February 1, 2016
Last Friday I attended the Cybersecurity Lecture series at the
US Naval Academy, where Director of National Intelligence (DNI) James
Clapper spoke to midshipmen who are studying and training to be
future signals intelligence (SIGINT) and cyber intelligence (CYBINT)
officers in the Navy and Marine Corps.
The lecture series is open to the public, so no state secrets were
shared, but the perspective of our highest ranking intelligence
officer on current Cyber-related events, cyber threats and future
threats was interesting and informative. DNI Clapper has been in
government service for the better part of 50 years and shared a few
of his war stories and his personal loyalty to the Marine Corps,
although he has also proudly served in the US Air Force.
Well-prepared midshipmen posed a range of questions including what
ethical/moral standards are considered when the US is determining a
cyber-attack or cyber-retaliation; and there was a request for his
personal response to the perjury allegations from his 2013
congressional testimony on national security matters. The
Midshipmen were not shy to ask.
Several important highlights came from his talk. One was more
philosophical than technical, where he talked about his role in
briefing the President weekly on all national security matters. In
the context of inspiring and informing future intelligence officers
he said there will come a point where you will have to tell “truth
to power,” and that that can be a challenge: giving bad, terrible
or unwanted news to people who are not only your superiors, but in
positions of power, like the President of the United States.
Building on that came the first revealing fact–Cyber is the first
of all threats reported to the President of the United States right
now. Not terrorism, not financial markets–Cyber. Remember that
all threats have a priority. Just because an attack on Sony
Entertainment from a nation-state (North Korea) is big news at one
point in time, doesn’t mean that all other current threats get
marginalized. Each week he reports on all threats, and the one that
gets 1st priority is Cyber. Part of the challenge with CYBINT is
that the actors (individuals, terrorist organizations, nation
states, cooperatives (like Anonymous)) all have varying levels of
scale, capacity, incentive and impact.
There are actors that have the scale to do real harm and damage, but
they don’t. And there are other actors (e.g. ISIL, Hezbollah and Al
Qaeda) that have no qualms, and no moral compass that would make them
hesitate, about using a cyber weapon that has extreme collateral
damage. This type of actor would attack energy infrastructure, cities
and hospitals in the hope of death, destruction and any added
brutality–but because they lack scale, using a cyber weapon to do
real harm remains only wishful thinking.
These 2 types of actors are the main focus of intelligence efforts.
One who has the capability to do real harm, but lacks the incentive;
and the other who has the incentive but lacks the scale to do real
harm. The challenge is that these two types of actors are the two
big black holes in the Cyber Domain that our intelligence operations
monitor and research. And every day these two holes are
converging. The challenge of cyber analysts, threat analysts and
intelligence officers, both in government and industry, is to be on
the front line of that war–to be prepared to identify, defend and
potentially retaliate against real threats that can also potentially
cause real physical harm.
Imagine if the United States retaliated at China for the OMB breach
by using a cyber weapon (my example not Clapper’s) and one of the
unintended consequences is that the power grids in Shanghai and
Beijing shut down. Hospital generators run until empty, life
support and critical care equipment drain all available batteries,
and Chinese citizens die as a result. Would this be a cyber-attack
or an act of conventional warfare?
Scenario two: A cyber-attack is launched and it must travel through
core internet routers in surrounding countries to deliver the attack
to the intended target. Has the United States inadvertently
involved other countries in its focused attack? What are the
geopolitical implications of this act? Is it an act of war?
The Cyber Domain is an official theater of war. The theaters are air,
sea, land, space and cyber. And we are in wartime. But the
risks, the unforeseen risks, of using what power the US Government
has could cause far more damage than intended. As a result, the
United States monitors events closely, and evaluates each attack and
threat as they come, but only time will tell how private industry
and governments, not just the United States, will act on and
perceive acts of war in the Cyber Domain.
What can you do to protect your systems and your computer? Step 1:
Patch, patch, patch. And that came from the top.
These lectures are open to the public and are posted