Beginning January 2020, the Cyber Statecraft Initiative will feature a monthly CSI5x5, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the CSI5x5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at [email protected].
The past ten years have, among other things, witnessed the most costly cyberattack on record, the discovery of a computer worm capable of wreaking physical destruction, and USCYBERCOM’s elevation to unified combatant command status. As we turn the page to 2020, we’re looking back to recap the most significant, overblown, and emergent cyber incidents of the decade.
Our Cyber Statecraft Initiative experts go CSI5x5 to put the 2010s into perspective.
#1 How will the 2010s be remembered as a decade in cyber history?
Beau Woods, cyber safety innovation fellow, Cyber Statecraft Initiative; founder/CEO, Stratigos Security: “[As] the era our neglect was put on display. After decades of the private sector and policymakers ignoring warnings from security researchers and warning signs from data breaches, high-profile, high-consequence cybersecurity incidents like Mirai, WannaCry, and NotPetya catalyzed a collective “oh sh*t” moment. While the increased focus has generated more activity than effectiveness (so far), it now seems accepted that cybersecurity can have a significant impact on public safety, public confidence, and national and economic security.”
Megan Stifel, non-resident senior fellow, Cyber Statecraft Initiative; senior policy counsel, Global Cyber Alliance: “The 2010s will be remembered as the decade of destructive cyber operations and unexpected consequences. From Stuxnet to Shamoon, Sony, and NotPetya, as the decade progressed the effects of actors’ operations were felt more broadly than their assessed intended targets. Whether the collective response, or lack thereof, to these attacks contributed to their escalating nature remains an open question.”
Bobbie Stempfley, non-resident senior fellow, Cyber Statecraft Initiative; director, CERT Division at the Software Engineering Institute at Carnegie Mellon University: “[As] the decade of the data breach. Major breaches impacted every sector, impacting individual privacy, corporate intellectual property, and national security.”
JD Work, Bren Chair for cyber conflict, Marine Corps University: “The teens were the decade in which the last of our comfortable illusions of a free (libre), stable, and peaceful cyberspace were shattered, as the covert competition and conflict that has long marked the interactions of states, proxies, and new powers publicly surfaced in a fashion that could no longer be denied. [It will be remembered as the decade of consequences ranging] from the disclosure of persistent espionage inflicting industry-breaking losses to the recognition of the environment as a new warfighting domain, in which covert action and sustained strategic exchanges play out across the pervasive vulnerabilities of private systems and networks.”
Kenneth Geers, non-resident senior fellow, Cyber Statecraft Initiative; ambassador, NATO Cyber Centre: “Militarization. We created USCYBERCOM in 2009, and other nations quickly followed suit. Likewise, Stuxnet broke in 2010, which gave the world an eye-opening glimpse of “cyber war.””
#2 What do you consider to be the most significant open-source cyber incident of the past decade?
Woods: “Stuxnet. The (alleged) US- and Israeli-led cyberattack against Iranian nuclear capabilities is a Rubicon-crossing moment. First, it established a norm that using a destructive cyberattack is an acceptable means to achieve a political objective. Second, it put other countries on notice that their cyber offensive programs were behind, encouraging them to ramp up. Third, the malware ended up spreading to dozens or hundreds of facilities worldwide, spreading capabilities to much less advanced adversaries.”
Stifel: “NotPetya due to the global scale and scope of its immediate impact as well as the longer-term consequences of trust in connected technologies.”
Stempfley: “The Mirai bot demonstrated the unintended consequences of poor design, and the true nature of the environment where those that pay the cost for poor product security are often not the same people who caused the issue.”
Work: “The sustained Lazarus/HIDDEN COBRA intrusions compromising transactions across the global financial backbone, which left destroyed institutional networks in their wake, monetized to prop up the illicit power of an isolated, paranoid Democratic People’s Republic of Korea (DPRK) dictatorship and the Kim family’s twisted, dangerous ambitions towards a nuclear and ballistic missile arsenal. Beyond the significance of the funds stolen, this campaign crossed a fundamental red line in offensive cyber operations by altering the integrity of account and messaging information—options deliberately not pursued by responsible state actors since at least operation ALLIED FORCE two decades before. This is also the campaign which saw key change, where great powers at last chose to no longer abandon private sector actors to fight hostile military and intelligence services alone—but began to shape new strategic approaches and associated concepts of operation to counter threats that directly challenge our sources of national power.”
Geers: “Not even close. The 2016 US Presidential Election was the greatest hack in history, blending SIGINT, HUMINT, and Information Warfare at the highest level of grand strategy.”
#3 What cyber incident was the most overblown of the decade?
Woods: “The fictional “Cyber 9/11” or “Cyber Pearl Harbor.” While catastrophic attack scenarios grab headlines and make for fun gameplay in the Atlantic Council Cyber 9/12 Student Challenge, nothing so devastating emerged in the 2010s. Are predictions of an all-out cyber war naive, or simply premature? Time will tell.”
Stifel: “The 2011 Springfield, IL water pump “attack” ultimately determined to have been an employee remotely accessing the network while on vacation. Initially the US Government labeled the incident akin to Stuxnet; additional investigation concluded it was not an attack at all. However embarrassing, the incident offered a number of lessons for the cybersecurity industry and critical infrastructure sectors.”
Stempfley: “Electric grid hype. Individual and systemic issues require focus, and attention paid to the grid will improve its overall resilience, making for an electric grid that is more capable of rebuffing cyber events. However, the focus on increasing the resilience of operational technologies and control systems is needed for a larger community.”
Work: “The convulsive Beltway reaction well after the significant events of 2016 unfortunately gets the vote here. This incident was the weaponization, through political warfare/active measures, of a sadly routine intrusion compromising political leadership targets in a recurring espionage campaign, which, whilst novel for its media impact, would not have had anywhere near a sustained legacy in the bigger picture but for the uniquely dysfunctional character of the domestic political contest playing out in the United States through the end of the decade.”
Geers: “Let’s abstract this question and say that we still too often refer to cyberespionage as cyberattack. The former leverages computer hacking, but the latter typically involves data denial, destruction, or manipulation—which can be more serious in nature, but is also rarer.”
#4 Looking forward to 2020, what emerging cyber trend will make the greatest mark on the decade ahead?
Woods: “Cyber Hygiene. While venture capital funds billions of dollars of investment in blinky boxes and managed services, the most effective defenses remain the low-cost, high-value approaches we’ve known for many years, as well as some we’ve learned along the way. For instance, software updates, multifactor authentication, coordinated vulnerability disclosure programs, and isolation/segmentation stem the root causes of cyber insecurity, lowering cost, risk, and resource requirements.”
Stifel: “Scalable automated protection of Internet of Things (IoT) informed by real-time information sharing. For example, the Automated IoT Defense Ecosystem developed by the Global Cyber Alliance will not only protect configured devices, but it will also inform other devices throughout the ecosystem, triggering an immune-type response that will ultimately reduce the scope and impact of malicious activity.”
Stempfley: “Speed—the changing nature of how everything is designed and built changes the risk calculation. Speed will continue to advantage the adversary, but it will also begin to advantage the defenders for the first time in a long time.”
Work: “Highly scalable automated vulnerability discovery. In the short term, this will allow for exploit development at an unprecedented depth of many machine eyes, across the ever more fragile ecosystem characterized by dense bugs iterated across a widening range of attack surface. To the longer horizon, this trend offers perhaps the best hope of changing the offense-advantaged, or at least offense-persistent, balance of the domain towards something that may favor the defender. The DARPA Cyber Grand Challenge, despite being a constrained game, was the leading indication; and the substantial fuzzing resources reportedly directed by Google Project Zero against offensive research targets offer the first outlines of what future operational instantiations may arise.”
Geers: “IT-enabled government, for good and bad. Cynical leaders will continue to use digital tools to gain unfair political advantage, but civil society (and government) should use digital tools to promote democracy, transparency, and accountability, both within and among nation-states.”
#5 Who is likely to be the single most influential entity, person, or institution, in cyberspace for the 2020s?
Woods: “Adversaries. While we don’t always know how to avoid getting hacked, we know what reliably fails to work. Despite this publicly available knowledge, organizations routinely choose known insecure practices, rather than better alternatives even when there is little to no financial or operational difference. While regulation, standards, and voluntary approaches have failed to correct these issues, active attacks by adversaries trigger improved practices. Here’s hoping the skr1p7 k1ddi3z, criminals, hacktivists, and nation states can help us improve in the 2020s, without triggering too much harm.”
Stifel: “Non-profit actors will play an increasingly critical role in cybersecurity. They will advance scalable security solutions for those who cannot afford them. In addition, their engagement will also move the market to produce devices that are secure to market and capable of automatically implementing updates and other capabilities that will reduce vulnerabilities across the ecosystem. Through these and other initiatives, they will advance a more trustworthy and secure ecosystem that supports sustainable economic growth and social development.”
Work: “The 2020s will likely see the discreet but unmistakable entry of institutional investors into offensive capabilities markets, further normalizing and ultimately rationalizing what to date has been a scattered landscape of boutique players, lifestyle firms, and quasi gray arms transactions. This opaque industry in its current baroque incarnation has nonetheless played a vital role in the capabilities acquisition of even the most liberal, Western states—to say nothing of the parallel and often parasitic mechanisms driving innovation within adversary programs. A more efficient allocation of capital, and therefore talent, will almost certainly offer unequaled influence, for good or ill.”
Geers: “China. A combination of population, economy, and technology may center the next digital map over the Asia-Pacific. But democratic nations, especially via the European Union and NATO, must continue to promote democratic ideals and institutions, both in real life and in cyberspace.”
Simon Handler is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.