18 June 2021

Addressing growing threat of cyber-attacks


The potential for nuclear war remains the greatest threat to humanity, as it has for more than seven decades. But cyber-attacks have grown to become arguably the second greatest threat, in part because they could trigger an escalation of response and retaliation that moves humanity towards a nuclear exchange.

Acknowledging how serious a security issue the threat has become, on Monday, during President Biden’s visit to the NATO summit in Brussels, the 30 NATO countries agreed “that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.”

That assessment could lead to the invocation of the organization’s mutual self-defense clause, Article 5, and a collective response.

“If necessary, we will impose costs on those who harm us,” read the joint communique.

The move is at the same time distressing and necessary.

Distressing because in a world in which there are already plenty of ways for countries to harm one another, cyber weapons have now officially entered the field of military resources that the U.S. and its allies must be prepared to utilize and counter.

The move is necessary for that same reason.

“Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent,” read the statement.

Our world has become dependent on computer software to sustain modern civilization from industry, to travel, to communication, to utilities, to health care, to food distribution, to financial transactions from the great to the small; in other words, for most everything. And much of it is vulnerable to cyber-attacks.

In 2015, the 193 members of the United Nations agreed on prohibiting the use of cyber technology to attack critical infrastructure. Recently 23 countries, including the United States, Russia, and China elaborated on that stricture with an agreement that again states nations should not hack each other’s critical infrastructure in peacetime or shelter cyber criminals.

But these provisions contain no real means of enforcement and include a huge loophole — traditional espionage, carried out by the world’s spy agencies, is exempted.

When Russia exploited weaknesses of a private contractor, SolarWinds, to infiltrate the software of at least nine U.S. agencies and about 100 companies, it arguably fell within the domain of espionage, yet the Biden administration has imposed sanctions on Russia in response.

Israel and the U.S. have in the past used cyber technology to degrade Iran’s nuclear program — espionage or cyber-attack?

Russia has ignored the agreements when convenient, perhaps most dramatically by unleashing a cyber “worm” against Ukraine that caused widespread power outages among other infrastructure damage, but which also spread across the world causing collateral damage to software.

Ransomware attacks — hackers shutting down computer systems and the operations they control, then demanding payment to free the software — are becoming a major global problem, the extent unknown because some companies and institutions quietly make payments without acknowledging the attacks.

Recent ransomware attacks in the U.S. shutdown a major fuel pipeline in the Southeast and the world’s largest meat processor. While U.S. security officials have said they do not believe Russia participated in the attacks, it tolerates and does nothing to stop the actors who did so.

In his meeting this week with Vladimir Putin, President Joe Biden must emphasize that this is a dangerous path that Russia is venturing down. The communique from NATO should help back that message, should Biden deliver it. Putin needs to know that retaliation in-kind is an option of the United States and its allies.

Preferably, the historic meeting can produce a joint Putin-Biden statement in which both leaders agree not to protect ransomware attackers and reiterate the wrongness of peacetime cyber-attacks. This would be welcomed not because Putin can be trusted to keep his word, but to at least have those words available to build a unified response when Putin ignores them and again engages in cyber mischief.

On the domestic front Congress should pass laws requiring the public and private sectors to share information about cyber threats and preparedness and to make it a legal requirement that a ransomware demand be disclosed to law enforcement.

No comments: