Here’s the good news on America’s birthday: the last year has seen the U.S. emerge as an undisputed global leader in the use of offensive cyber operations. Averting another “Sputnik” moment, the nation’s longest running and most successful democracy blazed new trails in non-kinetic warfare, effectively ending speculation that the world’s lone superpower was asleep at the wheel as nations like China and Russia dashed ahead in the cyber realm. Now for the bad news: we’re screwed.
The U.S. was already the target of an untold number of foreign incursions on civilian and military networks before it loosed Stuxnet in an effort to curb Iran’s uranium enrichment efforts. Now that the Stuxnet genie is out of the bottle, we’ve become a prime target for politically or economically motivated attacks, even as our elected leaders flounder in their efforts to pass much-needed legislation to strengthen the nation’s cyber defenses.
The evidence is everywhere that the U.S. faces a daunting challenge in securing both public and private networks from intrusions. As Threatpost reported, in just the last week a House Homeland Security subcommittee heard testimony from Gregory Wilshusen, the Government Accountability Office (GAO) Director of Information Security Services that computer-enabled spying and espionage has increased the scope and abilities of countries and private interests that wish to illegally obtain U.S. technology. Cyber spying has already had “serious effects on consumers and businesses,” Wilshusen told Congress.
That testimony followed warnings in May about the threat of cyber attacks on capital markets in the U.S., including banking and financial services. Those threats go beyond sophisticated banking Trojan horse programs that raid consumers accounts. We reported in May on the case of a 33 year old Chinese man who pleaded guilty in U.S. Federal Court to stealing proprietary source code used by the U.S. Federal Reserve to help track billions of dollars in government transfers that occur daily. Hardly a week goes by without news of some kind of attack aimed at the U.S. government, U.S. military or the web of private firms that do business with it. In October, 2011, a report surfaced that indicated that a troubling and persistent virus infection at Creech Air Force base – home of the U.S. military’s unmanned drone program- was kept secret from senior Air Force cyber security officials for weeks while IT staff in the affected unit at Creech struggled to eradicate the infection. The Trojan was observed logging the keystrokes of remote pilots controlling drones in flight over Afghanistan, Pakistan and other countries.
Then, in May, the Department of Homeland Security said it is investigating a string of cyber intrusions targeting companies that operate national gas pipelines in the U.S. Just this week, we wrote about a new variant of the Sykipot Trojan horse program that has been linked to a spear phishing attack against the aerospace industry. In January, a different version of the same malware was identified that was able to steal the same kind of two factor credentials used by the U.S. Department of Defense for its Common Access Card (CAC). What a coincidence!
While the evidence of cyber threats is clear, the U.S. Government’s response to those threats has been spotty, at best. The Government Accountability Office (GAO) – a kind of Federal Cassandra – has warned repeatedly over the past decade about the need for the Federal Government to improve its cyber preparedness. In July, 2011, it issued a report warning that the U.S. Department of Defense’s efforts to unify its cyber security operations has serious gaps and that the Department is “unprepared to meet the current threat” of cyber attack.. On Capitol Hill, lawmakers made the smart move of putting new cyber security legislation on the front burner in 2012. But, Washington being what it is, that same legislation bogged down as special-interest politics and partisan squabbling produced the stilted and unpopular bill, CISPA, the Cyber Intelligence Sharing and Protection Act.
Whatever its merits in combating cyber attacks, the bill infuriated civil liberties and privacy advocates by seeming to give carte blanche to connected Washington interests – private ISPs and technology firms – to share information with the government on the online behaviors of private citizens. Passed by the House, but opposed by the Senate and the Obama Administration, CISPA and efforts to revamp the government’s rules for combating cyber crime are stuck in limbo and mired in election year politics. This, despite dire warnings from some of Washington D.C.’s leading policy experts that the U.S. is urgently in need of a new policy and ill-prepared for cyber attacks.
Flat footed in its response to cyber attacks, the U.S. government is also failing to prepare for the future. A GAO report in November warned that federal cyber security workforce initiatives are in need of better planning and coordination, particularly with regards to human capital. The stud by the government’s watchdog of the seven federal agencies with the largest IT budgets found that most were beset with inconsistent policies for developing their cyber security workforce. Five of the seven had addressed some key principles in their IT security workforce plans, while the remaining had no concrete plans as of yet to address their workforce needs.
And then there’s Stuxnet. There was informed speculation, almost from the first, that the U.S. may have been the author of the ultra-sophisticated worm, and that its purpose was to curb Iran’s budding nuclear program by disabling centrifuges used for uranium enrichment in Iran’s Natanz facility. That speculation become much more pointed in June with an article by David Sanger in the New York Times that quoted Obama Administration insiders admitting that Stuxnet was a U.S. operation, dubbed “Olympic Games” that was started under the previous administration, and accelerated under Mr. Obama’s tenure. That mission was, on the whole, a success. However, its secrecy was compromised when the Stuxnet malware “jumped the fence” – spreading well outside of Iran and attracting the attention of the world’s virus experts, who did the Iranian regime a favor by dissecting the malware and pointing fingers at its likely creators.
If Stuxnet is our generation’s Sputnik, there’s no question that its better to have launched it than to be in the position of watching, helpless, as it drifts overhead. But, in the wake of the latest revelations about Stuxnet’s origins, some leading experts on cyber security have warned that the U.S. may come to regret Stuxnet. Writing for the New York Times, industrial control systems security expert Ralph Langner argued that, while the time was ripe for history’s first cyber weapon, the fact is that the United States is “not prepared to defend against such sophisticated cyber-physical attacks that they chose to experiment with in the open.” Far from serving as a deterant, Stuxnet was a wake up call for “military forces and intelligence services around the globe, along with some terrorists and criminals,” Langner warned.
Echoing those comments, Mikko Hypponen of the anti virus firm F-Secure wrote in the same paper that the United States, as the world’s largest economy, has “the most to lose from attacks like (Stuxnet). No other country has so much of its economy linked to the online world.” In the post Stuxnet world, many crises will have cyber elements in play, as will future wars, Hypponen wrote. “The cyber arms race has now officially started. And nobody seems to know where it will take us.”
Those are sobering words. And, of course, its not like the U.S. is the only country whose cyber offensive abilities far outstrip its defenses. We’ve written about the Chinese government’s fondness for cyber espionage, despite an utter lack of security on domestic networks. Nor is it the job of government to perfectly predict the future. But it is fair to say that its the government’s job to read the writing on the wall and adjust accordingly. It’s not clear that the U.S., despite its many advantages, has done that yet, or – even more troubling – that our zero-sum political culture is capable of even small scale changes right now. If so, the coming years may test us as never before. Stay tuned…and happy Independence Day!
