The worldwide WannaCry ransomware, which targeted computers running the Microsoft Windows operating system, was an admonition to everyone who connects to cyberspace – especially the U.S. intelligence community.
WannaCry was only the most recent example in a long line of high-profile cyber attacks demonstrating that the timely application of basic technical controls – including patching, firewalls, and backups – is the first step in reducing the attack surface. Microsoft issued a "critical patch" almost two months before the attack and a full month before the hacking group known as the Shadow Brokers leaked the EternalBlue exploit tool.
While the U.S. government is still in the nascent stages of crafting a coherent cybersecurity policy with clear executive and legislative components to enable and secure the cyber mission, those who neglect any opportunity to harden their technical defenses do so at their own peril.
At the same time, the global cyber attack should be ringing alarm bells, not because a warning about a zero-day vulnerability was lacking, but because the attack exploited the government's failure to protect a highly classified hacking tool that had been built to enable offensive cyber operations.
Reading about WannaCry, American citizens may have wondered why our intelligence community could not have stopped it, and why the attack was not disrupted before its launch.
The world is now wired into networks with virtually instantaneous interaction, which enables free expression and commerce, but also carries risk from criminals as well as hostile states.
The best cyber defense results from successfully collecting the right data, analyzing it in conjunction with other sources of information – such as network data, past intrusion activity, and adversary profiles – and transmitting the intelligence analysis to executive decision makers. This requires resolving the growing dissonance between the public and private sectors resulting from a perceived zero-sum game of competing collection and cyber defense missions. It is essential for maintaining U.S. national security.
The aftermath of the 2015 San Bernardino attack demonstrated a growing schism between the U.S. government's and the private sector's approaches to cyber security. While the FBI sought to collect counterterrorism intelligence, Apple was understandably loath to degrade the security of its device. Requiring Apple to weaken the iPhone's encryption would have harmed one critical element of national security while seeking to serve another, creating a dangerous precedent for public-private sector collaboration.
U.S. national security depends as much on conducting effective forensics following a terrorist attack as it does on protecting the security of cyberspace in which companies entrust their intellectual property and sensitive data. The FBI's eventual use of a cyber tool to unlock the iPhone simply deferred public debate on the benefits and costs of mutually exclusive offensive intelligence collection and defensive technical countermeasures.
As the vast majority of network intrusions can attest, the most serious risk to cybersecurity is the human element – or the "skin behind the keyboard," in the words of FBI Deputy Assistant Director Donald Freese. The private and public sectors must both protect against the insider threat, which comes from unwitting employees, who require training to appreciate and defend against the risks of operating in cyberspace, as well as from malicious employees with ill intent.
In light of torrential leaks from Edward Snowden and, more recently, the Vault 7 documents allegedly belonging to the CIA that were published on WikiLeaks, it will not be enough for the Intelligence Community to highlight the value of cyber collection without simultaneously considering the potential collateral risk to cyber defense should the tools make their way into the hands of others. More than ever, the private sector rightly expects the government to take a Hippocratic oath of doing no harm to cybersecurity when conducting offensive operations. Without increasingly effective counterintelligence and insider threat mitigation strategies to protect the cyber tools that generate such valuable intelligence, the Intelligence Community risks a diminution of support for the offensive cyber operations on which U.S. national security so deeply relies.