Most cyber-attacks are directed at information confidentiality, which is lost whenever information is stolen. There are also attacks, though fewer in number, on information availability. Such attacks are most often seen in the form of denial-of-service attacks, malicious encryption of data, and the occasional Sony-style destructive attack. What are not frequently seen are attacks on information integrity. An attack on integrity is one in which information is deliberately, and maliciously, altered so as to make the information unreliable or untrustworthy.
Information integrity is critical since effective decision-making is difficult, or even impossible, when underlying information cannot be trusted. It is no exaggeration to say that the most vital activities of government and businesses revolve around people, processes, and technology working together to ensure information integrity.
So an eyebrow rose when, in a little-noticed comment, Director of National Intelligence (DNI) James Clapper said the following to Congress:
“In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decision-making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”
While the statement was made in the context of a discussion of the current threat environment, the passive voice in which this statement is spoken, along with reference to “future…cyber operations” makes it stand out. It seems that Director Clapper is either warning United States decision-makers to anticipate possible attacks on information integrity or, alternately, he is warning adversaries that the U.S. may begin responding to their attacks through attacks on itsinformation. Or, perhaps he’s warning both.
If the U.S. does anticipate adversaries to begin attacking information integrity, that would actually be pretty big news since this would represent a change in tactics of current attackers and would result in significant new risks. Such attacks would be insidious because they may never be detected, or, if detected after too much time has lapsed, recovery could be impossible or prohibitively expensive. If an attacker is seeking to inflict long term damage – as opposed to the short term, but easily identified damage from a destructive attack on availability - this is a very good way to proceed. Alternately, if an attacker is more simply motived by financial gain, the victim will face an awful choice between paying up to find out what was altered or living in fear that some hard-to-identify alteration of information will result in future damage.
These are frightening possibilities. But, is Director Clapper actually warning U.S. adversaries that the U.S. is finally preparing to respond to their provocations? If so, then the statement is directed at “senior government officials (civilian and military), corporate executives, investors, and others” who either support information theft or who benefit from use of stolen information. Would this interpretation also explain Director Clapper’s use of the term “cyber operations” as distinguishing a U.S. retaliatory response from “attacks” on U.S. organizations?
In principal, the U.S. could penetrate a foreign system, toss a few five-pointed throwing stars at bits of key information, and then evaporate, ninja-style, into the night. These “operations” could be conducted at a time and place of U.S. choosing. And, after such an attack, the victim might build a flawed aircraft carrier or bid the wrong sum on a critical business deal. Critically, the adversary may never know for sure what happened to cause his loss. There is little doubt that the U.S. could carry out such operations with great skill.
Responding to adversaries in this manner may seem like a pretty good approach. However, it must be recognized this path is not without some peril. The chief risk lays in triggering an amplified, in-kind response. Unfortunately, if such escalation occurred, it is pretty clear thatthe U.S. is not well-prepared. Director Clapper’s statement summed it up succinctly:
“Overall, the unclassified information and communication technology (ICT) networks that support U.S. Government, military, commercial, and social activities remain vulnerable to espionage and/or disruption.”
This ongoing vulnerability matters, because, when it comes to information integrity, the U.S. has much to lose. Any broad attacks on information integrity could potentially result in collateral damage of greater economic consequence than might otherwise result either from direct, destructive attacks or from the continuing loss of information through theft.
While knowledgeable cybersecurity professionals and organizational leadership are assuredly in short supply, the less risky approach of continuing to bolster defenses seems more appropriate, at least short term. However, because there is a pressing need to respond, everyone must simply accept that the U.S. is engaged in a low intensity, asymmetric war and that attackers are bloodletting the U.S. of its competitiveness. It is critical that the U.S. responds and, therefore, all organizations – by disconnecting networks from the Internet, a practice called air gapping, if necessary – must ensure the necessary cybersecurity readiness is implemented. Compliance mentality and the blithe acceptance of risk on behalf of unknowing 3rd parties must be eliminated, by legislation if necessary.
Regardless of whom Director Clapper intended to warn, what is becoming very clear is that significant new cyber-risks are emerging. The risks of unseen damage to information and extortion are increasing, either because adversaries are changing tactics or because adversaries may respond in-kind to U.S. tactics. These risks should motivate cybersecurity teams to revisit current defenses and contingency plans. Likewise, organizations having weak or immature security programs are well-advised to re-evaluate their exposure. Circumstances appear poised to change.
Robert Jones is an employee of CB&I Project Services Group, and manages a large network on behalf of the National Nuclear Safety Administration. He has roughly a decade of experience in cyber security program implementation and administration. The views expressed in this article are those of the author, and do not represent the views of his employer, or the National Nuclear Safety Administration.
No comments:
Post a Comment