A modified version of this post was published in Homeland Security Today on 01/01/15: a digital copy can be found here.

The uneasiness of cyberspace

The recent Sony hacking scandal brought one important policy question to light: To what extent should the US government be involved in the cybersecurity affairs of private citizens and business? Answering this question is difficult; the issues are highly complex, there are epistemic barriers to fully appreciate the risks that need to be managed, and it’s a platitude amongst cybersecurity professionals that cyberspace is notoriously murky. But getting the answer right is imperative because of the issues at stake – privacy, the scope of government, and even national security might hang in the balance.

The task of a good cybersecurity policy is to help us navigate through these complexities and mitigate risk. In my mind, there are at least four reasons why the government will become increasingly involved in the cybersecurity affairs of private citizens and businesses:

(1) Hackers from so-called closed-societies are sanctioned (either implicitly or explicitly) by their respective states: In closed-information societies, such as North Korea and China, hackers may operate with the blessing of the government. Implicit backing from a government ‘allows’ hacker activity to go unchecked. For example, many hackers in North Korea or China must operate at least with the tacit knowledge of the government since the Internet is so closely monitored in those countries. My suggestion here is that the ‘permission’ to allow hackers to operate in an otherwise controlled environment constitutes an implicit endorsement of hacker activity. Of course, this claim rests on the assumption that these governments have knowledge of the hacker-activity; surreptitious hacker-activity in controlled information environments does not have the implicit endorsement of those who are controlling the environment.

This implicit endorsement can be contrasted with the explicit endorsement of a government. In this case, a government maintains formal ties with hackers—for example, the People’s Liberation Army (PLA) Unit 61398 is China’s ‘cyber unit’, apparently responsible for numerous attacks on US-based public and private targets. These hackers could be part of the formal apparatus of the government (such as PLA Unit 61398) or be an independent hacking group that receives resources from a government.

That’s not to say that this kind of implicit acknowledgment but formal distance cannot characterize the relationship between the state and hackers in more open societies as well. Nevertheless, there does, prima facie, seem to be a salient distinction to be made between tacit acknowledgment in societies that straightforwardly monitor and censor the Internet, and tacit acknowledgement in societies that are comparatively ‘open’ in the relevant respect.

The upshot is this: What may look like lone hackers may not be lone hackers, particularly if they are operating in a controlled-information environment. So, for example, what may look like criminal cyber attacks for financial gain might instead be a form of sophisticated economic espionage, or worse.

(2) Information and resource asymmetries: This point is related to (1). If the pertinent cyber hacking groups are getting help from states as large as China, or states willing to spend as much money on their military as North Korea, then private cybersecurity resources will probably not be enough.

Asymmetries of information resources are particularly pronounced in cyberspace. Indeed, even small businesses are worthy targets for hackers. For example, consider the fictitious Mr. and Mrs. Kim, small business owners, who don’t know a thing about cybersecurity, but the computer at the front desk of their small independent motel holds thousands of customers’ credit card information and personally identifiable information (PII). Or say Mr. and Mrs. Kim have a franchised (but still small) hotel – a Best Western, for example. They still don’t know anything about cybersecurity, but their front desk is connected to Best Western International’s central information hub. This might give hackers access to millions of credit cards and terabytes of PII. The point is this: it’s unfair to expect Mr. and Mrs. Kim to develop cyber security practices that will keep them safe from hackers with the backing of the Chinese or North Korean governments. Similarly, it might also be unfair to expect larger businesses to develop cyber security measures that will protect against, say, PLA Unit 61398.

But we might say that it’s not unfair to expect the large multinational corporations take drastic cyber security measures, as they have resources comparable to or larger than countries like North Korea. For example, WalMart’s revenue in 2013 was almost 40 times as much as North Korea’s GDP. But asymmetry issues remain: North Korea spends a significant amount of resources on its military, and presumably quite a bit of that money goes towards gaining information superiority in cyberspace. From defector accounts, for example, North Korea has a specific program to train ‘home grown’ cyber-warriors. WalMart, however, does not have strong enough incentives to pour resources into maintaining a WalMart’s Liberation Army Unit 61398.  

It’s important to stress that the information asymmetry stems from an incentive asymmetry. North Korea, China, and indeed all states have strong incentives to put resources into gaining information superiority because relative gains far outweigh costs. An excellent military cyber unit, for example, can not only obtain sensitive and classified national security information, but it can also cause physical damage to ‘smart’ systems or systems otherwise reliant on network infrastructure (see [4] below). Hackers can also cause significant psychological and economic damage. For example, convincing New Yorkers that there is a nuclear bomb in Manhattan (say, by controlling information flows to the city) would shut the city down and in the process economically paralyze the Northeastern United States. These kinds of attacks can be executed from a computer at no threat to personnel unlike traditional warfare.

(3) Incentives for secrecy: Private actors have a strong incentive to cover up cyber attacks on their systems. This is because consumers place trust in the cybersecurity infrastructure that lies behind much of their face-to-face activity with businesses. When you deposit money into a bank, you expect that nobody can simply hack into your account and take your money – importantly, you trust the bank will insure that nobody is able to do that.

You place a similar trust that nobody can access your information when you rent a room from Mrs. Kim, or when you buy something from Target.

But what incentive would the bank, Mrs. Kim, or Target have to tell you that your credit card information was, say, a part of a large package of information taken from their systems? None (notwithstanding legal compliance). In fact, their incentives run the other way: If the bank lets it be known that someone has hacked their systems and has access to their accounts, it risks a bank run. There are similarly significant costs for Mrs. Kim and large retail stores as well – a loss of trust means a loss of business.

These incentives might run directly against national security interests. It’s important to recognize that what may look like discrete cybersecurity incidents might be part of a broad and sophisticated attack. Obtaining information about cyber attacks is not only prudent for privacy and financial reasons, then, but also for gathering intelligence and developing a robust cybersecurity posture. My view is that a mature cybersecurity posture is not only about ‘keeping out’ who we want to keep out or protecting information, but also about gathering information as well – what are the hackers looking for? Why would they possibly be looking for this or that information set? Is there a discernible pattern to their activities? 

(4) Networked infrastructure: Industrialized societies are embedded with networked infrastructure, which means that industrialized societies are embedded with cyber risk. Sometimes industry doesn’t follow best practices, as in the case of the German steel mill that didn’t keep a ‘gap’ between its networks and the public Internet. A cyber attack in 2014 caused physical damage to the steel mill, and even closed down one of its blast furnaces. Cyber attacks can wreak damage even when there’s an air gap between the public Internet and closed networks. Consider the infamous Stuxnet – a computer worm – that was introduced to the closed environment of Iran’s nuclear industrial control systems through an infected USB drive. Stuxnet shut down almost a fifth of Iran’s nuclear centrifuges before it was discovered.

These worries are only set to intensify with the growth of smart technologies and smart cities, as more critical infrastructure becomes part of the ‘Internet of Things’. Cyber risk to power grid networks, water delivery systems, and transportation increases with the increased connectivity in smart cities. Moreover, various third party contractors (with perhaps varying cybersecurity postures) are typically involved in the running of this critical public infrastructure, increasing overall vulnerability.  

These are but some of the issues we ought to keep in mind as we decide on an appropriate cybersecurity policy for a changing information environment. As cybersecurity professionals, decision-makers, and policy analysts know, cyberspace is an especially messy area when it comes to discerning the proper role of government. But even amidst all of this messiness, one thing is clear: we have a formidable task ahead of us in navigating these murky waters.