(From left) Arthur W. Coviello, John Kao, Jody Westby (all photos by Asa Mathat)
Mark Anderson (l) and Arthur W. Coviello
Arthur W. Coviello
Executive Vice President, EMC Corporation
Founder and CEO, EdgeMakers
Chief Executive Officer, Global Cyber Risk LLC
Founder and CEO, Strategic News Service
As society relies ever more on the Internet, cyberwar and its unpredictable consequences has become our 21st century bogeyman. And the country most responsible for letting this particular genie out of its bottle, as with another frightening weapon back in the 1940’s, appears to be the United States. Can there really be winners in a cyberwar? Read excerpts from the discussion below.
Anderson: There really are at least two, if not 50, large-scale separate divisions of concern about cyberwar or cyber attacks. And those are, in simple terms, economic and military. And you often read about the military side of this, in the sense of Iran or Stuxnet and so forth, and I’m sure we’ll talk about these today. Less often do you read about the economic part of it. I think mostly because it’s a more complicated story.
If you look around the world today at the major players in the post-information age, it’s easy to say that technology drives the economy. Obviously the primary asset of technology is IP—it’s intellectual property. So we can look at intellectual property, we can try to imagine where is it created on a daily basis and how does it move. And if you have that map in your mind, a global map of that in your mind, put big red arrows where it’s invented and where it moves—whether it’s moved by theft or moved by dislocation somehow, by, it could be spying, it could be purchase, it could be forced disclosure. Whatever it is, that map is the best map I know of to predict wealth in the future.
In 2007, Jonathan Edwards, who was then the head of GCHQ in Britain, sent a letter to all 300 of the top CEOs in Britain, in which he said, if you believe that your crown jewel IP is still safe, you are mistaken.
In fact, I believe it’s possible now, at this advanced stage of the game, for that level of economic parasitism to exist that would actually slow down the global economy.
Westby: I really believe that we should have some geo-cyber stability. And there are four basic premises, and one is that I believe a certain amount of critical infrastructure should be declared sacred and off limits for attack. And people can say, well, gee, that’s pretty bold, how could we possibly do that? Look at the Iraq War, we went in and we destroyed the communications systems. Yes, that’s true, but we have engaged in cyber warfare, cyber conflict activities probably more than any other country. And so I believe that we actually should be advocating that there be a guaranteed minimum stability of critical infrastructure to protect unnecessary destruction and harm and suffering.
When the Internet is the central nervous system of society, we need to have some basic amount of it protected or all of society will be harmed.
Kao: This should be a pretty horizontal discussion, because as far as I’m concerned, the issues of cyber are very emergent, very fuzzy, very open to interpretation. We’re kind of like three minutes into this movie, we don’t know how it’s going to turn out. There will be many unintended consequences of whatever actions are taken, and, to quote William Goldman in a different context, namely Hollywood, “Nobody really knows anything.”
What we’ve seen so far in terms of activity in the cyber realm is very much evidence of an innovation war. There’s a big problem, we figure out how to deal with it, but the way we deal with it leaves behind technical traces that allow other people to platform on that technology and get a lot smarter, as was unfortunately the case with the Stuxnet virus. So you know, there’s a call and response kind of quality and a lot of this materially depends on innovation capability.
North Korea has over a thousand cyber warfare specialists in four separate commands. China has unknown thousands of specialists from a military perspective who are trying to exploit the fact that, you know, China doesn’t have 12 aircraft carriers—they don’t even have one. But, you know, if they can figure out smart ways of spoofing our installed base of expensive assets by being smart and using cyber, well, that’s pretty good return on investment.
This notion of war is kind of one model of what’s going on in cyber conflict. We don’t even in many cases—in most cases—know who these adversaries are. You know, cyber is perfectly set up for false flag operations, for people to utilize proxies, for people to hide their intentions in a very big way.
This past August 15th in Saudi Arabia, thirty thousand computers in Saudi Aramco were attacked and when you turned them on, you saw a burning American flag, and critical datasets were completely wiped out to the point where a large percentage of these computers had to be discarded. Okay? I mean, so this is not like a hypothetical situation anymore. That is a very real event.
We have our secretary of defense, Mr. Panetta, who just basically four weeks ago interviewed in the press: “We are facing a cyber Pearl Harbor.” Now, is that, I ask you, the right metaphor? Well, questionable. So in Pearl Harbor, yes, we were unprepared. I’m not sure we’re unprepared now. We have Cybercom; we actually have lots of smart people who are trying to figure stuff out, so we’re not completely flatfooted. But the big difference was that on December 7, 1941, there were these airplanes that flew over with the insignia of the Imperial Japanese Navy. Right? I mean, they weren’t hiding; they were in plain sight.
We don’t really know how to wrap our minds around this phenomenon—we have data points—and that what is really important is to try to figure out a robust metaphor or set of metaphors that can guide further investigation. So if war is not necessarily the right metaphor, because we’re not talking necessarily about winners anymore—I mean, what does it mean to win in cyber? You know, it could be that I satisfy my weird psychological itch to wreak destruction on other people or, you know, I’m a terrorist and I see satisfaction in people getting killed or, you know, I steal a lot of money, or I believe that I’m an anarchist, right, so I believe that I should be able to destroy the institutions of society. Is that war? Not by any traditional metric.
There was a famous quote by the head of the IRA that said, “We just have to be lucky once, you have to be lucky every time.” Well, that’s kind of a little bit the way it works in cyber if you’re sitting as the head of Cybercom. It’s like your goal is security and having nothing happen, right? So is wellness the metaphor? Because then, you know, you have an immune system, you’ve got the T cells and the B cells, and the viruses come in and you can either deal with them or not. What is the right model? I mean, I kind of put forth the metaphor of Silicon Valley, in the sense that, you know, all of those Chinese engineers in bunkers figuring out asymmetric responses, I mean, that’s their version of an innovation strategy. What is Cybercom going to do with its billions of dollars of appropriations to avoid just talking to people like themselves and, you know, the Lockheed Martins and so forth of the world as opposed to getting down into the 20-year-olds, who probably have as good ideas about, you know, the kind of cyber realm as anyone?
Anderson: There’s a lot of resistance on the comme rcial side to any kind of real relationship with the military people because they’re not trustful. So—
Kao: The corporate people are not trustful.
Anderson: Yeah. There’s a reluctance on the corporate side to allow true cooperation with the military. Would you comment on that for me?
Kao: Yeah, sure. So this is actually a very real issue, and part of what I would consider to be included in the innovation agenda for our country vis-a-vis cyber, which is—you’re right, I mean, the military is probably the largest body of intentional work on methodologies and strategies for addressing this issue.
With exceptions like DARPA, the military has not been that great at being able to speak the language of the commercial sector, reach out to the commercial sector, and also get beneath the behemoth companies to the startups and the, you know, domain experts and the smaller kind of entrepreneurs. At the same time, you said that the issue of trust, and I think that’s very real. If I’m a company and I got hacked, robbed, you know, plundered, blown up, whatever, I may or may not be completely forthcoming about what happened because I may not—I may be embarrassed, I may want to keep that information to myself.
So the question of how to create the right kind of rules of engagement are very material and don’t exist right now.
Anderson: And we have a situation, which I won’t describe in detail, where the NSA was aware of an attack, told the attack victim; they said, “No, we’re not being attacked.” They said, “Yes, you are being attacked. And now they’re taking the stuff out of your—” and they—“No, that’s not happening.” And then they finally realize it’s happening. So it can be that one agency knows or one group of military-related people knows, but the attack victim doesn’t know.
Kao: Well, exactly, and there’s been a crescendoing tempo of attacks on U.S. financial institutions just over the last few months, I mean in terms of intrusions or attempted break-ins of one kind or another. So, you know, the military monitors this, or CyberCom monitors this, and is in possession of information, but the rules of engagement in terms of how it then communicates with the commercial sector are undefined.
Coviello: Unless we have a policy that is firm in terms of how we’re going to protect intellectual property, then we ought to stop with the whining in the press and get on with just wholesale defending ourselves.
Another thing that people fail to understand is there is this sense that the NSA, at some level, is omnipotent. They cannot look within the IT infrastructures of the physical United States. So they have tremendous information about everything that goes on outside the United States, but by law they cannot look at what’s going on inside the United States.
We’re used to having wars in and among nation-states. Again, as John points out, where does the criminal activity end and war-like behavior begin? We now have evidence that criminal groups are collaborating with nation-states. The criminals, believe it or not, have a Big Data problem. They have such a wealth of credentials that they don’t know how to necessarily monetize all of them. So what do they do if they do get a password from an executive at Lockheed Martin? Do they rob his checking account? Or do they sell that credential to a nation-state? They get a lot more money selling those credentials to nation-states. On the flipside, the nation-states are now selling their sophisticated APT-oriented attack to criminals.
For those nation-states that might not have the capability to prosecute a cyberwar, why not subcontract some of these criminal groups to launch a distributed denial of service attack on the target of your choice?
Hacktivists are clearly a problem. They’re anarchists, in a large sense, and they are potential perpetrators of a cyber attack or cyber warfare. In addition, terrorists, who have nothing to lose and everything to gain by blowing things up, they would like to prosecute cyber warfare. So we have to understand that it’s not just nation-states, it’s actually criminal groups, and what we call non-state actors, which would be the hacktivists and the terrorists.
In terms of mutually assured destruction, I do think that that is an emerging de facto among nations that understand the rules of warfare, whether they’re codified or not. In other words: you take out my power grid, I’m going to take out your dam, if I have that capability to perpetrate such a destructive attack. My worry is that rogue nation-states, states that sponsor terror, and terrorists that have nothing to lose, won’t abide by this concept of mutually assured destruction
What I’m seeing is an evolution from intrusion; in other words, get inside a network, copy intellectual property, steal credit cards, steal passwords, steal money from checking accounts, going from intrusion to disruption. And the example that John gave of the distributed denial of service attacks on the New York banks is clearly an example of disruption. If you’re going to have economic sanctions on my company, if you’re going to unleash something like a Stuxnet on me, if you’re going to do something to me in cyberspace, I’m going to come after you with at least a proportional attack to disrupt you. And if I get even more sophisticated, I go to the next level, which is to destroy something.
I believe that in the next 12 to 18 months, I could see, in terms of either disruption—and hope to God not destruction—but I could see at least in terms of disruption, I would say that there’s a good probability in the next 12 to 18 months that we will see a disruptive event in this country.
Anderson: Is it fair to say that there are probably actors of the type you’ve mentioned who already have the work finished? Essentially, the traps are set, and the question is do they push the trigger or not.
Coviello: The capability exists, and that’s what I worry about. I understand the capabilities. I do see attacks that obviously go unreported in the press. What I also know is how open we are. Ten years ago, there were only a couple of points of ingress and egress. It was okay to have a perimeter-oriented defense. Now, with cloud and mobility, there is no such perimeter. And we spend way too much of our budgets on prevention and not enough on detection and the ability to respond timely enough to prevent some catastrophe or to prevent some loss.
We really have to start migrating our security infrastructures to ones that are less focused on prevention and create a balance between prevention, detection and response. And if we don’t do that, we can’t set up true defense in depth.
Anderson: Our challenge as a group, if you’re concerned about this, is not the different pieces that you hear, that are all true, but how to raise the level of concern in the minds of people who are running corporations so that they allocate greater budget for this and greater time and greater personal resources so that they really convince their own people that this isn’t 19th on the list, this is number one on the list.