Setting aside all of the national security issues surrounding the Shadow Brokers leak of the hacking tools developed by the NSA that resulted in last week’s global cyberattacks, an even larger issue looms.
The distinction between cyber and physical attacks is blurring. Instead of just interrupting personal computers and corporate networks used for accounting and billing, the WannaCry attack targeted hospitals and pharmacies, causing cancelled procedures and a massive rescheduling of appointments for medical procedures.
The same malicious code was used in the Sony Pictures hack and may have been used to ransom the latest release of the Pirates of the Caribbean movie. Now, civilians along with state actors have access to the same grade of online weaponry that our own NSA has been using for years to disrupt events inside our foreign adversaries’ governments and military operations.
If we haven’t yet crossed the line to a more traditional form of retaliation, we may well do so in the coming months. Then what?
Attribution is virtually impossible, and applying the rules of war to the internet age, determining who is responsible and deciding how to respond, is making foreign policy far more complex than it has ever been.
Whether WannaCry was the first global nation-state attack or not, and whether it thrusts this ransomware pandemic into the sphere of North Korea’s cyber activity, is still up for grabs. But what it did do was enable a glimpse into what is now possible when cyber-attacks are conducted on a large scale. We can extrapolate consequences to life-or-death scenarios in operating rooms, recovery facilities, and medical devices used for post-operative treatments, like pacemakers and defibrillators, drug delivery systems and organ monitors.
But even these targets are only a tiny fraction of the myriad of attack possibilities in our new Internet-connected world.
IoT is rapidly coming online and creating a dramatically expanded attack surface for anyone with a few bucks and an active curiosity. Take the recent case of the 11-year-old who demonstrated to a hall full of stunned security experts how easily he could manipulate a toy bear.
He simply used his mini-laptop to scan the hall for available Bluetooth-enabled devices, downloaded dozens of numbers and then proceeded to direct the robotic toy bear to light up and record and send messages. That mini-laptop, by the way, set him back $35.
Whether it’s the Bluetooth functionality that most Internet-connected devices use or some future replacement technology, we will soon be overwhelmed with millions of devices all sharing the same vulnerabilities as that robotic teddy bear. Imagine your home appliances, TVs, cars, airplanes, and everything that can be connected to the Internet as a huge attack surface wherein criminals with an 11-year-old’s education, a fistful of dollars and malicious intent can spy on, damage or hold for ransom conveniences or necessities that are all now part of our everyday lives.
Because our responses to cyberattacks are still passive, and it is nearly impossible to anticipate a cyberattack or trace the source back to the actual perpetrator, we are placed in a difficult and frustrating position relative to combating this class of warfare in the future. Attackers frequently hijack innocent systems and use them as ‘zombies’ in conducting their attacks, not just to obfuscate the actual source but to bait the victim into a misdirected counter-attack.
We can’t really declare war on what we think is the responsible actor only to discover later that the threats are originating elsewhere. That might be actual cause for impeachment.
So, what we are left with is this strange feeling of exposed vulnerability where the supposed strongest nation on earth is essentially defenseless when it comes to what may be the most significant threat in modern warfare. Oddly, we continue to embrace and enthusiastically consume the latest Internet-connected thing while continuing to ignore the cumulative risk. It’s akin to saying that we know stuff is dangerous, but we also know that our government will protect us if something goes wrong.
Well, something IS wrong, and there is no evidence that our government can protect us. On the contrary, there is mounting evidence that we have no overarching cyber defense plan or capability and in fact our government is actually playing a major role in contributing to the threat. The latest Trump executive order underscores this reality.
In our minds, we continue to draw this imaginary line between online things and offline things.
We one-click our way to tweets that shape global political relations, Uber ourselves a taxi and cause vast amounts of stuff to arrive at our doorstep one day later.
That line is an illusion and, as we will soon see with the advent of connected everything, future online wars will not be confined to Starbucks outages or hospital appointment booking failures.