thus: “1) See horse in barn; 2) see horse leave barn; and 3) go close gate.”
So where are we on cybersecurity, and not only regarding the vulnerabilities of the market? At the point of being able to close the barn door when the horse has a mind to bolt.
Ken Jensen is associate director of the American Center for Democracy for its Economic Warfare Institute.