The expanding role of cyber in national security

Line of Defence Magazine, Winter 2018

Hybrid conflict: Natanz Nuclear Facility
Anti-aircraft guns guarding Iran's Natanz Nuclear Facility no defence against Student. Source: Hamed Saber.

Dr Bryson Payne of the Center for Cyber Operations Education at the University of North Georgia writes public and private will need to work together if we are to survive the next generation of cyber-enabled hybrid conflict.

Code. Vulnerable code. It distributes electrical power to our homes, businesses, hospitals and government buildings. It controls the flow of fresh drinking water to the same. It manages our stock markets, supports our border security and food distribution, and even influences our elections. Software is at the heart of our physical security systems, including smart cards, keypads, and biometric access controls that safeguard our businesses, critical systems, and government facilities.

A great deal of attention has been paid of late to cybersecurity as a component of national defence, but there is little discussion, or appreciation, of cyber’s role across and throughout the other components of national security.

Cyber is an important domain of national security, as attested by its inclusion in the national security policies of a growing number of OECD countries, with New Zealand and the United States at the head of the pack. But it is the impact of cyber across the other components of national security that remains to be sufficiently addressed at the national policy level.

In addition to standing on its own as a domain of attack, cybersecurity impacts economic and trade security, ecological and biosecurity, energy and critical infrastructure security, food security, transportation and public health, as well as communications, physical and even political security.

Unfortunately, secure coding isn’t sufficient to address the above concerns, as the Spectre and Meltdown hardware vulnerabilities have shown. First published in January 2018, the Spectre and Meltdown attacks are based on the computer processing chips that run our desktops, laptops, smartphones, automobiles, smart appliances, medical devices, and even our critical national infrastructure. Because these vulnerabilities are in the hardware chips themselves, they remain invisible to antivirus software or other security controls.

These vulnerabilities were first exposed publicly in 2018, but they affect virtually every microprocessor produced from 1995 forward. And while software patches have been applied in major operating systems (Windows, Linux and Mac OS), most so-called Internet of Things (IoT) devices will remain vulnerable until discarded – including smart TVs and appliances, as well as smart building controls and medical devices for which patches are unavailable or rarely applied.

Cybercrime, cyberterrorism, cyberwarfare, cyber espionage, and cyber vandalism all threaten to disrupt systems critical to national security and public welfare. Nation-states, criminal organisations, terrorists/insurgencies, private military contractors, corporations and individuals all play a part both in attacking and defending the public good.

Enjoying this article? Consider a subscription to the print edition of Line of Defence.

In terms of economic security impact, cybercrime alone will cost the world more than $6 trillion (USD) annually by 2021 according to current estimates. Ransomware, a newly popular class of cyberattacks, cost more than $5 billion worldwide in 2017, including over $1 billion in ransom payouts, with high-profile attacks in the past year on hospitals, banks, utilities, and the city government of Atlanta, the ninth largest metropolitan area in the US, ranked 78th among the 100 largest cities in the world.

As acts of war or terror, attacks on critical infrastructure (communications, energy, food / agriculture, financial, health, safety/emergency services, transportation, water, and IT itself) are possible from anywhere in the world, by individuals, large organisations, or by nation-states. Information operations and information warfare can achieve a scale and speed never before possible, with the influence of ‘fake news’ postings via social media site Facebook on the most recent US presidential election at the forefront of the news.

In addition to trillions of dollars and millions of hours of productivity lost to cybercrime, economic security can be threatened through industries like finance, communications and transportation. Financial industry attacks include bank hacks, like the $81 million Bangladesh Bank hack that made world news in 2016. But they also include lesser-known but more complex hybrid attacks like the Carbanak malware that was blamed for an estimated $1 billion in fraudulent transactions from 2012-2014.

Stock market attacks, communications disruptions and denial of service (DoS) attacks, and transportation attacks on both traffic systems and autonomous / semi-autonomous vehicles can have a crippling impact on economic activity.

On the energy and public utility infrastructure level, power, gas, and water distribution systems are often run by outdated legacy hardware and software that are rarely patched whether due to lack of availability of updates, lack of funding for maintenance and renewal, or fear of interrupting service. Smart-grid/smart-city technologies combined with antiquated core systems combine to make dams, renewable energy, and nuclear SCADA (supervisory control and data acquisition) controls and legacy systems vulnerable to attack, even when ‘air-gapped’ or separated from the public Internet.

The 2007 StuxNet attack on Iranian nuclear centrifuges demonstrated that even air-gapped systems with no direct connections to the broader Internet could be penetrated, and many public utilities aren’t as isolated from the Internet as these systems were.

Physical security and human security concerns, in addition to the possibility of cyber or hybrid cyber-kinetic attacks on utilities discussed above, include medical systems, border security, and interference in communications and GPS. Military forces would be impacted by attacks on GPS and communications systems, as well as direct attacks on drones and autonomous vehicles and weapons.

Future cyber and hybrid warfare will be designed to limit the ability of military forces to defend their homeland both physically and virtually.

Finally, disruptions to any of the other elements of national security can threaten political stability and trust in the government’s ability to protect its people. But direct threats to political security through cyber exist as well, including information operations, deception, and information warfare.

The rise of ‘fake news’, manipulation of information via social media, and even election tampering, have given more visibility to the tenuous relationship between perception and reality, with potentially hundreds of millions of users on any of the major world social media systems at risk of being influenced by misinformation or disinformation at a scale and pace once unimaginable.

A generation ago, it would have required taking over an entire national broadcast network to command the attention a few hundred dollars’ worth of well-placed social media ads, photoshopped images, and misleading news articles could garner on social media.

We must address crucial cybersecurity concerns as a whole, across all public and private networks and systems that contribute to the security and stability of our nations if we are to prepare for and survive the next generation of cyber-enabled hybrid conflict. As 85 percent of the infrastructure of the Internet is privately owned, corporations and private industry will be needed as allies in addressing network-borne threats and device vulnerabilities.

But businesses have a stake in cybersecurity themselves, so national security policies that support better protection for private industryshould be well received. An ideal solution, of course, would not impose significant costs, or, in the best case, would be subsidised by national investment in improved security measures and infrastructure for the nation as a whole.

It is at the individual level that developed nations may have the disadvantage: an Internet-connected civilian can unwittingly sponsor or support our adversaries simply by having poorly-protected computing resources on a high-speed network connection, yet cyber education is virtually non-existent for the majority of our populations.

Even in our military forces, user error due to lack of basic cyber hygiene training imperils our best efforts at securing critical systems. A comprehensive national security strategy for the next twenty years must address not only the technologies and the processes involved in each of the components of national security, it must include cyber training and education for the people working across those areas as well.