It's not enough to prepare for known cyber threats.
Luke McNamara is a senior analyst at FireEye.
Cyber threats are not always made using the most innovative tools. Even very sophisticated advanced persistent threat groups with access to zero days, such as the Russian group APT28 behind the Democratic National Committee compromise and the Chinese group behind the Office of Personnel Management breach, mostly infiltrate their targets via simple spear-phishing and social-engineering techniques.
The recent distributed denial-of-service attack on Dyn DNS that destabilized and interrupted a portion of the internet in October 2016—brought about by a botnet comprised of internet of things-enabled devices—highlighted the nexus of longstanding, relatively unsophisticated threat vectors and emerging technologies.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
While espionage campaigns and destructive attacks on critical infrastructure will remain known threats—the latter being an issue President Donald Trump has already noted—this administration must prepare for the new ways adversaries will disrupt, compel and influence their targets.
It will not be enough to have strategies in place to defend against known activity, high-tech exploits and previously observed attack vectors. Given the dynamic nature of cyberspace, the Trump administration must adopt a robust and flexible framework for responding to future cyber threats that could look very different from the ones we face today.
Ransomware continues to be a growing problem across the globe. In late November 2016, actors compromised the San Francisco transit system with ransomware, demanding a payment of 100 bitcoins and disrupting the ability of would-be passengers to use their fare cards.
In the near future, we could also see ransomware being adopted by nation-states looking for ways to affect targets previously considered out of bounds, in order to extort or compel the populace. Nation-states might also take a page out of extortive cyber criminals' playbooks and use DDoS attacks to compel adversaries to comply with their demands.
We have observed criminal groups such as DD4BC and Armada Collective (and others more recently) extort financial institutions by using DDoS attacks to demand bitcoin ransoms. And as the 2007 Estonian DDoS attacks and Operation Ababil suggested, some nation states have already seen value in utilizing limited DDoS attacks for disruption.
Both ransomware and DDoS are inherently disruptive tools. But they also possess a capability baked into them that would make them very attractive to nation-states seeking to employ more aggressive means against targets in cyberspace: reversibility. The cessation of a DDoS attack or provision of an unlock code for ransomware means the effects of the malicious activity can be rolled back as soon as the adversary chooses.
As such, these sorts of disruptive tools could be used more aggressively against inherently civilian targets. Imagine a nation-state waging a compellence campaign against a rival country by targeting several grocery store chains and locking down their point-of-sale terminals with ransomware, preventing citizens from being able to purchase goods.
Perhaps this is accompanied with an ongoing wave of DDoS attacks against domain hosting infrastructure like the Dyn DNS attack or against major banks, further disrupting life for many. When the digital networks that facilitate our everyday lives are so pervasive and interconnected, all infrastructure has the potential to be critical infrastructure in some manner.
Undoubtedly such action would be strongly denounced, but during a crisis that threatens to break out into kinetic conflict, a clever actor may be able to manipulate the immediate confusion following the aftermath of an attack to their advantage. Depending on the scope and persistence of the attack, this could potentially disrupt life for thousands without destroying physical infrastructure or leading to a direct loss of life. As such, it could catch policymakers off guard and unprepared with how to respond proportionately.
Effects-Based Assessment, Actor-Tailored
The Trump administration has taken office during a time in which known cyber threats are myriad. Furthermore, both the private sector and government must continue to address related issues from information sharing to internet governance. However, despite these known areas needing improvement, policy options and strategies for countering cyber threat activity will fall short if they do not anticipate future types of threats.
The best way to counter these unknown threats is a set of policy options that focuses on the effects of the cyber threat activity—rather than the sophistication of the adversaries' tools—and is robust enough to provide meaningful responses to the responsible parties.
Arguably, effective response options to both conventional and unconventional nation-state cyberattacks may not involve a cyber component, but rather a mixture of other elements of state power. Covert cyber responses, in particular, may be ineffective in deterring future malicious activity from other adversaries, given the apparent lack of response by the government.
Our understanding of present and known cyber threats should not limit us into the complacency or a "failure of imagination" of potential threats. While we can't anticipate every threat, a range of policy options, tailored to the effect of the cyber activity and the sponsoring actor will most effectively provide for proportionate and effective response. It is especially important to develop policy options that counter specific nations who are known "bad actors" in cyberspace. The way we deal with Russia, China, North Korea and Iran will likely establish the emerging norms around cyber conflict in many other nations worldwide.