All the evils that can be done in the cyberworld fall into five categories, according to Craig Mundie: malicious mischief, crime, espionage, warfare, and terrorism. And there are three kinds of actors committing them: amateurs, pros, and governments. It’s a taxonomy that he says the industry only invented in recent months to give clarity to discussions about how to deter and defend against attacks—attacks that he says he’s super-worried about.
Senior advisor to Microsoft CEO Steve Ballmer, Mundie is also a global cybersecurity policy advocate. As Techonomy’s David Kirkpatrick points out, Mundie “spends a lot of time talking to the leaders of the world about what’s happening with the landscape of the Internet and security and where it’s headed.” Kirkpatrick interviewed Mundie on stage at Techonomy 2013 in Tucson this week about cyber-insecurity and its impact on business.
What scares Mundie most about what he calls “weapons of mass disruption” is that “on the Internet, things can happen so fast, at such a high scale, I believe no country has prepared itself to deal with a disruption that happens to the entire country at the same time.”
For instance, he says, if someone with a highly sophisticated weaponized mechanism were able to cause a cascade of the U.S. power grid, “how does the country bootstrap itself back into operation when there’s no part of the country that’s running? These are scary thoughts.”
Putting all cybercrimes in the same bucket, Mundie says, makes it impossible to defend against them. Those five categories and three players account for 15 completely different kinds of threats, he says. “When everyone puts everything under the banner of cybersecurity, it becomes something that’s not actionable, and that’s the problem we have had with policy-makers—they can’t separate economic espionage from cyber-terrorism from warfare, and they’re all very different,” he says. “Each of them is going to be different, in my view, in terms of what we’re going to have to do about it.”
The most common malicious cyber activities have, in the past year, shifted from crime or mischief to the downright destructive, Mundie says. He points to the August 2012 cyberattack that wiped out 30,000 computers at oil giant Saudi Aramco in Saudi Arabia as the first well-known destructive cyberattack, one that many believe was launched by Iran.
“This is a nation-state attacking a private business for the purposes of getting the attention of the other nation state’s leaders,” Mundie says. “Governments have capabilities they are willing to use that are just not available even to criminal organizations. For that company, it was a very long slog.”
In 2013, destructive attacks against South Korea have been attributed to North Korea. He calls it “a very scary evolution, because you’re starting to see people willing to deploy these things against what could become critical infrastructure.”
Mundie traces the start of a cyber arms race to a year and a half ago when the U.S. became the first country to make a “formal doctrinal declaration that cyber is the fifth domain of warfare”—along with land, sea, air, and space. “In a kinetic war, you wouldn’t say, ‘I’ll only use the navy.’ Well, now people are saying no, I won’t only use the kinetic or I won’t only live in cyber. You blend them together.”
In other words, the U.S. could retaliate against a cyberattack with a cruise missile. It’s naïve, Mundie says, for an enemy to think, “If I do some bad things to you in cyberspace, you will come back and do some bad things to me in cyberspace. People are now beginning to realize that there is no clean dividing line between these two.”
On the upside, no society can afford to turn off this technology, any more than it could turn off its electricity or water, Mundie says. That means that, even if governments or businesses have conflict, they might have a common cause against cyberterrorists. For instance, “If terrorists are able to disrupt the global banking system, no country is immune.”
Mundie says he’s trying to help global leaders to understand that “when you have those kinds of actors … we need to find a way to have those countries and their capabilities cooperate in both deterring and addressing or even fighting back.”
He’s also advocating for a serious tune-up of the technology of the Internet. That includes implementing “identity for computers, the physical devices, for the programs that run on those computers, for people,” getting Trusted Platform Module (TPM) hardware put in more devices, and behavioral changes, including updating software consistently to ensure your machines are running the latest security. “It’s a classic arms race,” Mundie says, “but most organizations don’t think of it that way.”
For instance, he says, hundreds of millions of machines are still running 14-year-old Windows XP. “It’s completely un-protectable to contemporary threats. If you’re an enterprise and you have one machine on your network running Windows XP, that will be the point of entry for a bad guy.”
As the world moves to mobile, Mundie notes, the problem grows bigger. “The phones that everybody carries around with them are about a decade behind personal computers right now in terms of how well they’re engineered with respect to these kind of security mechanisms.”
The problems, he says, are escalating faster than mechanisms to deal with them.