Literally everything is a weapon in the Digital Age.
Dear Wall Street Daily Reader,
Yesterday, we talked about what may be the earliest days of an all-out cyberwar with Russia and Vladimir Putin.
Today, we're going to talk about some things that may be even more frightening.
During a compelling sit-down with Establishment conversationalist Charlie Rose, former Assistant Attorney General and chief of the U.S. Department of Justice National Security Division John Carlin talked about threats emerging in this new era of constant interconnection.
The internet is a wonderful thing. It could also lead to our doom.
There are nation-states — including Russia, China, North Korea, and Iran — that can and will penetrate government and corporate networks to do us harm.
We've already revamped policies and procedures to address these relatively symmetric threats, as Carlin explained with regard to Chinese attempts at economic espionage, the North Koreans' comical attack on Sony, and Russia's ongoing effort to muck up the current presidential election.
Motivations here are easy to define and understand, whether it be China's profit hunger, North Korea's vengeance for slighting Dear Leader, or Russia's and Putin's antipathy toward democracy.
More troubling — and perhaps more dangerous — are the asymmetric threats lying among terrorist groups operating via social media and in the "dark web."
These malefactors will hack private networks "in order to steal names to create kill lists, which is an actual case," according to Carlin.
Carlin describes what appeared to be a "routine criminal hack" of a company's network — a run-of-the-mill theft of names and addresses in order to "make a buck" via ransom.
In the case Carlin cites, the hacker stole a relatively small number of names — an amount of information so insignificant that a company would ordinarily not report it.
The hacker demanded a payment of $500 in Bitcoin for the names, which happened to be those of U.S. government and military officials. Typically, companies would just pay the money or otherwise handle the problem on their own.
But this company — "a trusted U.S. retail company" — did report this particular hack, which was actually not some low-level shakedown. Behind it was an extremist from Kosovo who had moved to Malaysia and hooked up with British-born Pakistani "black hat hacker" Junaid Hussain.
Hussain was operating out of Syria "at the heart of" the Islamic State of the Levant terrorist organization, better known as ISIL or ISIS. Hussain "culled through that list of names to make a kill list."
Hussain used Twitter to "publish" that kill list in the United States — basically soliciting adherents/assassins here at home to finish the work.
Despite the fact that its targets were far-flung and moving "at the speed of cyber," the U.S. government was able to disrupt the plot.
Ardit Ferizi, the Kosovo hacker, was arrested in Malaysia and in June 2016 pleaded guilty in U.S. federal court and faces 25 years in prison.
Junaid Hussain was, says a statement from the U.S. Central Command, "killed in a military strike."
We're talking now about the "blended threat," the overlap of what appears to be criminal activity with a national security situation involving a nation-state or a terrorist operation run by militant groups.
When it comes to cyberwarfare, it's not always so easy to identify threats. At the same time, Carlin notes that we're "much better at investigation and attribution than people thought."
That conclusion is supported by the China economic espionage case, where the government was able to pinpoint a 9-to-5 working schedule (including a lunch break) for the hacker(s). That it was a "day job" provides "a hint as to who's involved."
The government used behavioral analysts from the FBI — the "profilers" you see on so many procedurals on TV — to help solve the North Korea/Sony case. The FBI now has expert cyberprofilers.
It's a sophisticated approach incorporating behavior analysis with technical understanding of malware that helps the feds reach "high-confidence conclusions" about who's responsible for hacking activity.
We're still extremely vulnerable, based on the pace of advancement of digital culture over the past several decades and the potential for where we're headed.
"It's not only electronic; it's digital, and we've connected almost all of it to the internet," as Carlin notes. "And the internet was not designed with security in mind."
Spies, crooks, and terrorists are well aware of this profound vulnerability. "The whole world's playing catch-up now," says Carlin.
In this world of "blended threats," options for retaliation aren't limited to cyberspace. The U.S. government response kit includes not just computers but economic, diplomatic, and, yes, military tools as well.
And as did the perpetrators of the September 11, 2001, terrorist attacks, those who would do us harm via the internet have made their aspirations clear.
ISIL/ISIS, for example, has appealed to its followers around the world to participate in "cyber-Jihad" to create "as much fear and inflict as much damage as they can."
"We have right now a well-funded ecosystem of crime," explains Carlin, establishing a capability context through which terrorists' intent can be actualized.
What's commonly referred to as the "dark web" comprises sites with IP addresses that can't be seen. It's not mapped in the way that the internet you and I search with Google is.
"In that dark web, you have things like criminal groups who create, essentially, cyberweapons of mass destruction," says Carlin, "like a bot-net — this is hundreds and hundreds of thousands of compromised computers that a bad guy can turn into a weapon by hitting a command."
Iran used a bot-net on 46 global financial institutions via a "digital denial of service" (DDoS) attack.
Hackers can also use "cryptolockers" to encrypt your personal computer and lock all your files. They can then demand a ransom payment.
They can also coordinate attacks on hospitals and encrypt their records, resulting in "a matter of life or death."
On the dark web, you can "literally shop" for stolen credit cards or a bot-net to launch a DDoS attack. There are actually customer reviews for such products and services, a la Amazon.com.
"We're on the cusp of a major societal transformation," notes Carlin. "As big of a change as it was when we digitalized information, now we're moving to the Internet of Things."
That includes driverless cars run by computers. And, as Charlie interjects, "If you can hack that computer, you can send that car anywhere you want to."
"Think about what one terrorist did with one truck in Nice," responds Carlin. "What happens when you have a fleet of trucks?"
The key now is to learn from the mistakes we made when the move from paper to digital happened: We have to consider security first.
"When it comes to things like cars and trucks and missiles, planes, drones, this internet of things, or pacemakers, we have to build security in on the front end by design."
Carlin explains an odd dilemma at the heart of this rapidly emerging future: "security versus security," and it's a question of privacy:
When we think through some of the hard issues, like "Is there certain information you ought to be able to obtain via a court order?" and "What should a company's responsibility be in making its information accessible?"
We strongly believe in encryption. Because we want to keep information secure. And we wouldn't want even the government to get it without proper legal process.
But designing a system so that it is both secure from the bad guys who want to steal or destroy your information and secure as in "a safe place" to prevent terrorists from committing attacks…
I'm optimistic that we'll be able to innovate our way out of this situation.
Carlin — if you can muster some trust in a decades-long Justice Department official — provides a solid foundation for the case that Putin himself is behind Russia's and WikiLeaks' U.S. presidential election mischief.
But that's all part of an emerging "great game." It's not a deadly conflict, not yet at least.
The asymmetric threats are the real killers.