The Council on Foreign Relations recently released a document that challenges the “utopian vision” of an open, reliable, and secure global network.
According to the Independent Task Force’s Report No. 80, such a goal “has not been achieved and is unlikely to ever be achieved. Today the internet is less free, more fragmented and less secure.”
Among its numerous claims, the right-wing think-tank document asserts that “[c]ybercrime is a national security risk and ransomware attacks on hospitals, schools, businesses and local governments should be treated as such.”
The report provides a number of insights and recommendations on how to mitigate or prevent these attacks. But like similar documents floating around in cyberspace, it has a serious flaw: it assumes that cyberattacks on critical government structures – administration, military installations, research and infrastructure – can somehow be pinpointed, mitigated to a meaningful degree, or prevented altogether. That assumption is wrong.
That’s because the three pillars of cyber defense—attribution, mitigation, and prevention—are misinterpreted and the overall structure built upon them is inadequate.
Let’s start with attribution. In order to successfully prevent, mitigate, and defend against an attack, one must first identify its origins.
In fact, although government agencies and security firms will do their best to convince you otherwise, it is not easy – and sometimes impossible – to pin an attack down to a specific person or country.
Hackers use sophisticated methods to disguise their identities, often relying on the work of other hackers, creating or activating botnets, and reusing exploits against target systems.
Fingerprinting – i.e. identifying the Tactics, Techniques and Procedures (TTPs) used by attackers – is one of the most commonly used methods to indirectly determine the origin of an attack. However, this approach relies on the assumption that hackers rarely change their MO or tools of the trade when looking for vulnerabilities and executing attacks. This may be the case with novices, but not so much with professional malicious actors.
In one recent attack, suspected Russian hackers used Iranian infrastructure, tools, and methods to launch attacks, distract defenses, and disguise their identities. As hackers adapt and update their techniques, fingerprinting becomes less and less reliable.
Furthermore, while governments devote considerable resources to tracking down the attackers, they are fighting an uphill battle against numerous, ill-defined opponents. It takes significant effort—both money and time—to identify the source of an attack.
On the other hand, it doesn’t take too much effort for a single hacker – or more commonly a group – to launch an attack. The infrastructure they need to do their jobs is minimal, and there are plenty of tools, exploits, and connections to speed up their efforts and cover their tracks in the process.
Moreover, the most successful attacks on government infrastructure are not single-pronged. They rely on multiple attack vectors ranging from brute-force DDoS (Distributed Denial-of-Service) to exploits, social engineering and botnets.
As the Internet of Things (IoT) infrastructure proliferates, hackers have even more entry points from which to infiltrate networks and inject digital listeners and malicious code to execute sophisticated attack patterns.
Therefore, not only is it extremely difficult to pinpoint an attack accurately, it is also impossible to detect and respond to a parabolic growth of attacks as the attack surface expands exponentially due to the hyper-digitalization trends of the modern world.
What about mitigation or, even better, prevention?
Attribution and defense usually occur in response to an attack that has already taken place. By this point, significant damage has already been done, and the focus is on cutting off the attacker from the infrastructure, determining the level of damage, and increasing security for the future. As such, the mitigation is negligible.
Prevention is (almost) impossible these days due to the trend of augmenting any analog device with an automated, digital, internet-connected listener, creating wonderful opportunities for hackers.
It empowers them to exert their influence on an item that was inert and impermeable in the past. Once they gain access to the device, hackers can eavesdrop on conversations, log activities, launch attacks, relay communications… the possibilities are endless.
Patching devices to prevent abuse, while useful, is never a cure. After all, who can guarantee that the patch itself won’t contain a hidden backdoor for hackers if the software distribution center is hacked? Preventing such attacks in a digitally dominated environment is like trying to patch all the holes in Swiss cheese: the more devices we connect worldwide, the more holes are added to the proverbial cheese.
One last note needs to be added here: we are not talking about hacking, phishing and spying on citizens and private companies. We are talking about governments and government-related infrastructure of the highest importance: nuclear command, control and communications (NC3) systems, expensive energy infrastructure, research facilities with valuable data, and intelligence data storage.
This infrastructure is so important that we must speak in absolutes: full prevention and mitigation, full and correct attribution. Unfortunately, these absolutes are unattainable today.
The ideas – especially those mentioned in the CFR document – do not solve the problem. Instead, they have the potential to turn cyberterrorism into an excuse to impose even more control and censorship.
If we really want to address cybersecurity, we need to go back to the infrastructure that’s impervious to digital tampering: analog. Even air gapping can be circumvented, but a lever can only be pulled by a human. The implication: all key control points in critical parts of risk-critical infrastructure must be analog.
Again, there are risk factors as people can be malicious, bribed or manipulated, but they are outside of the digital realm and fall into a different category of national security.
What about systems that absolutely must remain digital? Their importance should be assessed against their vulnerability.
All standard preventive measures must be taken, but it should be clear that these systems will remain vulnerable. And it needs to be reiterated: these measures should have nothing to do with “internet fragmentation” or the pressure on ISPs to crowd out bad actors based on faulty and unreliable data.
Instead, two-factor authentication, encryption, cybersecurity hygiene and education, and more should provide a reasonable level of security.
Anything else is misleading.