Experts at the Penn Wharton Budget Model forum in Washington examined cyber warfare and what, if anything, can stop it.
The July indictment of 12 Russian intelligence officers by the Justice Department for interfering in the 2016 U.S. presidential election underscores the severity and immense reach of cyberattacks like no other techno-sabotage in history. To influence the election’s outcome, authorities said, these agents hacked into the computer networks of the Democratic Party to get information and strategically released it on the internet. In the private sector, companies have to step up their defenses against cyberattacks that are becoming all too common.
Against that backdrop, fighting cyber threats has never been more important. This is the greatest terror threat to the U.S. economy, but policy makers’ responses have moved at a snail’s pace, according to high-ranking cyber-security and risk management experts who spoke at a panel discussion on cyber risks at the Penn Wharton Budget Model’s first Spring Policy Forum, held last June in Washington, D.C. Experts called for greater awareness of cyber threats at all levels, an inclusive approach to protect all parties affected, and steps to “harden our defenses to make the cost too high for the payoff to carry out these cyberattacks.”
Russia is at the top of the list of sophisticated cyber adversaries confronting the U.S., a group that also includes Iran, China, and North Korea, according to Matthew Olsen, co-founder and president of IronNet Cybersecurity and former director of the National Counterterrorism Center. “Russia has made information conflict a critical and central pillar of its national security strategy,” he said. “Cyber is a means of carrying out their geopolitical strategy.” And Olsen believes there is “every reason” for Russia to interfere in the 2018 and 2020 elections as well, “with even more fervor and more effort.”
A Frictionless Weapons System
Any complacency over cyberattacks is dangerous, warned Ira “Gus” Hunt, managing director and cyber strategy lead at Accenture Federal Services and former chief technology officer at the CIA. “We are exhibiting the classic signs of insanity. We are like the little boy with his finger in the dike,” said Hunt, referring to the folktale of a Dutch child who stayed up all night to plug a leak and save his country. “Things are about to get much, much, much worse, and it’s going to happen very, very quickly and very, very suddenly.”
According to Hunt, “Cyber is the most difficult threat environment the world has ever seen … and as a weapons system, it is unlike anything previous in history.” He said, “The velocity of innovation around cyber itself is unparalleled,” pointing to one study’s finding that more malware is released in a month than all legitimate code in a year.
The scariest aspect of cyber threats is that they are “frictionless,” said Hunt: “Cyber is the world’s first frictionless weapons system. The moment [they are] released and discovered in the wild, everybody’s knowledge is suddenly elevated, and [they] turn around and come back at us in different ways.” For example, he said, days after German magazine Der Spiegel revealed the use of the Stuxnet computer worm in attacking Iran’s nuclear program, variants of it developed and spread—and then were used to attack U.S.-based systems like SCADA, a data tool for critical infrastructure and automated factories.
Tim Murphy, president of Thomson Reuters Special Services and former FBI deputy director, shared his own encounter from 2008: “I’m sitting at my desk in the FBI, and I’m the number three in the FBI, and I am attacked by a state sponsor—in the building—on my unclassified network. If that doesn’t cause you to be scared and give you a greater outlook on how big the problem was and is, [nothing will]. That was 10 years ago, so you can understand the scope of it today.”
- Develop and Practice Strong Cyber Hygiene
- Know and Secure Vendors’ Networks
- Identify and Protect the “Crown Jewels”
- Practice Your Incident-Response Plan
- Create and Develop a Global Communications and Messaging Framework
- Test the Incident Response Plan and Update Regularly
- Develop a Robust Cyber-Threat Monitoring and Sharing Team
- Evaluate Cyber-Security Insurance
- Engage Privacy and Cyber-Security Expertise for All Priority Jurisdictions
- Maintain Government Relationships
Source: David Lawrence and co-authors, via K@W
More Vigilance Needed
Even as those scary scenarios loom, one reason for optimism is that “we are slowly but surely seeing an awakening of vigilance by the American people about this threat,” said Daniel Kroese C10, senior advisor with the National Protection and Programs Directorate in the U.S. Department of Homeland Security. The first major wakeup call for ordinary Americans was the data breach at health insurer Anthem in 2015 that involved some 80 million medical records, Kroese said. Around that time, another massive breach was under way at the U.S. Office of Personnel Management, showing that “even some of the most sensitive government records were not immune to these threats,” he added. Subsequent major attacks have included WannaCry and NotPetya ransomware, the Uber breach that hit 57 million accounts in 2016, and the 2017 Equifax breach of more than 147 million users.
Murphy said people don’t take cyber threats as seriously as they should. “I want people to be scared, I want the government to be scared, and I want the private sector to be scared, because I don’t think we are scared enough,” he said. “And by scared, I don’t mean fearful; I mean scared into taking some action.” He added that the response to these threats must be improved: “This works at network speed, at code speed, and we’re working at human speed to solve this problem.”
Olsen saw the U.S. response to Russian attacks as underwhelming and also raising troubling questions: “How seriously have we taken that threat? What has Congress done? What has the administration done? What have companies done to defend ourselves better? What pain did we inflict on Russia for the attack on our election? How do we even think about an attack on the fundamental pillar of our democracy when it’s carried out by a nation state? How do we think about it from a doctrinal standpoint?”
Bridging the Digital Divide
David Lawrence, founder and chief collaborative officer of the Risk Assistance Network + Exchange (RANE) and former Goldman Sachs associate general counsel, said the “overarching theme” of the 9/11 Commission and the findings from the 2008 financial crisis are helpful pointers in tackling cyber threats: “Those events were less a failure of intelligence and of information than of imagination, connecting the dots in advance.”
Lawrence noted that “because cyber is about technology, it becomes an overly complex puzzle” and intimidates people with its language and science: “The [cyber] crimes we are witnessing are of biblical proportions. They are theft and fraud and espionage and various [means] of sabotage and extortion and blackmail. The actors are precisely the same people who always meant us harm: criminals and organized crime groups, terrorists, various hostile states, and state-sponsored groups.”
Those that have sufficient resources, such as large and wealthy organizations, do a good job of making the requisite investments to protect themselves from cyber threats, said Accenture’s Hunt. But firms or groups with fewer resources will continue to struggle. “We have this new digital divide, and I call it cyber haves or have-nots, and other people have spoken about a cyber poverty line,” he said. What makes matters worse is a “critical shortage” of cyber personnel, which in turn drives costs up further, he added.
Even large organizations, Hunt said, could see cyberattacks creep into their systems through a vendor that may be small and without the security infrastructure to deal with these nefarious actions. For example, the massive breach of Target four years ago was traced to its heating and air-conditioning services contractor. “When we have this massively interconnected world, we’ve got to think of an approach that can lift all boats,” he said.
The seriousness of the situation is made clearer when one considers how little it costs hackers to unleash such massive disruptions. “You have actors who can spend very little money, scale their resources very effectively, and have an asymmetrical destructive impact while using our own technology,” said Lawrence. “This is the greatest tax on the national economy, bar none, and it’s the greatest terror on our economy, bar none.”
Olsen said that while there are various estimates of the cost of a data breach, a Verizon study put the average cost at between $5 million and $15.6 million for a “mammoth breach.” But that doesn’t include litigation costs or the hit to a company’s reputation. Hunt said cyber crimes have cost the U.S. 0.7 percent or 0.8 percent of its GDP for the past three or four years.
But some damage is so great that it’s impossible to put a price on. “What’s the cost,” Murphy asked, “of undermining your democracy, or stealing your intellectual property in the billions?”
A Leadership Vacuum?
Lawrence wanted to know what might provide the crucial trigger for legislative action. “Is it going to take a crisis?” he asked. “Or can we begin to apply what has worked in the past to deter enemies of the country, criminals, organized crime groups in these activities, and begin to have a unified response that will protect all?”
An effective national response to cyber threats has to take shape in public policy. Murphy wondered what might provide the impetus to achieve that goal. “Maybe it takes one of those major events,” he said. “What we’re advocating is, let’s get ahead of it.” He referenced a Knowledge@Wharton opinion piece by Lawrence and SEC Chairman Jay Clayton ENG88 L93 in which they called for the creation of a “9/11-type cyber threat commission.”
Lawrence added, “It’s not about the people and resources that are now focused, but about our approaches to risk management.” Further, “We’re at the pre-9/11 moment, or the pre-financial-crisis moment, where many people are looking and seeing things and watching with increasing concern, but the centralized leadership is yet to be there. Something more is owed to the American people. We have yet to have ownership of this issue.”
Lessons From Counterterrorism
The response to terrorism in the U.S., especially after the 9/11 attacks, holds lessons in preparing for cyber threats. “One is that it’s a team effort,” said Olsen, recalling his previous role as director of the National Counterterrorism Center. “We learned that the hard way; [9/11 showed that] we weren’t, as a government, well-coordinated in sharing information.”
Second, “We need to address the lack of expertise,” said Olsen. “We did that with expertise around counterterrorism. But there are hundreds of thousands of unfilled cyber security jobs in this country. Third, we need to harden our defenses. We’ve hardened our terrorism defenses. But we haven’t done enough to harden our networks and our data.”
Olsen pointed to one critical difference between counterterrorism and cyber security that makes security in the latter harder to achieve: Much of what needs to be done in cyber security lies in the hands of the private sector, and 98 percent of the critical infrastructure of this country is in the hands of the private sector, leaving a smaller role for government, he said.
Meanwhile, lawmakers are taking cyber security more seriously than ever before, Kroese said: “Almost every authorizing and appropriating committee now wants to find a way to engage in cyber, really understanding and making sure that we are engaging with a nuanced view … to ensure that the legislation that comes out is smarter.”
Published as “The Greatest Global Terror” in the Fall/Winter 2018 issue of Wharton Magazine.