Going cyber nuclear: Is it time for a big red button?
(This article originally appeared in Forbes.)
It wouldn’t be an actual button (although that would be cool). It’s more likely that it would be a series of actionable software-script “launch codes,” jointly executed from multiple locations by designated officials and authorized by national command authority. But the impact would be near-instant: The United States of America’s internet would be cleaved off from the rest of the world, isolating U.S. network traffic from outside bad actors.
Yes, it’s extreme. And it may not even be possible. But it’s time to consider such an approach given the current state of state-sponsored cyberterrorism. Bad actors have become more aggressive, and their tools, tactics, and procedures have become more destructive.
In China, for years the government has been investing in developing the cyberespionage capabilities of its People’s Liberation Army (PLA). In a 2016 report, RAND Corporation researchers noted as much, observing, “The PLA’s warfighting concepts for employing information warfare have expanded to include cyber warfare, attacks on satellites, and information confrontation operations.” While Chinese government leaders decry cyberterrorism, unofficial militias of so-called patriotic white-hat hackers wreak havoc with little fear of consequence or retribution.
In Russia, the state has embraced a well-publicized-in-the-West “information confrontation” strategy. For instance, although Russian government involvement has been questioned by some, there is little doubt that Russian state-sponsored hackers actively interfered in the 2016 U.S. federal election. But what’s really terrifying may be yet to come: Russia’s elite Fancy Bear hacking group—which is allegedly connected to the Russian government’s GRU intelligence arm—has recently developed a novel and incredibly destructive UEFI rootkit, a tool of cyberterror that Brian Barrett of Wired notes “hadn’t ever been seen in the wild until now.”
Diplomacy? What’s That?
If there ever were any guardrails for international cyberespionage, they’ve fallen away. In the past, nation-state actors observed some semblance of respectful decorum, if you can call it that, limiting attacks that they knew could be traced to them. But for some nations, the improved ability of defenders to attribute attacks offers no deterrence. Cyber operations expert and FireEye CEO Kevin Mandia said in a recent interview that “the rules of engagement have broken.” He cited recent hacks emanating from China, Russia, and Iran and noted the scorched-earth approach of North Korean hackers, who—when detected—launch destructive malware to wipe infected machines.
You can’t shout “fire” in a crowded theater. But, to paraphrase a line from an old movie, what if there’s a fire? Last year, the GRU-developed NotPetya malware took down global logistics company Maersk in a matter of minutes. If the world’s largest container shipping company is vulnerable, what hope is there for the rest of us?
Maersk’s experience shows that individual companies—even multibillion-dollar companies—cannot keep up (or for that matter, be expected to keep up) with protecting themselves from the threat of state-sponsored cyberterrorism.
Drastic times call for drastic measures
Our economy has evolved from a manufacturing base to technology services. Our national economic well-being depends on the internet, which, as recent hacking has illustrated, is something over which we exert less control than we think we do. Given the prevalence and proliferation of state-sponsored cyberterrorism, how do we best protect our internet-based government and economic viability going forward?
First, we need to establish mutually agreed-upon boundaries for cyber operations. That starts with a new Geneva Convention–type agreement on cyberwarfare. Yes, it will probably have to be orchestrated in concert with the United Nations (perhaps specifically the Security Council), and yes, it must include state sponsors of cyberterrorism like Russia and China. And the boundaries it dictates must be enforceable based on detection: Potential economic and political penalties for violation must be severe enough to serve as an effective deterrent, ideally leading to mutual detente. Couple that with a unified front against rogue state activities (looking your way, Iran and North Korea), and we might be onto something.
Second (if feasible), we need to install a mechanism (i.e., a big red button) that, when used in a time of catastrophic emergency, activates internet isolation. This kind of isolation technology would presumably be tied to logical and physical infrastructure assets (e.g., lifting the drawbridge on the moat around the United States internet), but with international diplomatic support, it could also be punitive toward a specific region or country (“That’s it, Rogue State. You’ve just lost your internet privileges.”).
Yes, it’s still extreme. Yes, it may be politically untenable or even technically impossible. But we need to start a blunt, serious conversation on destructive state-sponsored cyber activities. Because if we don’t do something soon, the next “unsanctioned” Fancy Bear attack will hit. And it will hurt. And it won’t be just Danish shipping conglomerates paying the price.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Stan Lowe is the Zscaler Global CISO