Pundits will pick over the lessons of 2016 for a long time, and as they do, cyber experts are looking at the past year and finding lessons as well, with far-reaching implications for our nation’s security.
For most Americans, the 2016 election was the year cybersecurity moved from being an IT issue to one of great political significance. This was evidenced by the 20,000 hacked emails released by WikiLeaks on the eve of the Democratic National Convention to the phishing attack that gained access to Clinton Campaign Chairman John Podesta’s email. No previous election has highlighted for the American people how much we rely on the cyber domain and how much is vulnerable to attack as a result.
With 2016 now behind us, it is worth looking at some of the lessons we learned that will change the way we see cybersecurity and, as a result, our national security.
Cyber is now pervasive
The public is beginning to understand that cybersecurity is no longer solely about protecting computer networks but rather protecting how we live. The convergence of business, national defense, and personal activities on the same devices and networks create opportunities for adversaries to exploit the smallest details of our lives. The network we must now protect includes so much more than computers; it includes things like networked cars, connected appliances, and millions of sensors and processors in addition to the phones, tablets, and devices on which we now rely for information and connectivity to the rest of the world.
This became clear in the days leading up to the election when cyberattacks, generated from millions of hacked home devices, targeted a company that serves as a “switchboard” for the web. Slowing Internet connections on the East Coast to a crawl, the Mirai distributed denial of service (DDoS) attack, as it became known, shut down sites such as Paypal, Twitter, CNN, and Netflix, and those hosted by Amazon. With tens of millions of attacks coming at the targeted company from thousands of devices, the attack showed how diverse the cyber ecosystem of devices has become, and how vulnerable we are to losing the services it provides.
Cyber warfare is targeting commercial companies and private institutions
The cyber domain – the very same network where we communicate, work, bank, and seek entertainment – is now the terrain over which nation-states are playing out their battles. Cyber warfare is being waged across commercial networks with companies and private institutions in its sights. We saw this during the election, as the DNC and targeted Gmail accounts were the targets of sophisticated nation-state hackers. With most of our critical infrastructure and more than 85 percent of the known Internet to be in the hands of the private sector, we can expect in the future for .com to be just as important, or more so, as .gov and .mil.
A major concern is in protecting that commercial domain. When hackers enjoy the resources of a nation state, most companies and private organizations without more sophisticated tools and intelligence don’t stand a chance.
Global supply chains increase our vulnerability to insider threats
The day after the election, news broke of Android phones in the U.S. sending data back to a Chinese manufacturer that is owned by the state. This event, while not connected to the election, revealed how easy it is for actors across a global supply chain to compromise personal devices without the awareness of customers or manufacturers. This kind of compromise does not require a hacker to break into a network. Instead, it was an insider threat—one with acknowledged access—siphoning mountains of data. Without cybersecurity technologies that monitor how data is moving, our networks and devices could be secretly working against us.
We are still vulnerable to the simplest of attacks
Today, the majority of initial attacks are still rather simple and easy to execute. John Podesta’s email breach, for example, was caused by a basic phishing attack: a disguised email, which even fooled the campaign’s IT team, prompted Podesta to change his password via a malicious link. Defending against this kind of attack requires basic training for those entrusted with access to a network. It is still the case today that few employees are told what to be on the look-out for that is suspicious. This reinforces the notion that people are still the most important element in effective cybersecurity.
Non-state actors are as dangerous in the cyber domain as nation-states
Director of National Intelligence Jim Clapper announced in October the massive Mirai attack was not the work of a nation-state but instead, non-state actors. For cyber experts, the use of this term set off alarm bells. Non-state actors in cyber are becoming more dangerous as the international marketplace for cyber mercenaries grows. Nation-states hoping to keep their actions in the cyber domain hidden have been known to outsource this work—often overcoming a lack of expertise inside their own borders. As a result, hacker networks can thrive and proliferate with sponsorship, and they can move from country to country evading criminal prosecution.
The non-state actors behind the Mirai DDoS attacks have no proven connections to nation-state sponsorship, but they, along with those behind other attacks on U.S. hospitals and police departments, have shown the dangerous impact hacker mercenaries can have on our way of life while nation-states may be restrained from such actions without a declaration of war.
We do not have enough cyber experts
If the cyberattacks of 2016 have shown anything, it’s the dire need we have for more cybersecurity professionals. While companies are finding more ways to connect the products they make and the services they provide to the Internet, the opportunities for attacks are growing exponentially. At the same time, we are not training the workforce fast enough to help companies and institutions navigate and defend their interests in this domain. The realization is setting in that we will not out-hire the cyber threat. Instead, we need investment in the technologies that can tip the balance back in the favor of the defenders. The self-healing systems that DARPA (Defense Advanced Research Projects Agency) is helping to create, the power of quantum physics for encryption, and virtual security operations centers for those companies not prepared to defend against sophisticated threats all offer promise. At the end of the day, innovation brought us the Internet, and it will require innovation to secure it.