The declassified 1991 US National Research Council report “Computers at Risk: Secure Computing in the Information Age” stated the problem clearly:
We are at risk. America is increasingly dependent on computers. They control power distribution, communications, aviation and financial services. They are used to store important information from medical records to business plans to criminal records. Although we rely on them, they are vulnerable – to the effects of poor design and inadequate quality control, to accident, and perhaps most dangerously, to deliberate attack.
Three decades later, the lone superpower has become accustomed to deliberately becoming a victim of cyber attacks. The ransomware hit major cities, local governments, hospitals and schools especially hard, from Baltimore to Atlanta. Even third-class powers directly attack the American homeland.
On Christmas 2014, Sony Pictures Entertainment (SPE), a California-based entertainment company that employed more than 9,000 people, was scheduled to release the film. interview, The action-comedy plot revolves around the Central Intelligence Agency (CIA) recruiting some incompetent American entertainers to assassinate Supreme Leader Kim Jong-un in Pyongyang. The Democratic People’s Republic of Korea (DPRK) deemed the assassination plot intolerable, an act of terrorism and war, and threatened predictably merciless retaliation. But this time, the backward and isolated state found a way to project power into the United States.
Cyber attackers then stole, wiped out terabytes of data, and disabled thousands of SPE computers in the United States, the United Kingdom, and elsewhere. SPE did not comply with the hackers’ demands, and went ahead with its plan to release interview, Then, the cyber attackers published four unpublished films, along with SPE’s internal emails, payroll lists and business plans. The Western media supposedly hosted a feast of gossip based on SPE’s emails. The perpetrators threatened to publish confidential data and personally threatened 3,800 US SPE employees. As SPE had yet to decide the fate of the film, on December 16, North Korean cyber attackers threatened to physically attack US cinemas for a screening of the film; AMC Theaters and most major cinema owners immediately refused to screen the film. Now, Sony has decided not to release the film, effectively giving in to North Korea. Despite President Barack Obama’s intervention, the regressive DPRK publicly intimidated the United States.
Iran, like North Korea, is hostile to the United States even though it lacks economic or military power projection capability. Like North Korea, Iran also demonstrated effective use of cyber power. For example, a US Department of Justice (DOJ) indictment made public on March 23, 2018 described how many Iranians organized the Mabna Institute in Tehran to target more than 100,000 professors at 320 universities, including the United States. Includes 144 in the US and 176 in twenty. Another country. The small team had achieved global reach using known tactics, techniques and procedures (TTPs), such as spear-phishing and password spraying, without doing any meaningful R&D. The Iranians then used thousands of stolen credentials (including 3,768 accounts in US universities) to acquire $3 billion of Western intellectual property. The criminals aided the Iranian national effort on behalf of the Islamic Revolutionary Guard Corps (IRGC) and made profits by selling stolen data and credentials. In addition, Iran and North Korea have taken advantage of ransomware to attack the US homeland.
What do these attacks have in common with the recent ransomware spree? A foreign adversary contemplating a devastating attack on a US stronghold faces state-class defenders on land, sea, and air. A foreign adversary launching a direct cyberattack on a non-military homeland target would face none.
Why did this lack of state-class defense become the norm? Lack of capabilities cannot be the reason. After all, the United States boasts second-to-none intelligence and military forces, global operational experience, ample awareness, and big budgets. In addition, Americans have cyberspace based on an excellent innovation system and wide industrial base. The current argument (correctly) asserts that a military approach to protecting civilian targets from cyber threats does not fit. However, it can be misused by the defense and military establishment to avoid the burden of change. A recent Congressional Research Service report “Defense Primer: Cybersecurity Operations” briefly describes the federal cybersecurity organization. The primary defender, the Department of Defense (DoD), will only assist the nation in a cyber emergency. In plain English, it’s only after things get really bad that the fighters will take power and ‘lead America to victory. DoD will not be disturbed in the day to day security of film studios or hospitals. The flaw in the logic is that even if the DoD is successful, it will be too late.
Widespread insecurity is the result of peacetime strategic defense malpractices. Thus, the debate on national cyber power must refocus on a non-technical issue: how to inspire and drive effective change in defense missions, strategies, principles, forces and organisations. This challenge is hardly new.
In contrast to rationalism, serious research shows that the state and military prepare for future wars. There is rarely an ugliness in denying that reality is changing. Armies are large bureaucracies, and, as Harvard professor Stephen Peter Rosen wrote, “What we know in principle about large bureaucracies suggests not only that they are difficult to replace, but that They are not made to replace them.” Peacetime strategic defense adaptation usually fails because defense organizations are unwilling, forced, or in fact unable to change their ways.
For more than six decades, social scientists have established military adaptation scholarship. While an overview exceeds the scope of this piece, I present only a sample of studies that dealt with the persistent problems that now affect cybersecurity.
Azar Gat studied the principles of mechanized warfare in the air and on the ground, demonstrating that technology in itself does not drive innovation or its course. Frederick A. Bergerson’s groundbreaking political science study explained the revival of US military aviation from 1942 to 1970: some activist reformers who opposed the policy still worked to change it from within the military organization, generating significant ‘defense adaptations’ Did. Ultimately, Rosen recognized that military innovation stemmed from new promotion routes for young officers.
Theoretical stagnation is the root cause that hinders US cyber insecurity. Neither of the defense branches accepts a novel, challenging mission: to protect the homeland from foreign cyber attacks. Furthermore, radical cyber defense innovation will not emerge on its own. Instead, scholars and policy makers should take advantage of the Defense Innovation Scholarship to provide adequate protection.
Lior Tabansky, Ph.D., is head of research development at the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University (TAU).