Editor’s Note: Over the coming days, The Cipher Brief presents some of our most incisive coverage on key issues of 2016 and a look ahead at what is yet to come in 2017.
From disruptive distributed denial of service (DDoS) attacks rendering entire swathes of the Internet including Netflix, Twitter, PayPal, CNN, The New York Times, and Amazon hosting services inaccessible, to nation-states inserting themselves into the democratic process of other countries’ self-determination, it has truly been a landmark year for cybersecurity—or lack thereof.
Nations are desperately attempting to exert national sovereignty over cyberspace via controversial new laws, massive breaches compromising the personal data of millions continue, and the stalemate over encryption technology endures as the rift between Washington and Silicon Valley only grows.
Cybercriminals are as prevalent as ever, and nation-states have been emboldened in cyberspace. While both China and Russia use cyberspace to conduct all forms of espionage, China focuses on furthering its economic goals while Russia uses its toolset for influence operations to further its foreign policy objectives.
Perhaps most importantly, the reliability of attribution has come under increasing scrutiny, particularly because many states outsource their cyber operations to proxy outfits, making the last mile of attribution even more challenging. As a result, the political will to respond to state-sponsored hacking is often lacking—a major hindrance to any hope of deterrence in cyberspace.
So how should one best characterize the security of the virtual domain in 2016? And what have we learned that may illuminate cybersecurity efforts in 2017?
Chinese Economic Espionage
Following the U.S. indictment of Chinese military hackers last year and the subsequent agreement between the U.S. and China to halt economic espionage targeting intellectual property, China’s cyber activity appears to have declined this year—suggesting that responding to cyber attacks can actually create deterrence.
However, Leo Taddeo, Chief Security Officer for Cryptzone, suggests this conclusion could be misleading—the Chinese may have simply modified their tactics to conceal their actions, or placed their operations on “a temporary pause.” The Chinese “have a long view of their economy and their relationship with the United States, and it would not be rational to jeopardize ongoing trade talks or sensitive discussions about the South China Sea,” Taddeo argues, by simultaneously “being accused of continuing to hack into sensitive U.S. networks.”
The Internet of Things
Meanwhile, 2016 saw the dark side of the Internet of Things (IoT)—the class of Internet-connected devices like routers, DVRs, and webcams. These systems can be used as a launch pad for large-scale disruptive cyber attacks against critical systems. The Mirai malware—now available in full online and open to modification—spreads by scanning for devices whose default login credentials provide easy entry, then turns them into bots capable of flooding servers with artificial traffic until they crash.
Most notably, this kind of automated botnet DDoS attack temporarily took down the domain service Dyn, cutting Internet connectivity across the East Coast and halting access to information services like Twitter for hours. Not long after, the entire country of Liberia was forced offline after it experienced a similar attack. Then five major Russian banks also fell victim to the IoT’s disruptive capacity. Weaponizing these internet-connected devices was a major theme of 2016 and the threat posed by botnets will likely expand.
Law Enforcement’s Response
The FBI and international law enforcement agencies, faced with outdated laws that do not address the scope of these botnets, have made changes of their own. In the United States, new amendments to what is known as Rule 41 are intended to better equip the FBI to tackle such geographically dispersed botnet attacks. But the changes also present challenges to privacy, and their implementation could, in the eyes of some experts, result in unintended collateral damage, undermining overall cybersecurity.
Other countries, notably the U.K. and China, recently passed new laws similarly rationalized by the need to address cybercrime and seeking to impose national sovereignty in a new sphere that is commonly portrayed as anarchic. However, these laws include extensive monitoring of online interactions, causing concern among privacy advocates. In their eyes, strong encryption technology continues to be misunderstood by government entities as a tool intended to let malicious actors “go dark,” rather than as a fundamental security measure against data theft for all.
At the same time, however, Internet companies are providing unprecedented amounts of consumer data to intelligence services, both foreign and domestic. This has pushed countries like Russia and China to either deny certain internet services entry into their market or adopt data localization laws, not only so they have access to their own citizens’ data, but also so foreign governments do not.
Weak Links in Cybersecurity
Foreign-made hardware and software supply chains also present vulnerabilities through the creation of deliberate backdoors—often under the guise of remote firmware updates—like those discovered in hundreds of Android phones in the United States sending user data and content back to China. This supply chain problem becomes acutely difficult with the push toward modernizing U.S. federal IT systems, particularly those of the Pentagon and the Intelligence Community.
Meanwhile, breaches that reveal consumer data can have lasting financial and reputational costs. After reaching a deal to sell the company to Verizon, Yahoo acknowledged two separate breaches this year (though they occurred in 2014), which compromised a combined 1.5 billion accounts. Verizon is now reportedly considering reneging on the $4.8 billion deal.
Often, the greatest threat to an organization’s cybersecurity is employee malpractice, whether it be falling prey to phishing attacks or simply ignoring security protocol—maliciously or not. Investigators have found that Bangladesh banking officials deliberately allowed hackers into their Society for Worldwide Interbank Financial Telecommunication (SWIFT) networks, a global financial messaging system used to transfer billions of dollars daily, to haul out some $81 million. Forensic evidence suggests the group known as The Shadow Brokers, who are currently attempting to sell stolen National Security Agency (NSA) exploits online, obtained them through a rogue insider rather than through an external hack. There have also reportedly been links found between the material exposed by The Shadow Brokers and the material allegedly stolen by the NSA contractor Hal Martin. Despite new and sophisticated technical capabilities, the human factor, often referred to as the insider threat, remains the weakest point in cybersecurity.
Russian Interference and the Challenge of Attribution
The most prominent story in 2016—and likely the most prophetic—is the Russian breach of the Democratic National Committee (DNC) and Clinton Campaign Chair John Podesta’s email account followed by the strategic release of embarrassing correspondence throughout the course of the United States election season. The extent to which the leaks swayed the election in favor of President-elect Donald Trump—or whether that was even the original intent—will likely never be known, but the evidence identifying Russia’s hand is, for many, highly persuasive. The U.S. Intelligence Community has unanimously identified “Russia’s senior-most officials,” yet the President-elect has brushed off those claims with what many national security experts deem reckless abandon.
Part of the reason Trump has been able to deny Russian involvement, however, is the challenge of providing compelling evidence. Rob Dannenberg, the former head of security at Goldman Sachs and a 24-year veteran of the CIA, argues states like Russia often use proxy actors when conducting cyber attacks specifically for the purpose of disputing their involvement. He writes: “The cyber proxy approach has many advantages, including plausible deniability, relatively low cost, little chance of political blowback, and very little legal recourse for the target or victim.”
Short of damning intercepted communications or an informant in the room, evidence for attribution is largely based on forensic, behavioral, and geopolitical analysis that can be shaped into probabilistic intelligence estimates. For example, new forensic and behavioral evidence tying the DNC hackers to military operations against Ukrainian forces in 2014 can be combined with geopolitical analysis to conclude it was the work of the Russian military.
But such deductions leave room for reasonable doubt and create an atmosphere in which the political will to respond to cyber attacks by nation-states is fragile and uninformed. This fails to create deterrence, signaling to nation-states that they can continue with their present behavior—or perhaps even escalate it—and will likely endure no consequences.
Possibly the most important lesson learned in 2016 is that there is a need for a viable framework in which the United States can respond to cyber attacks based upon an agreed level of confidence in the attribution of the attacks.
Ultimately, there is little to suggest that any of these problems will not persist into the New Year.
Levi Maxey is the cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.