How We Need to Prepare for a Global Cyber Pandemic by Glenn S. Gerstell, NSA General Counsel
Presented to The Cipher Brief Threat Conference, Sea Island, Georgia
April 9, 2018
By some accounts, Russian meddling in the US election system may have originated from the depths of a hot dog cart. It’s a success story, of sorts.
In the early 1990s, an enterprising hot dog vendor in Russia seized upon the entrepreneurial opportunities created by the collapse of the Soviet Union to start his own catering company. He eventually grew his business enough to win lucrative catering contracts with the Russian government. He and his restaurants threw opulent banquets for Kremlin officials, earning him the nickname “Putin’s Cook.” Yevgeny Prigozhin’s company even won a contract in 2011 to deliver school lunches across Moscow, but children wouldn’t eat the food, complaining that it smelled rotten. Bad publicity ensued. Prigozhin’s company responded not by upgrading the food, but by hiring people to flood the internet with postings praising the food and rejecting complaints. Presumably, they found it cheaper to use the internet to write fake reviews than to fund deluxe hot dogs for schoolchildren.
Perhaps building upon this experience, Prigozhin and his companies funded and largely controlled an organization that began in 2013 or 2014 called the Internet Research Agency. In the Agency’s office building in St. Petersburg, hundreds of individuals worked around the clock as “internet content producers.” Although the Agency’s original agenda was the online spread of pro-Russia and pro-Putin propaganda, that agenda quickly expanded westward.
With an annual budget of hundreds of millions of dollars, the Internet Research Agency began to engage in a widespread and concerted campaign aimed at the United States. They created fictitious US personas on social media platforms that were designed to attract US audiences and sow discord regarding divisive US political and social issues. They used stolen social security numbers, home addresses, and birth dates of real US persons to open banking accounts to pay for expenses and to collect money from real US persons, and they produced and paid for political advertisements on US social media, concealing their true identity.
The details of the story I just shared with you are derived not from classified reporting, but rather from allegations made in newspaper articles and publicly available criminal charging documents filed against some of the main players in the Internet Research Agency’s scheme. Prigozhin, the Internet Research Agency, and several other Russian individuals and companies associated with the organization were indicted on February 16 by Special Counsel Robert Mueller. And what was the ultimate aim of this Russian internet troll factory, according to that indictment? To “impair, obstruct, and defeat the lawful functions of the government through fraud and deceit for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016.” Charging the defendants with conspiracy to defraud the US, conspiracy to commit wire and bank fraud, and aggravated identity theft, the indictment highlights the lengths to which sophisticated nation-states will rely upon cyberspace to carry out their objectives. These allegations reflect a threat beyond just routine cybercrime and mischief; indeed, if true, they represent an attempt to strategically undermine institutions critical to the functioning of our democracy, and at their core, they underscore the vulnerabilities created by our digital lives.
This audience is sophisticated, and I know that you all are generally familiar with the scope of the cyber threat facing our country. But I will first spend a few minutes this afternoon explaining why we are concerned about a possible “global cyber pandemic.” I then want to do two things: first, outline a necessary dialogue about how we go about addressing the cyber threat, focusing primarily on what the federal government needs to consider. Second, and perhaps more importantly, I want to underscore why our nation’s response must include not only the federal government, but also all sectors of the population who rely upon and enjoy cyberspace — which is to say, everyone.
2018 represents another year in which the Intelligence Community has highlighted the gravity of the cyber threat in its annual worldwide threat assessment. That assessment reports that over 30 countries are now believed to possess cyberattack capabilities. This number, which has increased almost every year since 2007, reflects the ease with which malicious cyber actors can now obtain and deploy cyber weapons. Cyberspace has proven to be a relatively accessible vector in which to carry out malicious activities, and so we are seeing that less sophisticated nation states and criminal actors are becoming better equipped in the use of cyber toolkits.
We continue to see China, Iran, North Korea and Russia as the nation states posing the greatest cyber threat to the US. For example, last November, the Department of Justice indicted some Chinese hackers for deliberate intrusions seeking trade secrets in the financial, engineering and technology sectors. Iranian cyber actors are reported to have conducted cyber operations against dozens of networks across the Saudi Arabian government and private sectors in late 2016 and early 2017, deleting data from those networks. And just a few months ago, the White House publicly attributed the pervasive WannaCry ransomware to North Korean actors. The Intelligence Community expects that North Korea may continue to use cyber operations as a means to raise funds to offset heavy sanctions, to gather intelligence, or to launch malicious cyber activities against adversaries. Rounding out this malicious foursome, the IC has predicted that Russia — which has heretofore acted with impunity in this sphere — will conduct bolder and more disruptive cyber operations over the next year. It remains to be seen whether recent sanctions and diplomatic expulsions will have an effect on their cyber activities.
Despite our best efforts across the government, the threats posed by malicious cyber activity have now combined with even greater toxicity to present unprecedented challenges across our personal, professional, and political lives in a way that’s hard to overstate. History and our own experience have taught us that we collectively tend to underestimate the gravity — and perhaps the probability — of risks, and that we as a society react only after a crisis or calamity.
Just consider the potential scope and effect if some of the following cyber threat scenarios ever came to pass:
- Data is corrupted in a company’s financial and accounting systems, or in systems like the Bureau of Labor Statistics’ national unemployment or GDP collection databases, thus raising questions about how you make reliable business and economic decisions.
- Development of certain technologies is curtailed by the inability to ensure security. Think self-driving cars or assembly line robots that go haywire or become unreliable.
- Companies decide to take matters into their own hands by hacking back or seeking recovery of cyber ransoms, risking retaliation by nation states that won’t necessarily tailor their responses.
- Governments — worried about secret surveillance by perceived adversary countries — begin banning electronic products from those countries, resulting in a global technology trade war.
But these scenarios — some of which have already played out — need not be our future. We are capable of anticipating threats and talking about them in a serious and productive way. We at NSA think that such a dialogue is useful. Any such dialogue will, at its foundation, need to consider twin overarching questions: First, how much connected technology do we really want in our everyday lives? And related to that, do we want the rate of adoption of cyber technology to be controlled only by the speed of innovation and market forces, or do we want other governing factors to limit the rate at which new connected technologies can be made available?
Our society has generally made decisions about emerging technologies based upon whether the benefits of the technology outweigh the costs or fundamental risks to our way of life. For example, in the medical industry, we’ve made a decision that new drugs — no matter how quickly invented or discovered — cannot be brought to market unless and until they are tested and approved. I don’t think we’ve consciously confronted that question yet with respect to cyberspace, but the time to do so is upon us — if it isn’t already too late. This question opens up an enormously broad topic which ought not be trampled unexamined in the stampede of technological advancement. But let me leave that weighty topic with you for further reflection, and now focus on the narrower issue of the federal government’s functions with respect to cyberspace.
Let me first note that the current and prior administrations have taken important steps at the federal level to address the complexity and pervasiveness of the cyber threat. But work remains to be done by the private sector and Congress, as well as the Executive Branch. Cyber authorities are spread across government agencies. Private sector companies and individuals have taken disparate approaches to cybersecurity. Significant gaps remain in issuing standards and guidance for connected products. Our country is still in the development stage of national-level cyber strategy and policy.
We’ve seen other nations make strides in adopting unified cyber strategies or national cyber policies. For example, a few years ago, the UK adopted a national cyber strategy covering 2016 through 2021. More recently, Canada has set aside over $500 million in its 2018 federal budget to fund development of a new cybersecurity strategy and to develop a new Canadian Centre for Cyber Security.
Admittedly, approaches suitable in other countries might not translate well here in the US for various reasons, but it may be worth examining their approaches to determine what we might learn from their experiences. To facilitate a productive dialogue, what factors would we need to consider in developing a more unified approach to cybersecurity? Many groups have studied and written on this issue, but I believe it's useful to lay out key cyber functions so that we can consider them holistically at the federal level.
- One such function involves policy and planning. In forming a unified cyber strategy, careful thought must be given to how national-level cybersecurity policies and plans will be developed, coordinated, and implemented.
- A national cyber strategy will not be successful unless it facilitates engagement among the public sector, private companies, and other governments on cybersecurity. DHS efforts have certainly improved information sharing between the public and private sectors over the past several years, but work remains. Private sector companies are on the front lines of the latest developments in malicious cyber activity — after all, they are the targets — and their knowledge is invaluable both to other companies and to the government.
- We must establish clear standards for the security of networks and connected devices so that companies understand what the expectations are. The government could lead by example by increasing the security standards for federal government and government contractor networks, but this is not a complete solution. A governmental or industry regulatory body responsible for developing and enforcing standards and regulations relating to cybersecurity is almost universally recognized as key to the success of a national cyber strategy. This function could be centralized in one organization to ensure consistency in standards and enforcement; however, centralizing this function does not necessarily mean that organizations outside of the government could not provide valuable input on appropriate cybersecurity standards or conduct independent verification of the government’s adherence to those standards. Indeed, a critical component of this function’s success will be securing the confidence of industry and the public that the standards established are well-intended and are not, in fact, designed to facilitate government surveillance of U.S. persons or otherwise allow unacceptable intrusions on privacy.
- Nevertheless, unified standards and policies are not likely to make an impact unless we can translate them into guidance for users that can be easily and effectively implemented. Thus, education is one function that may be conducive to centralization within a single organization as part of an overarching national cyber strategy. Importantly, educational efforts should be aimed at various types of audiences. For example, individual users might be most in need of tips and best practices for securing home networks and personal devices, while corporate network owners could benefit more from technical information tailored to their specific industry. The UK has started to make great strides in this area. Recognizing the need to speak directly to different types of audiences, the UK’s new National Cybersecurity Centre has been issuing guidance tailored for readers of differing levels of sophistication. For example, NCSC has posted common sense guidance for everyday internet users about how to implement meaningful password protection while avoiding cybersecurity fatigue — the recently documented phenomenon in which individuals are feeling overwhelmed by the scope of the cyber threat and frustrated with complex cybersecurity guidance. On another end of the spectrum, they also recently posted information for local authorities about securing systems supporting local elections.
- A unified and nationally prioritized federal budgetary authority would clearly be a critical component of a new cybersecurity strategy. To oversimplify the options: in one model, each federal department could manage its own cybersecurity budget. After all, each one knows its own systems, equipment, and requirements the best and can balance its own competing priorities. But another model recognizes that cyber threats and vulnerabilities often cut across multiple departments and agencies, and thus it may make sense to consolidate control of the cybersecurity purse strings so that needs can be centrally prioritized and addressed in a way that is optimal for the entire federal enterprise.
- Turning to operational considerations, one obvious function is network monitoring. The theoretical efficiencies that might be gained by centralizing this function would probably be overwhelmed by the sheer enormity of the task and the variations among federal network configurations. We must instead identify a structure that permits centralized visibility over federal government networks but that remains operationally agile to respond to individual agency variations and requirements.
- Once a cyber incident has been identified, at least two critical follow-on functions must occur: remediation and response, and victim notification and outreach. Response and remediation in the wake of malicious cyber activity is one of the most important components of cybersecurity. In the UK, the NCSC has handled this function by making available a list of pre-approved private sector vendors who can assist victims with cyber remediation. Developers of a national strategy here in the US will have to consider whether these functions should be centralized within a single organization or, as in the UK model, shared with other government agencies or private sector organizations.
- Regardless of which organization is ultimately deemed responsible for these two operational functions, both must be carried out in close coordination with law enforcement, given the law enforcement sensitivities inherent in victim outreach and remediation efforts. A national cyber strategy should ensure that criminal investigatory functions remain with the FBI as the primary domestic law enforcement agency (or other specialized law enforcement agencies, as appropriate), even if other cybersecurity responsibilities are centralized elsewhere.
- Finally, attribution of malicious cyber activity is a function that should be incorporated into a national cyber strategy. Attribution often requires the expertise of various government components; however, primary responsibility for coordinating efforts to attribute malicious cyber activity could be centralized within one agency. Regardless of how a national cyber strategy assigns this function, I would expect NSA to have an important role to play in the execution of this function, given the Agency’s expertise in this area.
Let me turn now to my third and final point: the federal government is a necessary, but not a sufficient, participant in a unified cyber strategy. All of the considerations I just discussed are certainly important components of a government-led national-level cybersecurity vision. Indeed, when discussing how best to address the cyber threat, much has been made of the need for a “whole-of-government” approach. Yet, even at its most effective, the US government cannot stand alone in securing our nation’s most critical systems while cyber vulnerabilities abound in other networks and systems not under government control. What we truly need might be more aptly described as a “whole-of-users” approach. Those users include, on one level or another, other nations, private sector network owners, and even everyday users of cyber technologies.
To date, the US government has played a leading role in defending against and responding to malicious international cyber activity, whether acting alone or in concert with close allies like the UK. The US already deploys non-cyber tools, such as sanctions, public attribution, criminal charges, and extradition, in its responses to that activity. Other nations should recognize the global nature of the problem and take a multilateral approach to cyber threat response — and not merely leave it to the US.
Even so, this isn’t a problem solely for governments to solve; as I’ve already noted, the private sector has a role to play as well. In general, the private sector is well aware of the seriousness of the cyber threat, and some industries, such as the financial and electric sectors, have invested significant time and resources into shoring up their critical components and networks. There are many individuals and small businesses, however, who may not have the resources to invest in upgrading and maintaining expensive equipment, who may not have access to trained personnel who can provide cybersecurity services, who may be confused by complicated cybersecurity guidance, or who may simply think that they are too small to be a target. Some private network owners — including those who control critical infrastructure — may be willing to accept some security risks in their networks that would be unacceptable to the government. Because we are dealing with a range of expertise and resources, we need to more clearly define private sector responsibilities for cybersecurity and tailor laws and standards accordingly.
We also need the private sector to throw their weight behind government efforts to address threats in cyberspace. If we’re going to be successful, companies must share information about what they’re seeing on their own networks and take the initiative to propose their own solutions. Indeed, because the vast majority of our nation’s critical infrastructure is privately owned, one could argue that those private sector companies actually share with us a piece of our national security mission.
The enormity of these challenges cannot be overstated. Malefactors of cyber will, in all probability, be ever more successful before we as a society will be able to blunt or negate this threat. But this very probability — the sheer foreseeability of possible and grave harm — underscores the need for our society to do more to counter this almost existential threat. The alternative is to wait until one cyber incident after another forces us to adopt piecemeal solutions to what we all recognize is actually an overarching issue that must be addressed through a comprehensive approach. We need to own this problem that we’ve all created, and take aggressive steps to manage it before a calamity occurs. After all, with a tool as accessible, cost-effective, and easy to use as cyberspace, we just can’t predict from which hot dog cart the next big attack will emerge.