Rational Security

How to Protect Yourself from the Online Axis of Evil

North Korea and Iran are viewed as threats to the world because of their potential to field weapons of mass destruction, but they are far more likely to focus their malfeasance on "mass disruption" via cyber attacks. Should either state ever step out of nuclear line, overwhelming retaliation would follow. But in cyberspace, both Tehran and Pyongyang are credible powers capable of and apparently quite willing to make considerable mischief. Iran appears to have mounted a serious attack on the Saudi oil industry recently, wiping out critical data on tens of thousands of machines with the so-called Shamoon virus. North Korea is thought to have just attacked its southern neighbor’s banking sector — the latest in a steady stream of cyber strikes spanning several years.

Yet there has been no response-in-kind, which suggests that cyber attackers will press on with a growing sense of impunity, making the task of deterring them quite difficult. Indeed, instead of posing retaliatory threats — the key to successful deterrence during the Cold War — there appears to be a willingness to live under cyber siege, relying instead on improving defenses. Over the past few days, while all eyes have been riveted on the Snowden leaks, word has also gotten out, more quietly, about ongoing American efforts to craft cyber defensive coalitions with countries in the Persian Gulf region and in Northeast Asia. Information about these alliances remains proprietary, but it would be hard to think of them arising in the absence of Saudi Arabia and Qatar in response to the perceived threat from Iran, or without Japan and Taiwan when it comes to dealing with North Korea.

It is a very good thing that these alliances are forming. That they may rely on American cybersecurity strategies is a bit more problematic. The United States rates quite low in terms of its defensive capabilities. Last summer at the Aspen Security Forum, General Keith Alexander, head of both Cyber Command and the National Security Agency, publicly rated American cybersecurity a "3" on a scale of 1-10. Former government cyber czar Richard Clarke was a tougher grader, giving Washington a "1." The point is, it is one thing to build cyber defensive alliances, quite another to actually mount robust defenses. And ambiguous American threats either to "pre-empt" imminent cyber attacks or to respond with physical force are simply not very credible. It is extremely difficult to catch enemy electrons while they are massing — or whatever they do before being launched — and highly unlikely that the U.S. military will be authorized to go off and break things, and possibly kill people, in response to even costly cyber disruptions.

So the defensive alliances forming up should perhaps start, not so much by taking American direction as by opening up a spirited discourse on alternative cybersecurity paradigms. This would be good both for them and for the United States, as it is clear that American reliance on anti-virals and firewalls will not get the job done. One master hacker of my acquaintance likes to put it this way: "There are no firewalls, because they only recognize what they already know." This does not mean throwing these defenses out completely, as they do have some value. But it does mean shifting emphasis to more effective means.

For reasons that still baffle me, the ubiquitous use of very strong encryption has been neglected, sometimes resisted. Indeed, under American law there was a time not too long ago when it was illegal for the average citizen to have and use the strongest code-making capabilities. This silliness stopped some years ago, yet even with our first cyber president in office — he is very attached to his personal information technology suite — his bully pulpit is hardly being used to tell Americans to encrypt, encrypt, encrypt.

There are additional strategies that the emerging cyber defensive alliances should consider, perhaps the best among them being the resort to concealment in "the Cloud," an airy place in cyberspace outside one’s own system where information can be encrypted, broken into several pieces, stored with much improved security, and called back home with a click. A place closer in, called "the fog," is the area of unused capacity in a friendly network, and it offers another way to move information around and keep it concealed. Both these approaches deal with another of the problems that my hacker friend describes: "If data just sits in your system, someone will get at it. Data at rest is data at risk. Keep it moving."

Not only will consideration of these alternative strategies improve security against the threats posed by Iran and North Korea, but adopting them would go a long way toward dealing with the nettlesome intrusions that are believed to emanate from China. President Obama has made very little progress with President Xi on cyber matters; in addition to jawboning Beijing, Washington should develop a sense of urgency about getting better at cyberdefense. After all, when the head of Cyber Command and a long-time senior official with a cyber portfolio both give failing marks to our cyberdefenses, it is high time to do something in addition to talking. If there is ever to be an effective behavior-based agreement to refrain from cyber attacks on, say, civilian infrastructure, I guarantee it will only happen when all parties have strong defenses in place as well.

So let me suggest that, for all the attention that will no doubt be devoted to the PRISM debate — so relevant to the matter of dealing with terrorist networks — equal time should be given to the matter of developing defenses as strong as the alliances that are being forged against the looming threat of cyberspace-based weapons of mass disruption. For it is possible, in the course of what may become a protracted, divisive domestic debate about big-data intelligence gathering methods, that the crucial need to improve our and our allies’ cyberdefenses will be neglected. The anguish over possibly undue intrusions into our privacy will pale in comparison to the economic, social, and strategic costs that will be inflicted on the world — not just the United States — if we fail to act now to improve cyberdefenses.